Biometric Information Privacy Act | Au LLC
12865
page-template,page-template-full_width,page-template-full_width-php,page,page-id-12865,ajax_fade,page_not_loaded,,qode-theme-ver-2.1.1,wpb-js-composer js-comp-ver-4.11.2.1,vc_responsive
 

Biometric Information Privacy Act

Illinois Biometric Information Privacy Act

The term “biometrics” generally relates to technologies used to identify a person based on her unique biological characteristics. Perhaps the most well-known use of biometric technology is a fingerprint scan, where a person identifies herself by placing a finger on a device that scans her fingerprint. That information is processed and stored in a database and when the person wishes to identify herself in the future, her fingerprint is again scanned and that information is compared to the initially-captured data. If there is a match, the person is authentically identified. More exotic biometric technologies include facial and ocular (i.e., iris or retina) scans wherein those immutable geometries are processed to perform the same authentication.

The Illinois legislature, uniquely, has acknowledged that biometrics are “biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.1  It has been observed that “[b]iometric information recorded by machine, and the data linked to biometric observations, can be copied easily, shared quickly and widely, combined, and stored for long periods of time without degrading. That is how modern identification systems most threaten practical obscurity and the privacy it has afforded people for all of history.”2

fingerprint scan

Recent developments in fingerprint scanning and facial recognition devices, and software and databases enabling their use, has generated unique opportunities for the commercial proliferation of biometric technology, while also raising serious concerns about its threats to consumer privacy.  In 2008, lawmakers enacted the Illinois Biometric Information Privacy Act (“BIPA”), recognizing that “[t]he full ramifications of biometric technology are not fully known” and that “public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of Biometric Identifiers and information.”3

iris scan

Accordingly, the BIPA requires that a company in possession of Biometric Identifiers4 or Biometric Information5 develop a written publicly-available policy that establishes a retention schedule and guidelines for permanently destroying Biometric Identifiers and Biometric Information when the initial purpose for collecting such identifiers or information has been satisfied or within three years of the individual’s last interaction with the company, whichever occurs first.6

The BIPA makes it unlawful for a company to, among other things, “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s Biometric Identifiers or Biometric Information, unless it first: (1) informs the subject…in writing that a Biometric Identifier or Biometric Information is being collected or stored; (2) informs the subject…in writing of the specific purpose and length of term for which a Biometric Identifier or Biometric Information is being collected, stored, and used; and (3) receives a written release executed by the subject of the Biometric Identifier or Biometric Information.”7  Acknowledging the inherent risks in obtaining and exploiting Biometric Identifiers and Biometric Information for commercial purposes, the BIPA poses statutory remedies for violations including injunctive relief, statutory damages of between $1,000 and $5,000 per violation, and attorneys’ fees and costs.8

1 740 ILCS § 14/5(c).  Texas’ TEX BC. CODE ANN. § 503.001 generally covers the activities regulated by the BIPA, albeit without independently creating a private right of action for affected consumers.  There is pending legislation in Alaska, which mirrors the BIPA and its private right of action (SB 98), and in Washington, which mirrors the Texas law’s civil penalty enforced by the Texas Attorney General (HB 1094).
2 Jim Harper, Identity Crisis: How Identification is Overused and Misunderstood, 2006 Cato Institute,
3 740 ILCS § 14/5(f), (g).
4 740 ILCS § 14/10. “Biometric Identifier” includes “means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” but importantly EXCLUDES “writing samples, written signatures, photographs,” or physical descriptions.
5 740 ILCS § 14/10. “Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.
6 740 ILCS § 14/15(a).
7 740 ILCS § 14/15(b).
8 740 ILCS 14/20

If your fingerprint, facial, or iris/retina scan has been collected in the absence of disclosures detailing the collection process and/or a written release which you’ve executed, you may have a claim.  Contact us to evaluate your situation and whether recovery may be available under the Illinois Biometric Information Privacy Act.