The Illinois Biometric Information Privacy Act and Your Business

A classic device used in Star Trek Deep Space 9 is the retinal scanner, which was used to secure rooms and access briefings. The scans weren't new technology.They had been in use since the 21st century and were so good that they were in continued use in the 24th. Though, voiceprint access was much more common.

Retina scanners exist in the real world, and they were actually invented back in 1975. If you work in a secure facility, then you're probably familiar with them. For the rest of us, we're more familiar with the facial scan or the fingerprint system.

Devices like retina scanners collect what's called biometric data. And while biometric data has been around a while, the rapid evolution of it in the last 20 years has led to the introduction of laws to protect it for the first time.

Illinois published the first biometric privacy law in the U.S. known as the Biometric Information Privacy Act (BIPA) of 2008. And given the way biometric information has become a critical part of our daily lives, it's essential to know what it means for your business.

Do you collect biometric information from Illinois residents? You need to comply with the Act. Our guide will teach you what that means and what you need to do.

The Unique Challenges Related to Biometric Data

Before diving into the legislation, it's worth understanding the impetus of it, which in this case is the unique challenges posed by biometric data.

Biometric data includes unique human characteristics (biological or behavioral) that are measurable and suitable for use for identifying an individual. The most common examples are fingerprints and facial or voice recognition.

Today, biometric data is incredibly commonplace. Both Apple and Android users have been able to use it on their personal devices for years. And biometric facial recognition hardware will be in 90% of phones by 2024.

If you have worked in a secure building in the last ten years, then you might have also encountered it through building security measures and employee time tracking. So, you may not think twice about using it.

Although it's now considered to be a standard form of data, it differs from other types of personal data, like addresses and Social Security numbers. If someone steals a person's address and credit card number, there are means by which they can report it and change it if required. It's rarely easy, but it's possible. You can even rectify full-blown identity theft. Again, not easy but usually possible.

When biometric data is lost, it makes the subject more vulnerable. You can't change your fingerprints or facial features. As a result, when a breach occurs, the biometric data can never be used as a security feature again. Your fingerprint is virtually worthless, and that becomes an even bigger problem as biometric devices become more prominent in our daily lives.

The bottom line: biometric data is both valuable and vulnerable. As a result, those who collect, store, and process it need to be exceedingly careful with it. Hence, it becomes clear why states like Illinois feel the need to legislate the issue.

What is the Illinois Biometric Information Privacy Act?

Back in 2008, the state of Illinois recognized the vulnerabilities of biometric data and set about doing more to ensure that anyone who uses it does their absolute best to avoid exposing it. It was the first state to do so. Texas and Washington state followed suit.

For Illinois, biometric data includes any information based on an individual's biometric identifier regardless of how it is gathered, used, shared, or stored.

The Illinois Biometric Information Privacy Act (BIPA) covers the following actions as applied to biometric data:

• Collecting
• Using/processing
• Safeguarding
• Storing
• Retaining
• Destroying

Moreover, it aims to make sure that individuals have control over their own biometric data, given how sensitive and unique it is.

The law covers "private entities," which it defines as an:

• Individual
• Partnership
• LLC
• Corporation
• Public body

The number and types of individuals and groups covered makes it one of the strictest biometric privacy laws in the United States. In effect, you can't touch anyone's biometric data for commercial use without remaining strictly compliant with these rules.

Does Your Organization Have to Comply?

The Illinois Biometric Information Privacy Act applies to the commercial private entities (described above) who do business in Illinois.

Essentially, if you collect biometric data from Illinois residents for business purposes, then you must comply.

If you don't, your users or customers can sue you in the Illinois courts or in federal court. And there's a good chance they will. Some of the court cases involving the law include:

• Facebook Biometric info. Privacy Litig., 185 F. Supp. 3d 1155
• Pezen v. Facebook, Inc.
• Licata v. Facebook, Inc.
• Patel v. Facebook, Inc.
• Gullen v. Facebook, Inc
• Norberg v. Shutterfly, Inc
• Monroy v. Shutterfly, Inc.
• Rivera v. Google, Inc.
• Rosenbach v. Six Flags Entm't Corp.

The lawsuits above opened the floodgates. Between July and November of 2017, employees across the state of Illinois filed more than 30 employment class actions based on the law with the state court.

There are also statutory damages built into the law, which we will discuss in more detail in a later section.

The Biggest Challenge to the Illinois Biometric Privacy Act So Far

Illinois's choice to protect biometric data has been less-than-popular among big corporations, like Facebook and Google, who use this type of data in their day-to-day processing and identification activities.

For example, both Google and Facebook use facial recognition software on their primary platforms to sort through and assign photos to an identity. Both have also seen lawsuits as a result of their practices, and Facebook has lobbied hard for changes to the Illinois law that would favor its business operations.

In 2019, a case went as far as the Illinois Supreme Court before the Court upheld the law as written.

The challenge came from Six Flags, the theme park, which allegedly collected fingerprints from a minor without first seeking parental approval. Six Flags argued that it wasn't liable under the law unless the minor had proof of injury as a result of the collection, unauthorized or not.

