Biometric Information Privacy Act

The Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/5) is a law that was enacted in the state of Illinois, United States. It was first passed in 2008 and has since been recognized as one of the most comprehensive and stringent biometric privacy laws in the country. BIPA regulates the collection, use, and storage of biometric information by private entities. Biometric information refers to unique physical or behavioral characteristics of an individual, such as fingerprints, iris or retina scans, voiceprints, and facial geometry. The law requires companies to obtain written consent from individuals before collecting their biometric data and to provide information about the purpose and duration of the data collection.

BIPA imposes specific requirements on how biometric data should be handled and stored. It requires entities that collect biometric information to develop and maintain a publicly available written policy outlining their data retention and destruction practices. Companies must also take reasonable measures to protect the confidentiality, integrity, and security of the biometric data they collect. One notable aspect of BIPA is its provision allowing individuals to bring private lawsuits against entities that violate the law. If a company fails to comply with the law’s requirements, individuals can seek damages, including actual damages or statutory damages ranging from $1,000 to $5,000 per violation, depending on the nature of the violation.

The law was reformed in August 2024 to limit the damages for BIPA violations. Following the reforms, damages for BIPA violations are no longer calculated on a “per scan” basis but are instead calculated “per person,” so that multiple scans or collections of biometric information for one person allow just one recovery under the law.

BIPA has gained increased attention and significance with the proliferation of biometric technology and its use in various industries, including in areas such as facial recognition systems, employee timekeeping systems, and customer authentication processes. The law aims to safeguard individuals’ privacy rights and ensure that their biometric information is handled responsibly and securely.