Illinois Biometric Data Privacy Laws Explained

by Daniel Perez - News Editor
0 comments

Illinois maintains some of the most stringent biometric privacy protections in the United States, primarily through the Illinois Biometric Information Privacy Act (BIPA). Enacted in 2008, the law requires private entities to obtain informed consent before collecting or storing biometric identifiers—such as fingerprints, retina scans, or facial geometry—and provides a private right of action for individuals to sue for violations.

Understanding the Illinois Biometric Information Privacy Act

The Illinois Biometric Information Privacy Act, or BIPA, serves as a foundational data protection statute. Unlike many state laws that focus on general data breaches, BIPA specifically regulates the lifecycle of biometric data. According to the American Civil Liberties Union (ACLU), the law mandates that private companies must inform individuals in writing that biometric data is being collected or stored and must receive a written release from the individual.

Understanding the Illinois Biometric Information Privacy Act

The statute defines biometric identifiers as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Under the law, companies are prohibited from profiting from this data and must establish a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers when the initial purpose for collection has been satisfied.

Legal Stakes and Private Right of Action

What distinguishes Illinois from most other states is the ability for individuals to seek legal recourse directly. Under 740 ILCS 14/20, any person aggrieved by a violation of the act has a right of action against an offending party.

Illinois White Castles facing $17B privacy lawsuit

This provision has led to significant litigation. As reported by the Illinois Supreme Court, the court clarified in the 2023 Cothron v. White Castle System, Inc. decision that BIPA claims accrue each time a company scans or transmits an individual’s biometric identifier without prior informed consent. This ruling underscored the potential financial liability for companies that fail to implement compliant data collection practices, as damages can be calculated on a per-violation basis.

Compliance Requirements for Businesses

For companies operating in Illinois, compliance is not optional. The Illinois Chamber of Commerce has frequently highlighted the necessity for businesses to audit their technology stacks to ensure any software utilizing facial recognition or fingerprint authentication meets the following criteria:

Compliance Requirements for Businesses
  • Informed Consent: Obtaining a clear, written release before any biometric data is captured.
  • Data Minimization: Collecting only the data necessary for the specific business purpose.
  • Destruction Protocols: Ensuring that biometric data is permanently deleted within three years of the individual’s last interaction with the entity or when the purpose for collection is fulfilled, whichever occurs first.
  • Public Disclosure: Maintaining a written policy that outlines the retention and destruction schedule.

Comparison of Biometric Privacy Frameworks

While Illinois remains at the forefront of biometric regulation, the landscape is shifting. Other states have begun to pass biometric privacy legislation, though many lack the same level of enforcement power found in Illinois.

State Statutory Focus Private Right of Action
Illinois BIPA (Strict) Yes
Texas Capture or Use of Biometric Identifier Act No (Enforced by Attorney General)
Washington Biometric Privacy Law No (Enforced by Attorney General)

In Texas and Washington, for instance, the authority to enforce biometric privacy violations generally rests with the state Attorney General rather than the individual consumer. This contrast highlights why Illinois remains the primary venue for biometric privacy litigation in the United States, as the ability for individuals to initiate lawsuits creates a higher threshold for compliance among tech providers and employers.

Related Posts

Leave a Comment