Beware of Biometrics — What Companies Need to Know About the Illinois Biometric Information Privacy Act

 
 

Saturday, September 24, 2022, was an important day for some Illinois residents and tech-behemoth Google. That was the deadline for Illinois residents to submit their claims for a piece of the $100,000,000 settlement in a class-action lawsuit against Google for alleged violations of the Illinois Biometric Information Privacy Act (“BIPA”), an Illinois law that has been causing problems for tech companies. In addition to Google’s recent settlement, Snapchat, Facebook, and TikTok have all also settled multi-million-dollar class action claims for alleged violations of BIPA. So, what is BIPA, and why are tech companies paying out millions of dollars for violating it?

What is BIPA?

In short, BIPA regulates the collection, use, retention, disclosure, and destruction of a person’s biometric identifiers or biometric information (things like fingerprints and facial recognition data) by private entities. BIPA creates a private right of action for individuals aggrieved by a violation, and individuals who are found to have been aggrieved by companies under the law get damages of at least $1,000 for negligent violations or at least $5,000 for reckless or intentional violations.

Who does BIPA apply to?

Because BIPA is an Illinois statute, only Illinois residents can file BIPA claims. In the same vein, a company must be doing business in Illinois to be subject to BIPA’s requirements. Note that BIPA applies only to private entities, not to the government.

What does BIPA cover?

BIPA covers “biometric identifiers” and “biometric information.” Biometric identifiers include “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” (but do not include things like writing samples, written signatures, and physical descriptions like height, weight, or hair color). Biometric information includes “any information, regardless of how it is captured, converted, stored or shared, based on an individual’s biometric identifier used to identify an individual.”

What does BIPA require?

Among other requirements, BIPA mandates that companies must:

  • Provide a public, written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information;

  • Obtain informed consent from the person whose biometric identifier or biometric information the entity is collecting, capturing, purchasing, receiving through trade, or otherwise obtaining;

  • Not sell, lease, trade, or otherwise profit from a person’s or customer’s biometric identifier or biometric information;

  • Not disclose, redisclose, or otherwise disseminate a person’s or customer’s biometric identifier or biometric information; and

  • Store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the company’s industry.

Takeaway

If your company does business in Illinois and collects any of the types of biometric information discussed above, you will want to make sure that it follows BIPA. Otherwise, your company may end up like Google, Snapchat, Facebook, and TikTok and need to pay an unanticipated and hefty settlement.

 
