Technological advances are leading many businesses to collect and store the biometric data of their employees, contractors, and customers for purposes of identification and authentication. Biometric data has many uses, such as giving people access to their accounts and sensitive financial information, providing employees, contractors, and customers physical access to workplaces and businesses, and giving employees the ability to clock in and out of work without using keyfobs or ID cards.
But how should Illinois businesses collect and store biometric data, and what obligations do they have to provide notice and receive consent? A little-known 2008 Illinois law, the Biometric Information Privacy Act (BIPA), provides important guidance.
Plaintiffs’ lawyers are increasingly turning to this law to challenge how entities collect and store biometric data. Since August 2017, over 25 class action lawsuits have been filed in Illinois alleging that the businesses failed to comply with BIPA’s written notification and release requirements when they collected the biometric data of their employees, contractors, and customers. If your business collects or stores biometric data – or is considering doing so in the future – here is a quick primer on BIPA.
What BIPA Covers
BIPA does not prohibit businesses from collecting or storing biometric identifiers. But if they do, they must comply with the law. BIPA defines “biometric identifiers” as a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” BIPA specifically excludes “writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color or eye color.” BIPA also does not apply to information collected by a healthcare institution for purposes of patient care.
What BIPA Requires
The law requires that an entity use a “reasonable standard of care” when storing, transmitting, or protecting biometric data from disclosure to protect the privacy of the individual providing the data. Businesses are also required to do so in a way that is “the same as or more protective” than the way they store, transmit, and protect other confidential and sensitive information.
BIPA also includes two additional important requirements:
-
Written Policy: Entities must have a policy — available to the public — that establishes a “retention schedule and guidelines for permanently destroying biometric identifiers and biometric information” if the purpose for which the information was collected has been satisfied or three years have lapsed from the individual’s last contact interaction with the entity.
-
Notification: Entities that collect, capture, purchase, or receive a biometric identifier must do three things: (1) notify the individual or an authorized representative in writing that the information is being collected or stored; (2) inform the individual or an authorized representative of the specific purpose and length of time that the biometric identifier will be collected, stored, and used; and (3) obtain a written release from the individual or an authorized representative.
Disclosure Is Limited
Disclosure of the biometric information to a third party is prohibited unless consent is obtained or the disclosure completes a financial transaction approved by the individual, is made for purposes of complying with a state or federal law or municipal ordinance, or is in response to a court-issued warrant or subpoena.
Damages Can Be Significant
BIPA includes a private right of action allowing any individual who is “aggrieved by a violation” of the law to sue the entity collecting or storing the data. Claimed damages may be significant and can add up in a class action suit. They include the following:
-
$1,000 in liquidated damages or actual damages (whichever is higher) if the entity is deemed to have negligently violated BIPA
-
$5,000 in liquidated damages or actual damages (whichever is higher) if the entity is deemed to have intentionally or recklessly violated BIPA
-
Reasonable attorneys’ fees and costs
-
Injunctive relief
What BIPA Excludes
BIPA has some important exclusions. First, it does not apply to “a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder.” Second, it is not intended to be construed to (1) conflict with the Private Detective, Private Alarm, Private Security, Fingerprint Vendor, and Locksmith Act of 2004 and the rules promulgated under that Act; or (2) apply to a contractor, subcontractor, or agent of a State agency or local unit of government when the contractor, subcontractor, or agent is working for that State agency or local unit of government.