If successful, the Six Flags challenge would have whittled the law down to allow more companies to collect biometric data.

However, the Illinois Supreme Court said "a person need not have sustained actual damage beyond violation of his or her rights under the Act."

Essentially, the Court and the state believe that whatever it costs to collect and protect biometric data according to the rules of the law is far less than the damage done to an individual's privacy if a business fails to meet the law's requirements.

The takeaway from the case is important to remember when you question the lengths you need to go to in implementing the provisions of the law. Businesses who want to use biometric data are expected to do and spend what it takes to protect it, period.

Legislative Challenges: What is SB3053?

The courts have thus far upheld the Biometric Information Privacy Act as it stands, but the Illinois General Assembly may change it on its own.

In 2018, SB3053 reached the Illinois Senate floor, which would dramatically alter the act.

It says that the Act would no longer apply to identities collecting, storing, or transmitting biometric data if they are doing so for one of the named reasons:

• Using it exclusively for employment
• Using it exclusively for human resources
• Using it exclusively for fraud prevention
• Using it exclusively for security purposes

Additionally, the private entity would have to agree to not sell, trade, lease or profit from the data. It must also follow extensive security procedures to protect the data it does collect.

If passed, it would eliminate the need for the many businesses operating in Illinois to comply with the Act. Doing so would also eliminate data subjects' grounds for suing under the Act when their data is collected for a specific purpose.

Companies like Google and Facebook who use biometric data in their algorithms and not for security would not be affected. However, a law like this could open the door to further erosion of the rest of the law.

The law didn't pass in either of the 2018 legislative sessions, but it also wasn't voted down. The Illinois Senate postponed it on April 26, 2018 and again in 2019. But it could come up again in the future.

How to Comply with the Biometric Information Privacy Act

The law provides a list of comprehensive rules for any private entity that wishes to collect the biometric information of an Illinois resident.

To understand your role, it's helpful to break down the Act into its four key features.

1. Gathering informed consent before data collection
2. Understanding your limited rights to disclosure
3. Implementing the appropriate security obligations and retention timeline
4. Avoiding any profit from biometric data

Gathering Informed Consent

You can't touch the biometric data of any Illinois resident if you do not first seek informed consent from that individual.

The law says that you must:

• Inform the individual in writing that you intend to collect or store biometric information and how you intend to use it and how long you intend to store it, and
• Ask for and receive a written release agreeing to the collection and use

This applies to both use of data for general purposes and for employment purposes.

Additionally, if you are not able to contact the data subject directly, you must get confirmation from their legal representative. In the case of minors, it means contacting their parents or legal guardian and receiving a written release from them.

Remember that you must be honest and clear about your collection of the data. If you're not, you are vulnerable to violations, fines, and even class action lawsuits.

Understanding the Rights to Disclosure

BIPA grants you only a limited right to disclose the data, and if you must disclose the data, it needs to be with the data subject's consent. You need to notify the subject in writing, name the categories of third parties with whom you will share the data, and state the business purpose for your sharing.

The other potential reasons for disclosure include:

• When a financial transaction requested by the subject requires it
• When state, federal, municipal law require it
• When it is required for a warrant or subpoena

The limited right to disclosure ties into the profit requirement. If you can't share the data with whom you wish, it further limits companies from profiting from it.

Implementing Security and Retention Obligations

Like most other privacy laws, BIPA isn't prescriptive. When it comes to protecting the information, it says:

A private entity shall:

"store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and (2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information."

Some of the basic modes of security compliance may include:

• Using appropriate encryption measures
• Limiting access to information internally
• Practicing data minimization (only collecting what you need)

Avoiding Profit from Biometric Data

The law specifically stops you from selling, leasing, or profiting from any biometric data you collect regardless of whether you have consent to collect it.

Penalties for Failing to Comply with the Act

BIPA includes statutory penalties that can become a real problem for businesses.

You can face $1,000 for every negligent violation and $5,000 per 'intentional' or 'reckless' violation.

What's important to understand about the law and the recent Six Flags case is that the complainant doesn't need to prove harm. They only need to prove you violated the statute (e.g., gathered data without consent, sold data for profit, shared data without consent, etc.).

As a result, both violations and lawsuits can add up quickly, so compliance is very important.

Summary

The Illinois Biometric Information Privacy Act is a landmark piece of state legislation and governs the way commercial entities (from individuals to corporations) collect, use, store, and share biometric data. Its goal is to keep the data subject in control of their biometric data. After all, we're talking about retinas, fingerprints, voiceprints, and facial recognition.

Your business must comply with BIPA if you collect any biometric information from a resident of the state of Illinois. Compliance means asking for and receiving informed, written consent from each data subject. It also means agreeing not to sell or lease any of the data to generate a profit.

Compliance is important because citizens have been quick to sue and there doesn't need to be damage for their class action to be successful.

Ultimately, meeting the requirements of BIPA only requires you to be respectful of the nature of biometric data and make sure you don't take any actions that remove the data subject as the owner of the data. Good governance and a focus on consent should keep you clear of serious violations.