Biometric Information Privacy Acts (BIPA) are U.S. state laws that concern the collection, retention, and disposal of personal biometric information.


Biometric identifiers often include a person’s retina or iris scan, fingerprint, voiceprint, or a scan of hand or face geometry (e.g., as used for facial recognition).


In general, BIPAs require that biometric information:

  1. Be collected only upon express consent;
  2. Be secured from unauthorized access; and
  3. Be timely destroyed following use.


Illinois, Texas, and Washington have enacted biometric information privacy laws, while California includes a definition of biometric data under the California Consumer Privacy Act of 2018 (CCPA).

Enforcement and Liability

Illinois provides a private right of action under its BIPA (plaintiffs may sue companies directly for BIPA violations). Otherwise, BIPA violations are enforced by state authorities, such as an attorney general, who may bring an action on behalf of the state or aggrieved parties and seek to impose financial penalties and other sanctions.

Several successful class action suits have been brought by plaintiffs under Illinois’ BIPA.

Compliance Guidance

Biometric information should not be collected without consideration of the legal risks. By its nature, biometric information is immutable: an individual cannot change it. If it is compromised, the resulting harm cannot be easily redressed.

Compliance with BIPAs should be properly planned prior to the collection of biometric information. There may be questions as to whether the information in question constitutes biometric information or identifiers under the law.

What is required for consent, how such consent is presented and obtained, the terms of collection and use, as well as information security, retention, disposal, and recordkeeping requirements must be thoughtfully considered.