Beware of Biometrics: Complying with Illinois’ Biometric Information Privacy Act

Morgan Lewis - Health Law Scan

Morgan Lewis - Health Law Scan

Biometrics are physical or behavioral human characteristics that can be used to digitally identify a person to grant access to systems, devices, or data. Examples of biometric identifiers are fingerprints, facial geometry scans, and voice prints, as each are considered unique to the individual. Unlike a Social Security number, a person’s biometric data generally cannot be altered.

States have begun enacting laws specifically addressing the collection and safekeeping of biometric data, with more states expected to follow suit in the coming years. By far the most prominent of these laws is the Illinois Biometric Information Privacy Act (BIPA), which has been the subject of hundreds of class action lawsuits in the last few years alone. While none of these class actions have yet gone to trial, there have been some noteworthy large settlements of cases.


The use of biometrics in the business world has become widespread, and the types of usage are constantly evolving. With new technological developments—and the technology itself becoming more readily available—industries of all sizes and kinds are using biometrics for many different purposes.

For example, fingerprint readers and facial geometry scanners are growing in use across healthcare settings. With just a touch of a finger or scan of a face, biometric tools can identify and authenticate patients and employees by detecting unique biological information. They often improve the accuracy of recordkeeping and guard the physical security of medications, thus reducing errors.

These technologies—aimed at increasing security and, to a lesser degree, convenience—do raise concerns about and risks to data privacy and cybersecurity. However effective, convenient, or efficient these technologies may be, companies need to think carefully about their adoption and implementation.


BIPA requires private entities that obtain biometric information or identifiers to first inform the subject in writing that their information is being collected and stored, inform the subject of the specific purpose and term for collection and storage, and secure a written release from the subject. BIPA also prohibits the disclosure of biometric information without the subject’s consent.

Private entities also cannot sell, lease, trade, or profit from a person’s biometric information. Further, BIPA requires a private entity in possession of biometric identifiers and information to develop a publicly available written policy establishing a retention schedule and providing guidelines for the permanent destruction of the information. Any person aggrieved by a BIPA violation may file suit to recover statutory damages of $1,000 for each negligent violation or $5,000 for each intentional or reckless violation, plus reasonable attorney fees and costs. To establish standing, actual harm is not required and mere procedural violations are sufficient.


Texas and Washington also enacted statutes governing their residents’ biometric data. Although neither statute provides a private right of action (instead leaving enforcement to the state attorney general), both states’ laws do impose certain notice and consent requirements, along with biometric data retention limits.

Numerous other states continue to consider legislation akin to the Illinois, Washington, and Texas laws. There is not yet a single, overarching federal law governing biometrics, despite some industry-specific laws incorporating biometrics protections in limited fashion.


Companies that handle biometric data—especially but not only biometric data belonging to Illinois, Texas, or Washington residents—should be aware of the numerous requirements that BIPA and the other state statutes imposes.

Companies should consider complying with BIPA and similar state regulations—even if not necessarily subject to the statutes—to mitigate the risk from the uncertainty of the statutes’ scope and application, to help deter costly litigation, and to provide a degree of insurance against future biometrics laws.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis - Health Law Scan | Attorney Advertising

Written by:

Morgan Lewis - Health Law Scan

Morgan Lewis - Health Law Scan on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.