The Illinois General Assembly enacted the Illinois Biometric Information Privacy Act (BIPA) in 2008. The act was one of the first data privacy laws to safeguard biometric data. However, the law went largely unnoticed until 2015, when several high-profile class-action lawsuits were filed by Illinois residents against large corporations (Pezen v. Facebook, Norberg v. Shutterfly, Rosenbach v. Six Flags).
BIPA allows the Illinois legislature to protect the sensitive data of its residents in many ways. The act restricts the sale of biometric data and requires companies that collect sensitive data, store biometric identifiers, or employ biometric technology to follow several privacy procedures.
Scope of the Illinois Biometric Information Privacy Act
BIPA applies to any company or private entity that conducts business in Illinois, collects biometric data from state residents, or makes decisions involving processing biometric data.
Two other states, Texas and Washington, also passed laws in the early 2000s aimed solely at protecting biometric data. Several other states have passed comprehensive privacy laws, such as California’s CCPA (California Consumer Privacy Act) and Virginia’s VCDPA (Virginia Consumer Data Protection Act), that limit the storage, collection, and sale of biometric data.
In 2022, seven states (California, Kentucky, Maine, Maryland, Massachusetts, Missouri, and New York) attempted to pass privacy laws that resembled BIPA. Each of these seven biometric privacy laws failed to pass.
What is Biometric Data?
Biometrics are unique data types that contain physical or behavioral identifiers and are biologically linked to a specific individual. Unlike other forms of sensitive information, individuals cannot edit their biometric data after it is compromised. These unique characteristics make protecting biometric data a critical endeavor.
Identity theft and other forms of misuse become increasingly likely when a person’s biometric identifiers are exposed.
BIPA defines biometric data as any biometric identifier used to identify an individual.
This definition includes but is not limited to the following:
- DNA
- Fingerprint scans
- Face geometry
- Palm prints
- Retina scans
- Iris scans
- Vein patterns
- Voiceprints
It’s also important to note that BIPA excludes many types of information from its definition of biometric data, such as:
- Physical descriptions such as weight, height, hair or eye color, or tattoo descriptions
- Written data such as writing samples and signatures
- Biological samples used for scientific testing or screening
- Organs and body parts defined by the Illinois Anatomical Gift Act
- Blood stored for cadaveric transplants
- Biological materials protected by the Genetic Information Privacy Act
- Information captured in a healthcare setting and protected by the Health Insurance Portability and Accountability Act (HIPAA)
- X-rays and other electronic scans used by medical professionals to diagnose or treat medical conditions or complete scientific testing
Consumer Rights
By granting resident consumers several rights, BIPA allows individuals to take control of their biometric data. Under BIPA, Illinois residents possess the right to know:
- What types of data an entity is collecting
- The process an entity uses to store that data
- The specific purpose an entity has identified for collecting the data
- When and how their data is collected
- How long their data will be stored
The Illinois law also grants residents the right to provide consent and requires every entity that handles biometric data to obtain permission before collecting, storing, or processing it.
Exemptions
While BIPA applies to most organizations that conduct business in Illinois, the law does outline a few exemptions. The law does not apply to:
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), or
- State contractors who are engaged in business with some sector of state government
Regulations of BIPA
Businesses subject to BIPA must comply with several data protection policies to safeguard consumers' biometric data.
BIPA requires businesses to follow these regulations:
- Create a retention and destruction policy that is publicly displayed and details the duration that it will store data and how it will permanently erase data
- Provide a written notice that outlines what types of data it will collect and the intended use of this data before collecting, storing, or using a customer’s biometric data
- Obtain written consent from a customer before collecting, storing, or using their biometric data
- Maintain data privacy protections to protect consumer data and achieve a reasonable standard of care
- Refrain from sharing a consumer’s biometric data with another entity
- Refrain from profiting from the collection, storage, or use of biometric data
Enforcing the BIPA & Penalties for BIPA Violations
Illinois enforces BIPA through a private right of action. In other words, individuals aggrieved by a BIPA violation have the right to pursue legal action through the Illinois Supreme Court. Individuals also have the right to pursue a supplemental BIPA claim in a federal court after the case moves through the state and district court circuit.
