The Illinois Biometric Information Privacy Act (BIPA)

The Illinois Biometric Information Privacy Act or BIPA for short is an Illinois state law passed in 2008 that regulates the collection, storage, retention, safeguarding, use, and destruction of biometric information and identifiers. If residents living within the state of Illinois feel as though their biometric information has been shared with business or third parties without their consent, the BIPA allows them to take any applicable parties to court and put forth a grievance to recover financial damages, any associated legal or court fees, and other forms of relief deemed by a court of law in relation to a privacy violation. Furthermore, the BIPA was also the basis of a landmark 2019 case, Rosenbach v. Six Flags Entertainment Corp., that changed the ways in which such legislation has come to be viewed around the country. Despite all of this, many people may be wondering what biometric information is.

What is biometric information?

Biometrics is defined as the measurement and statistical analysis of an individual’s behavioral and physical characteristics. In the context of personal privacy, biometric information or identifiers can be used to identify, label, or describe individuals. Some common examples of physical biometric identifiers include facial recognition, fingerprints, DNA, iris recognition, hand geometry, palm veins, odor or scent, and retina or ear features. Alternatively, some common examples of behavioral biometric identifiers include signature, gait analysis, typing rhythm, gestures, keystroke, voice, and behavioral profiling.

How is biometric information used in the context of business?

The use of biometric information in the business world has become widespread in recent years, as many companies and industries such as banking and technology have begun to make use of biometric features such as fingerprint and facial recognition. As such, biometric information has come to be used in business in the following ways:

• Time management – Businesses across fields and industries have come to find that biometric time clocks, devices that allow employees to clock in and out via fingerprint or some other form of biometric identifier rather than a pin code or identification number, are more cost-effective, ensure more accurate compliance with attendance and labor policies, and help eliminate time theft.
• Security access – As one of the original and most common uses for biometric information in business, biometric identifiers can also be used for physical security in relation to entering a business or physical location, as well as to secure items such as laptops, portable storage devices such as hard drives or USB drives, and computer accessories such mice and keyboards through the use of facial recognition technology, fingerprint readers, and geometry scanners. Moreover, iris and retina scanners can also be used in businesses that may require a high-security level or clearance.
• Safety – Biometric information can be used to create a profile for each employee who is employed by a company or business. Through this profile, employers can ensure that their employees are up to date with training and certifications, disseminate crucial information, and issue credentials in a fraction of the time as it would take to do physically.
• Health plan – biometric information can be used for health programs and assist in the development and implementation of wellness programs. Through biometric information, employers can also assess potential health risks to employees, as well as provide incentives for implementing behavior that could lower these risks.

What criteria are Illinois businesses required to follow when collecting or using biometric information?

Under the BIPA, companies, and businesses that collect the biometric information of residents within the state of Illinois are required to follow the following comprehensive set of rules:

• Written retention and destruction – Private entities in possession of biometric information must develop a publicly available written policy in regards to the establishment of a biometric data retention schedule. This policy must also include guidelines for the permanent destruction of biometric information.
• Written release – The BIPA prohibits private entities from collecting any biometric information without a person’s written informed consent obtained in advance of said collection.
• Prohibition against profiting from biometric information- The BIPA strictly prohibits private entities in possession of biometric information from selling, leasing, trading, or profiting in another way from the biometric information of Illinois consumers. Additionally, private entities are also prohibited from circumventing this rule by obtaining consent from an individual.
• Restriction on disclosure – Under the BIPA, private entities in possession of biometric information may not “disclose, reclose, or otherwise disseminate” this information, unless they obtain an individuals consent, or the disclosure of their biometric information is required for a specific purpose that is set forth at the point of collection. For example, when an individual’s biometric information is needed to complete a financial transaction, or pursue a valid warrant or subpoena.
• Industry-specific “reasonable” security requirements – Private entities must also use “reasonable standards of care” in the processing of biometric information. However, the BIPA requires that this definition of “reasonableness” is informed in accordance with a specific industry’s level of care. Additionally, the level of security utilized must also be of a similar, if not more stringent and protective, manner than the security utilized for other confidential and sensitive information such as passcodes, social security numbers, and account numbers.

Unlike many state privacy statutes around the country, the BIPA allows for a private right of action that allows for any aggrieved person to recover the following damages in accordance with a BIPA violation:

• “Liquidated damages of $1000 or actual damages, whichever amount is greater, for negligent violations.”
• “Liquidated damages of $5000 or actual damages, whichever amount is greater, for intentional or reckless violations.

Plaintiffs involved in BIPA violation lawsuits are also entitled to recover reasonable attorney fees and related court costs, including expert witness fees and other litigation expenses.

What is the significance of Rosenbach v. Six Flags Entertainment Corp?

In Rosenbach v. Six Flags Entertainment Corporation, the plaintiff, the mother of a 14-year-old boy, sued the Six Flags Corporation on the grounds that the corporation had violated the BIPA. The plaintiff alleged that the theme park had collected the biometric information of her son in the form of a fingerprint without first obtaining written consent. Moreover, the plaintiff also alleged that the Six Flags Corporation failed to provide her with proper disclosure in relation to the collection, use, and retention of her son’s fingerprint data. Alternatively, the Six Flags corporation countered by arguing that the plaintiff was not “an aggrieved” party for the purposes of the BIPA, as she had not alleged that an “actual injury” had occurred as a result of the biometric information that was collected from her son.

In the end, The Illinois Supreme Court concluded that a consumer did not need to demonstrate “an adverse effect or specific harm (such as evidence that personal information was stolen or misused) to have standing to sue under BIPA”. This decision was in stark contrast to the ways in which many privacy laws are written and enforced around the country, as plaintiffs in privacy lawsuits and cases often have to prove that they sustained some form of damage or harm in relation to the illegal disclosure of their personal information. As such, Rosenbach v. Six Flags Entertainment Corp will serve as a landmark case for future biometric privacy laws and cases around the country.

The BIPA was the first comprehensive biometric privacy law to be passed within the United States. As such, it has been extremely influential in the space of biometric privacy, as many states around the country have come to draft and pass their own forms of biometric privacy laws in response to the BIPA. What’s more, the case of Rosenbach v. Six Flags Entertainment Corp has changed the ways in which privacy laws, in general, are viewed within the U.S., as what is considered a violation of a citizen’s privacy in our current digital age is something that is still up for debate and discussion.