WHAT IS BIPA?
The Illinois legislature unanimously passed the Biometric Information Privacy Act (“BIPA”) in 2008, an initiative led by the ACLU of Illinois. The law ensures that individuals are in control of their own biometric data and prohibits private companies from collecting it unless they:
- Inform the person in writing of what data is being collected or stored. (e.g. fingerprint is stored when using TouchID to log into bank account app on phone)
- Inform the person in writing of the specific purpose and length of time the for which the data will be collected, stored and used. (e.g. fingerprint is stored for ease of logging into app and only for a duration of six months)
- Obtain the person’s written consent. (e.g. user signs their name before sharing their fingerprint)
Biometric information includes retina or iris scans, fingerprints, voiceprints, hand scans, facial geometry, DNA, and other unique biological information.
WHAT DOES BIPA DO?
BIPA establishes standards for how companies must handle Illinois consumers’ biometric information. In addition to its notice and consent requirement, the law prohibits any company from selling or otherwise profiting from consumers’ biometric information. BIPA continues to stand as the most protective biometric privacy law in the nation, with the only one of its kind to offer consumers protection by allowing them to take a company who violates the law to court
WHY DO WE NEED BIPA?
A person’s biometric information belongs to them, and only them. This information should never be left to corporate interests who want to collect data and use it for commercial purposes. BIPA is currently the one legislation that makes it unlawful for private companies to use facial recognition technology to identify and track people without their consent. This technology has proven to be both inaccurate and harmful, making it prone to discriminatory effects, especially on women and people of color. Yet, more than a decade after BIPA’s enactment, we constantly hear new examples about companies seeking to collect, share, and misuse personal information of millions of people, without their knowledge or consent. At this critical moment, it is important for state decision makers to continue protecting BIPA under mounting attacks.
Unlike a phone number, email address, or other password, biometric information can never be changed! That is why we continue to rely upon BIPA to protect our most sensitive information.