Biometric Information Privacy Act

Illinois is a pioneer in the world of biometric privacy. The Biometric Information Privacy Act (BIPA), enacted in 2008, is one of the strictest laws in the US when it comes to protecting your fingerprints, face scans, and other unique biological identifiers.

Think of BIPA as a superhero with a magnifying glass, carefully scrutinizing how companies collect, use, and store your biometric data. (And unlike some superheroes, it has some serious enforcement powers!)

What Does BIPA Actually Do?

BIPA places strict requirements on private entities that collect, capture, purchase, receive through trade, or otherwise obtain biometric identifiers or biometric information, such as:

  • Fingerprints

  • Face scans

  • Iris scans

  • Voiceprints

  • Hand and vein scans

Key Provisions of BIPA:

  • Informed Consent: Companies must obtain written consent from individuals before collecting or storing their biometric data. This means no sneaky data collection without your knowledge!

  • Data Security: Companies must protect biometric data with reasonable security measures, including establishing a written policy for securely storing, retaining, and destroying the data.

  • Prohibition on Sale or Profit: Companies cannot sell, lease, trade, or otherwise profit from an individual's biometric data.

  • Private Right of Action: Individuals can sue companies for BIPA violations, even without showing actual harm. This is a big deal, as it gives individuals strong legal recourse to protect their biometric privacy.

Why is BIPA So Important?

BIPA is a landmark law that sets a high bar for biometric privacy protection. It recognizes the unique sensitivity of biometric data and the potential for misuse. Non-compliance can lead to:

  • Hefty fines: Each violation can result in a penalty of $1,000 for negligent violations and $5,000 for intentional or reckless violations. (And in class-action lawsuits, those fines can multiply quickly!)

  • Reputational damage: BIPA violations can erode consumer trust and harm a company's reputation.

  • Legal challenges: Individuals can file lawsuits for BIPA violations, leading to costly litigation and settlements.

Who Needs to Comply with BIPA?

Any private entity that collects, uses, or stores biometric data of Illinois residents needs to comply with BIPA, regardless of where the company is located. This includes:

  • Employers using fingerprint scanners for timekeeping or security.

  • Retailers using facial recognition technology for loss prevention or customer identification.

  • Social media companies collecting biometric data for photo tagging or facial recognition features.

  • Any company using voice recognition technology to identify customers or employees.

How Can Businesses Comply with BIPA?

  • Develop a written biometric information policy.

  • Obtain informed consent before collecting or storing biometric data.

  • Implement reasonable security measures to protect biometric data.

  • Refrain from selling or profiting from biometric data.

  • Train employees on BIPA requirements.

Aetos Data Consulting Can Help:

Aetos Data Consulting provides expert guidance and support to help businesses navigate the complexities of BIPA. Our services include:

  • BIPA compliance audits

  • Policy development and implementation

  • Training and awareness programs

Contact us today to learn more about how we can help your business achieve and maintain BIPA compliance.
