Biometric Information Privacy Act (BIPA)

%3Ciframe%20width%3D%22100%25%22%20height%3D%22166%22%20scrolling%3D%22no%22%20frameborder%3D%22no%22%20allow%3D%22autoplay%22%20src%3D%22https%3A%2F%2Fw.soundcloud.com%2Fplayer%2F%3Furl%3Dhttps%253A%2F%2Fapi.soundcloud.com%2Ftracks%2F697829464%26amp%3Bcolor%3D%2523397ba8%26amp%3Bauto_play%3Dfalse%26amp%3Bhide_related%3Dfalse%26amp%3Bshow_comments%3Dtrue%26amp%3Bshow_user%3Dtrue%26amp%3Bshow_reposts%3Dfalse%26amp%3Bshow_teaser%3Dtrue%22%3E%3C%2Fiframe%3E

Privacy statement. This embed will serve content from soundcloud.com.

Talking Liberties with the ACLU of Illinois · Episode 16: Protecting Your Biometric Information

WHAT IS BIPA?

The Illinois legislature unanimously passed the Biometric Information Privacy Act (“BIPA”) in 2008, an initiative led by the ACLU of Illinois. The law ensures that individuals are in control of their own biometric data and prohibits private companies from collecting it unless they:

Inform the person in writing of what data is being collected or stored. (e.g. fingerprint is stored when using TouchID to log into bank account app on phone)
Inform the person in writing of the specific purpose and length of time the for which the data will be collected, stored and used. (e.g. fingerprint is stored for ease of logging into app and only for a duration of six months)
Obtain the person’s written consent. (e.g. user signs their name before sharing their fingerprint)

Biometric information includes retina or iris scans, fingerprints, voiceprints, hand scans, facial geometry, DNA, and other unique biological information.

WHAT DOES BIPA DO?

BIPA establishes standards for how companies must handle Illinois consumers’ biometric information. In addition to its notice and consent requirement, the law prohibits any company from selling or otherwise profiting from consumers’ biometric information. BIPA continues to stand as the most protective biometric privacy law in the nation, with the only one of its kind to offer consumers protection by allowing them to take a company who violates the law to court

WHY DO WE NEED BIPA?

A person’s biometric information belongs to them, and only them. This information should never be left to corporate interests who want to collect data and use it for commercial purposes. BIPA is currently the one legislation that makes it unlawful for private companies to use facial recognition technology to identify and track people without their consent. This technology has proven to be both inaccurate and harmful, making it prone to discriminatory effects, especially on women and people of color. Yet, more than a decade after BIPA’s enactment, we constantly hear new examples about companies seeking to collect, share, and misuse personal information of millions of people, without their knowledge or consent. At this critical moment, it is important for state decision makers to continue protecting BIPA under mounting attacks.

Unlike a phone number, email address, or other password, biometric information can never be changed! That is why we continue to rely upon BIPA to protect our most sensitive information.

HOW DO WE PROTECT BIPA:

With new technological advancements implicating the biometric information of millions of people at a time, the strong protections of Illinois’s law are more critical now than ever. BIPA is the one recourse Illinoisans have to control their own fingerprints, facial scans, and other crucial information about their bodies. That is exactly what the General Assembly had in mind when it enacted BIPA and what the Illinois Supreme Court held when it analyzed the law in Rosenbach v. Six Flags. The Court recognized that in addition to controlling their own biometric information, individuals must have the right to sue companies that unlawfully collect this information in order to hold them accountable. State decision makers must continue to protect BIPA without chipping away at any of the protections it offers.

BILLS THAT WEAKEN BIPA:

A number of bills introduced this session weaken the strength of BIPA. Specifically:

Bill #	Status	Weakens BIPA by …
HB 5635 Keicher	Referred to Rules Committee	Expanding the collection of biometric information by creating exceptions to the notice and consent requirement for security purposes and the use of biometric time clocks and locks. Giving covered entities a “get out of jail free card,” by allowing them to get away with violating BIPA, knowing that they can avoid any liability under the law by stopping their violations during the 30-day cure period. Providing local or federal government agencies the ability to issue an order, warrant, or subpoena allowing entities to retain biometric information indefinitely. Creating a 1-year statute of limitation.
HB 4686 Ozinga	Re-referred to Rules Committee	Creating the “get out of jail free card” by establishing a 1-year statute of limitation and a 30-day cure period. Allowing entities to bargain their way out of compliance with BIPA. Increasing the amount of information collected about us by allowing entities to collect information derived from biometrics. Severely weakening the private right of action.
HB 4102 Ford	Referred to Rules Committee	Expanding the collection of biometric information by creating a “security purpose” exception to the notice and consent requirements. Creating a “security purpose” exception to the 3-year period that entities can retain biometric information. Increasing disclosures of biometric information through a “security purpose” exception to the prohibition on disclosures. Limiting the ability to be anonymous online.
SB 3319 Murphy	Referred to Assignments	Limiting the scope of entities that must comply with BIPA to those that employ more than 5 individuals despite it only taking one person to collect our biometric information without our permission.
HB 5836	Referred to Rules	Creating a carveout from compliance for Internet dating services and undefined “providers” acting on their behalf if the collection, use, retention, and disclosure of biometrics can be justified for the vague and broad definition of “security purposes.”