The Illinois Biometric Information Privacy Act (740 ILCS 14, a.k.a BIPA) was signed into law in 2008. It is the most stringent biometric state privacy law in the US, and yet many categories of biometric data are explicitly excluded as described below. You can find the text of the law here.
One unique aspect of BIPA is that it includes a private right of action, i.e. individuals can initiate lawsuits for violations of the law.
In addition to requiring consent for the collection or disclosure of biometric information, the law has several security-related features. BIPA requires companies to destroy biometric identifiers in a timely manner, securely store biometric identifiers, and use a “reasonable standard of care” in managing biometric information.
The law defines biometric identifiers narrowly—a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry—and says far more about what is not considered a biometric identifier under the law:
… writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color … biological materials regulated under the Genetic Information Privacy Act … X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, …
If you’d like to discuss the data privacy aspects of biometric data, under HIPAA and/or BIPA, give us a call.
Trusted consultants to some of the world’s leading companies
