Biometric Information Privacy Act

The Biometric Information Privacy Act (“BIPA”)(740 ILCS 14/5) is a law that was enacted in the state of Illinois, United States. It was first passed in 2008 and has since been recognized as one of the most comprehensive and stringent biometric privacy laws in the country. BIPA regulates the collection, use, and storage of biometric information by private entities. Biometric information refers to unique physical or behavioral characteristics of an individual, such as fingerprints, iris or retina scans, voiceprints, and facial geometry. The law requires companies to obtain written consent from individuals before collecting their biometric data and to provide information about the purpose and duration of the data collection.

BIPA imposes specific requirements on how biometric data should be handled and stored. It requires entities that collect biometric information to develop and maintain a publicly available written policy outlining their data retention and destruction practices. Companies must also take reasonable measures to protect the confidentiality, integrity, and security of the biometric data they collect. One notable aspect of BIPA is its provision allowing individuals to bring private lawsuits against entities that violate the law. If a company fails to comply with the law’s requirements, individuals can seek damages, including actual damages or statutory damages ranging from $1,000 to $5,000 per violation, depending on the nature of the violation.

BIPA has gained increased attention and significance with the proliferation of biometric technology and its use in various industries, including in areas such as facial recognition systems, employee timekeeping systems, and customer authentication processes. The law aims to safeguard individuals’ privacy rights and ensure that their biometric information is handled responsibly and securely.