Biometric Information Privacy Act

If your fingerprint, facial, or iris/retina scan has been collected in the absence of disclosures detailing the collection process and/or a written release which you’ve executed, you may have a claim. Contact us to evaluate your situation and whether recovery may be available under the Illinois Biometric Information Privacy Act.

Contact Us

The term “biometrics” generally relates to technologies used to identify a person based on her unique biological characteristics. Perhaps the most well-known use of biometric technology is a fingerprint scan, where a person identifies herself by placing a finger on a device that scans her fingerprint. That information is processed and stored in a database and when the person wishes to identify herself in the future, her fingerprint is again scanned and that information is compared to the initially-captured data. If there is a match, the person is authentically identified. More exotic biometric technologies include facial and ocular (i.e., iris or retina) scans wherein those immutable geometries are processed to perform the same authentication.

The Illinois legislature, uniquely, has acknowledged that biometrics are “biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions. It has been observed that “[b]iometric information recorded by machine, and the data linked to biometric observations, can be copied easily, shared quickly and widely, combined, and stored for long periods of time without degrading. That is how modern identification systems most threaten practical obscurity and the privacy it has afforded people for all of history.”

Recent developments in fingerprint scanning and facial recognition devices, and software and databases enabling their use, has generated unique opportunities for the commercial proliferation of biometric technology, while also raising serious concerns about its threats to consumer privacy.  In 2008, lawmakers enacted the Illinois Biometric Information Privacy Act (“BIPA”), recognizing that “[t]he full ramifications of biometric technology are not fully known” and that “public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of Biometric Identifiers and information.”

Accordingly, the BIPA requires that a company in possession of Biometric Identifiers or Biometric Information develop a written publicly-available policy that establishes a retention schedule and guidelines for permanently destroying Biometric Identifiers and Biometric Information when the initial purpose for collecting such identifiers or information has been satisfied or within three years of the individual’s last interaction with the company, whichever occurs first.

The BIPA makes it unlawful for a company to, among other things, “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s Biometric Identifiers or Biometric Information, unless it first: (1) informs the subject…in writing that a Biometric Identifier or Biometric Information is being collected or stored; (2) informs the subject…in writing of the specific purpose and length of term for which a Biometric Identifier or Biometric Information is being collected, stored, and used; and (3) receives a written release executed by the subject of the Biometric Identifier or Biometric Information.” Acknowledging the inherent risks in obtaining and exploiting Biometric Identifiers and Biometric Information for commercial purposes, the BIPA poses statutory remedies for violations including injunctive relief, statutory damages of between $1,000 and $5,000 per violation, and attorneys’ fees and costs.