What makes the Illinois BIPA so groundbreaking for biometric data in video?

Today, biometric data collection is ubiquitous. From omnipresent street cameras and workplaces to our doorbell cameras and smartphones, biometric data is collected everywhere.

Within this context, the Illinois Biometric Information Privacy Act (BIPA) emerges as a pioneering piece of legislation. 

Enacted in 2008, BIPA was the first state law in the United States to provide a legal framework specifically designed to protect individuals' biometric information from unauthorised collection and use. 

This groundbreaking law underscores the importance of informed consent, robust data protection, and the right to privacy, setting a precedent in US data protection. Since its enactment, the law has been one of the most litigated privacy-related laws and has carried some of the highest penalties. 

For example, 2022 was a record year for BIPA litigation, with several lawsuits from employees, customers, and other litigants. 

In the fast-evolving landscape of biometric technology, BIPA not only holds up but continues to serve as a critical benchmark for privacy legislation. It has proven to be adaptable to new technologies and provides ongoing legal precedents and amendments that keep it relevant to contemporary biometric uses. 


Key features of the Illinois BIPA

BIPA is not merely a regulatory measure; it's a testament to Illinois' commitment to safeguarding personal privacy. 

Some of the main provisions of the law include:

  • Informed consent: BIPA requires organisations to obtain explicit consent from individuals before collecting their biometric data, to ensure people are aware of and agree to how their information is used.

  • Disclosure and profit prohibition: The act prohibits companies from selling or profiting from individuals' biometric information, which safeguards personal data from commercial exploitation.

  • Data protection and retention guidelines: It sets strict guidelines for the secure handling, storage, and eventual destruction of biometric data.

  • Right to action: BIPA grants individuals the right to sue for violations, providing a powerful mechanism for enforcing biometric privacy rights and holding entities accountable.


The evolution of BIPA

Recent changes and amendments to BIPA have only reinforced its significance. 

This is especially true in light of landmark lawsuits, such as the notable case against Facebook for its use of facial recognition technology without user consent. The case culminated in a $650 million settlement in 2020, one of the largest privacy settlements ever, and highlighted BIPA's effectiveness in holding tech giants accountable and its enforcement power for private litigants.

The pivotal 2019 Rosenbach v. Six Flags decision lowered the bar for suing under BIPA, opening the door for individuals to take legal action against entities that do not comply with the law. This decision came after the claimant filed a lawsuit against Six Flags for collecting her son's thumbprint without proper notice or consent during the process of issuing a season pass. The Illinois Supreme Court ruled that individuals do not need to prove actual harm to sue under BIPA; the mere unauthorised collection of biometric data in itself constitutes a violation of rights. This lowering of the bar for civil suits, in turn, amplified BIPA's role as a deterrent against unauthorised data collection.

Even today, the impact of BIPA extends beyond Illinois, inspiring other states like Texas and Washington to enact their own biometric privacy laws. 

In 2023 alone, 15 biometric privacy acts and law proposals were put forward in 11 states. 

This ripple effect underscores the growing recognition of biometric data's sensitivity and the need for stringent protections. Businesses operating in Illinois and beyond must now navigate a growing landscape of biometric privacy regulations, with BIPA serving as a benchmark for compliance and ethical data use.


How do businesses keep in line with BIPA?

For businesses, BIPA compliance is not optional but essential.

This includes:

  • Verifying that collecting biometric data is necessary

  • Obtaining explicit consent from individuals

  • Implementing state-of-the-art data protection measures to safeguard against unauthorised access or breaches

As individuals become increasingly aware of their rights under BIPA (and with biometric-specific laws growing in popularity), everyone must be informed about how to protect biometric data. Businesses must proactively review and update their data collection and protection practices to ensure full compliance with BIPA and to avoid hefty fines and lawsuits.


BIPA stands as a beacon of biometric privacy protection. As technology continues to evolve, so too must our approach to privacy and data protection. By staying informed and vigilant, both individuals and businesses can navigate the complexities of BIPA, ensuring the safe collection and use of sensitive personal information, and a future where privacy is not just expected but guaranteed.


To find out more about the data privacy landscape in the US, visit our policy page.
