Illinois Biometric Information Privacy Act


In 2008, Illinois enacted the Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”). BIPA is the most stringent law of any state regarding the consent, notice and disclosure procedures private companies must follow when collecting, storing or using people’s biometric information. Biometric information is defined (740 ILCS 14/10) to mean “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” It does not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. It also does not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment.

The BIPA requires companies to inform persons in writing about the specific purposes and length of time for which their biometric information will be collected, used or stored. No private entity may collect, use or store biometric information without first receiving a written release by the person whose biometric information is sought. The BIPA also requires a written schedule and guidelines for the retention and destruction of the biometric information to be made public. Finally, BIPA mandates consent and notice procedures that private entities must follow before disclosing someone’s biometric information to a third party.

Under the BIPA, aggrieved individuals have the right to sue violators and to collect the greater of $1,000 or actual damages for each violation negligently committed, and the greater of $5,000 or actual damages for each violation recklessly or intentionally committed. Plaintiffs can also collect attorneys’ fees and costs under the BIPA.

A common violation involves the use of fingerprint-operated machines to clock employees’ work hours without informing employees about the companies’ policies for use, storage and ultimate destruction of the fingerprint data or obtaining the employees’ written consent before collecting, using or storing the biometric information.