The collection and use of biometric data, such as fingerprints, facial scans, and iris recognition, have grown rapidly as more organizations make biometric technology a core part of their processes.
With this rise comes the need for stringent privacy laws to ensure that biometric information is handled safely. In Illinois, a new rule is changing how employees can pursue damages against their employers for violations of the Illinois Biometric Information Privacy Act (BIPA).
This guide explains what BIPA entails, its recent amendments, and how businesses can adhere to its requirements using Mosey for corporate compliance.
What Is the Illinois Biometric Information Privacy Act?
The Illinois Biometric Information Privacy Act (BIPA), enacted by the Illinois legislature in 2008, was designed to regulate the collection, storage, and use of biometric identifiers like fingerprints, voiceprints, retinal scans, and facial recognition data.
Unlike other forms of personal data (e.g., names and addresses), biometric data is unique to each individual and, once compromised, cannot be changed or replaced.
BIPA establishes strict guidelines for every business that collects or transmits biometric information, ensuring individuals have the right to be informed of several key aspects of data collection before they agree to biometric identification.
These aspects include:
- What biometric data is being collected (such as fingerprint scans, face geometry scans, or another unique identifier)
- How biometric data will be used
- How long biometric data will be stored
- Whether biometric data will be shared with any third parties
Employees must provide informed consent before allowing their biometric data to be collected or stored.
Why Is BIPA Important?
BIPA is an important Illinois compliance issue for employers. This biometric law offers strong protections for Illinois residents, giving them control over how their biometric data is handled. It also empowers them to file lawsuits (including class-action lawsuits) if their rights are violated. As a result, businesses must take special care to comply with the law to avoid costly litigation.
Many employees have exercised their right to file lawsuits against their employers, and most of these suits have been lengthy and costly for everyone involved.
To alleviate pressure on the Illinois court system, the Illinois Supreme Court has revisited BIPA provisions and changed how compliance violations and data privacy claims are legally managed.
What Are The Amendments to the Illinois Biometric Information Privacy Act?
While BIPA’s core principles have remained the same since its inception, recent amendments have expanded its scope and reinforced its protections. The 2024 amendments aim to address some of the challenges businesses face in complying with the law while strengthening its protections for individuals.
Clarified Definition of Biometric Data
One of the amendments further clarifies the definition of biometric data. The term now includes any data used to identify an individual based on physiological characteristics. This expanded definition ensures evolving technologies, such as new facial recognition systems, are included.
Reduced Penalty Cap for Small Businesses
A notable update is the introduction of a reduced penalty cap for small businesses. This change seeks to balance the need for strong privacy protections with the operational realities of a small business, which may struggle to comply with certain aspects of the law.
Condensing Violation Claims
Under the former rules, each use of an employee's biometric data without full consent could be treated as a separate violation of BIPA.
For example, if an employee used retina biometrics to unlock a company computer ten times a day for two years, each instance would have been considered a separate violation. Penalties would be astronomical, potentially bankrupting a business.
The changes to the law dissuade single-plaintiff lawsuits and eliminate lawsuits in federal court in favor of simplified class action lawsuits, making it easier for employers to resolve compliance violations through a single court process.
Simplified Consent and Notice Procedures
The amendments also introduce streamlined consent and notice procedures to ease compliance. While businesses are still required to obtain informed consent from individuals, they can now do so through digital platforms and standardized language approved by the state.
This change aims to help businesses implement the law more efficiently without compromising individual rights.
Data Retention Guidelines
The recent amendments also provide clearer guidelines on data retention, including retention schedules for how long businesses can store biometric data. Biometric information must now be disposed of within three years of the last interaction with the individual unless a longer period is required by law.
How Does The Illinois Biometric Information Privacy Act Work?
At its core, BIPA outlines how biometric data should be collected, stored, and used. Businesses must adhere to specific requirements or risk penalties.
