Introduction

The BIPA regulates a private entity in possession of biometric identifiers or biometric information. The term “private entity” includes any individual or business organization; however, it does not include any government entities. The statute mandates various measures intended to protect biometric identifiers and biometric information.

Requirements

A biometric identifier is a retina or iris scan, fingerprint, voiceprint, or scan of a person’s hand or face geometry. It does not include photographs, writing samples, biological samples, organs, tissue, or physical descriptions. Further, the term excludes any information captured in a health care setting or collected, used, or retained for treatment, payment, or operation purposes under HIPAA.

The statute also extends protection to any information, used to identify an individual, that is based on a biometric identifier. The information is described as “biometric information,” and shares the same exclusions as the term biometric identifier.

Private entities in possession of biometric identifiers or biometric information are required to adopt and implement a publicly available written data retention and destruction policy. Further, the data is to be retained only as long as the purpose for its collection is satisfied or until three years after the last interaction with the data subject, whichever occurs first. However, the retention period may be modified for data that is relevant to a warrant or subpoena.

Before a private entity even begins to obtain the protected information of an individual, through any means, including collection, capture, or purchase, it must obtain written informed consent. The satisfy this requirement, the private entity must provide the individual, in writing, with information that includes notification that a biometric identifier or biometric information is being collected or stored, the specific purpose for collection or storing, and the retention period. The data subject must, in return, provide the private entity with their consent, in writing.

The statute also prohibits the sale of the protected information and limits its disclosure. There is an absolute ban on the sale, leasing, trading, or otherwise profiting from the protected information. Additionally, a private entity may not disclose the protected information to any third party, except where the data subject has consented, the disclosure is required by law or court order, or it completes a financial transaction that was authorized by the data subject.

Biometric identifiers and biometric information must be secured using a reasonable standard of care for the private entity’s industry and those measures must be equal to or greater than the security measures applied to the private entity’s other confidential and sensitive information. For example, a financial institution, subject to GLBA, that uses voiceprint information to verify a caller’s identity for its customer service call center, will be required to secure the voiceprint information consistent with GLBA’s requirements. And if there are any optional measures, such as encryption, that are utilized for the financial institution’s account information, it must also be applied to the voiceprint information.

Enforcement

BIPA is enforced by plaintiffs through a private right of action.

Compliance Tip: BIPA’s private right of action was affirmed by the Illinoins Supreme Court in Rosenbach v. Six Flags Entertainment Corp. (2019).

Penalties

BIPA provides data subjects with a cause of action based on a private entity’s violation of the statutory requirements. Damages for negligent violations are $1,000 and intentional or reckless violations are $5,000.