Illinois Biometric Information Privacy Act | How to Comply

Date written: April 25, 2022

Here’s some information about the Biometric Information Privacy Act and how violating these laws can truly add up.

One of the fastest growing areas of privacy law is the protection of biometric information. In this video I’ll describe the Illinois Biometric Information Privacy Act, what is covered by the act, and how to comply. [740 ILCS 14/15]

Illinois was the first state to enact a bread biometric privacy statute, a huge step in protecting consumer privacy for Illinois residents. The Biometric Information Privacy Act, or BIPA, acknowledges the heightened risk associated with biometrics because of the immutability of these characteristics. BIPA has gained much national attention because of its private right of action provision and expensive statutory damages. Any company violating this act is liable for $1000 in damages per negligent violation and $5000 in damages for intentional or reckless violation. This adds up: in recent years Facebook paid a settlement of $650 million and TikTok paid a settlement of $92 million over BIPA claims.

What is covered under BIPA? The act covers biometric identifiers that include the following elements: “a retina or iris scan, fingerprint, voice print, or scan of a hand or face geometry.” If an entity is collecting any such information, BIPA imposes three major requirements. First, a company must develop a written plan that clearly states procedures for retention and destruction of biometric information. This plan must be made available to the public. Second, a company must inform the data subject that a biometric identifier or biometric information is being collected and stored and inform them of the purpose of that storage. This information must be provided in writing and is an additional requirement to the public retention and destruction plan. The third requirement is to receive a written release from the data subject whose biometric information is being collected.  

Additionally, BIPA forbids selling, leasing, trading, or otherwise obtaining a profit for biometric information. If a company must disclose biometric information, companies in most situations must obtain the subject’s consent. BIPA also sets a standard for biometric information security, requiring the “reasonable standard of care within the private entity’s industry.”  

If you are processing biometric data of Illinois residents, you must comply with these requirements. So far, though other states have enacted biometric protection laws, Illinois is the only state with such a broad private right of action. If you have any questions, don’t hesitate to reach out to us at Aleada.