Written Notice and Consent
Before collecting biometric information, businesses must provide written notice to the individual. This notice must inform the person of the following:
- The specific type of biometric data being collected
- The purpose of collection
- How long the data will be stored, and when it will be destroyed
Importantly, businesses must obtain written consent from individuals before they can collect their biometric data. This ensures individuals understand how their data will be used and stored. The new amendments allow employees to give electronic consent.
Limited Data Use
BIPA strictly limits the use of biometric data. Businesses can only collect and use biometric data for purposes specified in their privacy policies; any additional use requires new consent from the individual.
BIPA also prohibits the sale or transfer of biometric data to third parties without the individual’s explicit consent. This means businesses cannot sell or share biometric information without informing the individual and obtaining their approval.
Data Safeguarding Measures
By state law, businesses must use industry-standard security practices to protect biometric data. This includes implementing encryption for sensitive information, access controls, and regular audits to ensure that biometric information is not misused or compromised.
Companies that use biometric data should have a full-time dedicated IT team or cybersecurity expert to ensure data protection.
Right To Sue
Finally, BIPA gives individuals the right to sue if their biometric information is collected or used in violation of the law. This private right of action has led to numerous lawsuits in Illinois, making BIPA compliance a top priority for businesses that collect biometric data.
This private right of action is what prompted the recent amendments to BIPA. Under the new rule, lawsuits are more manageable for businesses, but organizations should not take the added leniency for granted. Even though handling a BIPA claim in court is simpler now, it is still expensive and time-consuming.
Who Does the Illinois Biometric Information Privacy Act Apply To?
BIPA applies to any business or organization that collects or uses biometric data in Illinois, regardless of whether the company is based in the state. If a company interacts with Illinois residents and gathers biometric information, it must comply with BIPA’s rules.
Employers
Private employers commonly use biometric data to track employee attendance (through fingerprint scanners or facial recognition), making employers a key group affected by BIPA.
Healthcare Providers
Biometric data may be used to verify patient identity or access medical records.
Retailers
Some retailers use facial recognition technology for security purposes or customer identification.
Technology Companies
BIPA directly impacts companies that provide biometric services (such as facial recognition software).
Exemptions
BIPA has some exemptions. For example, biometric data collected for law enforcement purposes or under federal regulations is not subject to BIPA. However, most businesses that handle biometric data for commercial purposes fall under the law’s jurisdiction.
How To Comply With the Illinois Biometric Information Privacy Act
For businesses operating in Illinois, compliance with BIPA is crucial to avoid legal risks. Here are the steps that employers can take to ensure they meet the law’s requirements:
Establish a Biometric Data Policy
Employers should start by developing a clear biometric data policy that outlines how biometric information is collected, used, and stored.
This written policy should include:
- The purpose of collecting biometric data
- How long the data will be retained
- The security measures in place to protect the data
- Procedures for the disposal of biometric information after it is no longer needed
Provide Notice and Obtain Consent
Businesses must make sure they provide written notice to individuals before they collect their biometric data. This notice should be easy to understand and clearly explain the reasons for data collection. Once notice is provided, businesses must obtain written consent from the individual, either in physical or digital form.
The easiest method for collecting consent is to send a one-time-only blanket notice to employees and have them sign electronically. You can also collect a written release.
Regularly Audit Data Security Measures
Implementing strong security measures is a key component of BIPA compliance. You should:
- Encrypt all stored biometric data
- Limit access to biometric information to authorized personnel only
- Conduct regular security audits to ensure all data protection protocols are in place and function properly
It is also helpful to review the consent received from employees. Retain the consent records of former employees in case questions arise later. Finally, make sure your process for collecting consent from new employees does not let recent hires slip through the cracks.
Elevate Your Compliance With Mosey
Even though recent amendments have streamlined the process of handling BIPA compliance violations, compliance with biometric privacy laws remains a serious matter. Contending with a class action lawsuit can be expensive and have a devastating impact on your business.
Mosey knows compliance issues. Our corporate compliance platform makes it easy to track state and local compliance issues that impact your business. Book a demo with Mosey today to learn how we can help you stay on top of key compliance issues.