Under the private right of action statute, affected individuals may recover the following from any violating entity:
- Negligent violations: Liquidated damages of $1,000 or actual damages (whichever is greater)
- Intentional or reckless violations: Liquidated damages of $5,000 or actual damages (whichever is greater)
- Litigation fees: attorney fees, court costs, and witness fees
- Other expenses: additional injunctions or other damage awards determined by the court’s decision
Note: All BIPA claims are subject to a five-year limitations period (Tims v. Black Horse Carriers). This statute of limitations covers both negligent and reckless violations of BIPA.
Notable BIPA Lawsuits and Their Impact
Since its enactment, BIPA has been the subject of many class-action lawsuits. These lawsuits have revealed several important insights, such as how entities are held accountable for violations, the liability of third-party processors, and the limit of individual rights granted by the law.
Richard Rogers v. BNSF Railway Company
Overview: After a jury found that BNSF Railway Company had violated BIPA a staggering 45,600 times (one per individual affected), the organization argued that the violations resulted from negligence committed by a third-party vendor.
Court Ruling: The court disagreed with the defendant and ruled that entities could be held vicariously liable for any BIPA violation committed by a third-party vendor. This ruling confirmed that organizations cannot escape violation penalties by shifting blame to a third-party contractor.
Cothron v. White Castle System, Inc.
Overview: The plaintiff alleged that White Castle did not obtain her consent to share her fingerprint information with a third-party data processor. The plaintiff also argued that White Castle committed a new violation every time it required her to scan her fingerprint. White Castle argued that a BIPA violation occurs only once, when the data is initially collected, making the plaintiff’s claims untimely under the state law’s statute of limitations.
Court Ruling: An organization commits a new violation each time it collects or processes a consumer’s biometric data without prior consumer consent.
Comparing BIPA to CUBI
Texas was the first state in the United States to pass a biometric privacy law. The state’s Capture or Use of Biometric Identifier Act (CUBI) has received less attention than BIPA. However, the Texas v. Meta Platforms, Inc. lawsuit recently thrust the law into the spotlight.
CUBI and BIPA differ in several ways:
- Enforcement: BIPA grants residents a private right of action, whereas CUBI does not. The Texas Attorney General has sole authority to enforce CUBI and its statutes.
- Data exclusions: BIPA excludes several types of biometric data from its scope. CUBI does not include a list of data exclusions.
- Restriction exclusions: While BIPA excludes data regulated by HIPAA and the GLBA, CUBI provides only one narrow restriction exclusion: voiceprints retained by a financial institution or one of its affiliates.
How To Ensure Your Organization Remains Compliant Under BIPA
Organizations that use biometric technology or gather biometric information from Illinois residents must comply with BIPA. To ensure compliance, regulated organizations should create a compliance assessment process that examines all of their procedures for collecting or processing biometric data.
A proper BIPA compliance checklist should at least include the following:
- Make a note of any procedures that involve collecting, processing, storing, or transmitting biometric data.
- Develop clear written policies that govern how your organization collects, processes, and protects consumer data. These policies should outline the necessary steps to safely collect, store, use, transmit, or destroy biometric data.
- Inform all employees and stakeholders of your organization’s biometric data policy, and communicate every step of the procedure accurately.
- Obtain consumer consent before collecting, processing, or sharing biometric information from any individual.
- Conduct periodic risk assessments to ensure all consumer data is adequately protected and the necessary protections are in place.
- Train and educate employees on the importance of safeguarding consumer data and how to meet the compliance standards of BIPA.
- Develop a written release for employees whose biometric identifiers are collected as a term of employment.
- Develop a data collection contract with all third-party data processors.
- Ensure all third parties within your supply chain meet BIPA compliance standards.
How Can UpGuard Help?
UpGuard Vendor Risk empowers organizations to ensure BIPA compliance across their entire supply chain. By using Vendor Risk, your organization will have access to flexible security questionnaires, powerful vendor assessment tools, and seamless remediation workflows that allow it to safeguard consumer data 24/7.
UpGuard Vendor Risk will also allow your organization to:
- Increase visibility across its supply chain
- Automate its vendor risk assessment process
- Receive real-time risk updates
- Tier vendors based on their criticality and vulnerability levels
- Calculate the impact of remediated risks
- Generate instant reports
- Stay informed on relevant data breaches and industry information
- Monitor all third-party risks in one centralized dashboard
Organizations that collect and store biometric data can also utilize UpGuard BreachSight to manage their external attack surface. This comprehensive cybersecurity tool enables organizations to monitor security risks, identify vulnerabilities, and make informed decisions regarding risk remediation based on real-time notifications.