Guide to the Illinois Biometric Information Privacy Act

Written by Chris Slack and last updated on 01 April 2020.

With the advancement of technology, businesses are using new techniques to gather information from their users to create user-friendly experiences. However, this also raises privacy questions.

In fact, a case involving Six Flags came up before the Illinois Supreme Court concerning the implementation of the state's Biometric Information Privacy Act (BIPA).

The case revolved around a mother suing for damages because her child had to give a fingerprint for a season pass without consent and without being informed about the collection of the biometric information. The court declined to dismiss the case, reasoning that waiting until some injury had actually been sustained as a result of the collection of biometric information would go against the spirit of the law.

This decision has led to many questions about the future of the collection of biometric information and how companies must comply with state laws regarding biometrics, including BIPA.


What Does BIPA Aim to Do?

BIPA was created in response to the growing use of biometric identifiers to "streamline" access to information and devices, such as phones.

In Section 10 of BIPA, biometric identifiers are defined as a "retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry." This biometric information is tied to your own genetics and physical features.

An example of a biometric identifier in everyday use is iPhone users unlocking their phone with a fingerprint instead of typing in a code:

Apple Support: Screenshot of Touch ID fingerprint

Since the use of biometrics is a rather recent technological development, Illinois lawmakers were concerned about the unknown ramifications of this data and wanted to protect the private information of the state's residents.

BIPA aims to protect the safety and privacy of individuals by supervising a company's following interactions with biometric information:

  • Collection
  • Use
  • Security
  • Handling
  • Storage
  • Retention
  • Destruction

Additionally, the Illinois Legislature set out to protect biometric privacy because biometric information differs fundamentally from other confidential information like email addresses and credit card numbers. Biometric information can't be changed: it consists of your physical features, which, once stolen, are compromised for good. That is why it demands a higher level of protection.

Who Does BIPA Apply to?

BIPA applies to private entities. Entities included are:

  • Individuals
  • Partnerships
  • Corporations
  • LLCs
  • Associations
  • Other groups

The act doesn't just apply to large companies like Google and Facebook. Any private entity, no matter the size, must follow the BIPA regulations.

However, there are a few exceptions to the rule.

Legal and government bodies are exempted from BIPA. The law states that state and local government agencies (including the clerk, justices, and courts of Illinois) do not fall under the scope of BIPA.

Additionally, the law does not apply to financial institutions, such as banks and brokerage firms, or contractors and subcontractors of a state agency.

What Does BIPA Require?

BIPA includes a wide range of requirements and regulations that companies must follow. The five key requirements are:

  • Informed consent before the collection of data
  • Entities have a limited right to disclosure
  • Entities are prohibited from profiting from data
  • Protect and retain data according to the act
  • Through a private right of action, individuals may collect either $1,000 for negligent violations or $5,000 for reckless or intentional violations

How to Comply With BIPA?

Before you do anything, make sure to double-check whether your company actually collects data that falls under BIPA's biometric information definition. Remember, this can include retina scans, fingerprints, and facial and hand scans.

If you do collect biometric information, make sure to follow these simple steps to comply with BIPA's regulations.

Create a BIPA Privacy Policy

The most important way to comply with BIPA is to publish a BIPA Privacy Policy. While BIPA is relatively new, some companies are beginning to include a BIPA Privacy Policy directed solely at any biometric information that is collected.

A BIPA Policy must state what biometric information is collected, how the information is stored, and how long the information is retained.

RAM Races created a separate BIPA Policy to comply with BIPA standards:

Screenshot of RAM Races BIPA Policy

RAM Races' BIPA Policy states the exact biometric information that is collected along with how the information is collected.

The Policy even states how long the data is retained, including a 3-year retention period for facial scans. All of this is accomplished in one simple paragraph.

Informed consent is required to collect biometric data. Your BIPA Privacy Policy must state how consent is obtained.

BIPA Privacy Policies have become a major factor in the workplace, with many companies using biometrics to perform jobs and collect information. TrueBlue collects biometric data when connecting potential employees with companies.

TrueBlue Biometric Data Policy: Policy Criteria and Purpose sections

TrueBlue's policy discloses the requirements under which data can be collected on a case-by-case basis. Collection can take place only after prior written consent has been obtained from an individual who has read the BIPA Policy:

TrueBlue Biometric Data Policy: Prior written consent section

Your BIPA Privacy Policy must be made available to the public. You can do this through links in the footer or by providing a public link elsewhere on your website or within your app.

GES actively collects finger-scans and other biometric information, as disclosed in its Biometric Information Policy, to keep track of time cards. GES' policy states how the data is collected and that the information is retained until the end of the employee's term or 3 years thereafter:

GES Finger-Scan and Biometric Data Information Policy: Third-party time clock section

At the bottom of GES' policy, it states how employees can learn more about the biometric data collection and download and sign the consent form, and it includes a publicly available link to the complete Policy:

GES Finger-Scan and Biometric Data Information Policy: Contact and Consent Form sections

Establish a Retention Schedule for Data

This requirement is specific to biometrics because one of the most important goals of BIPA is protecting data that cannot be changed.

Under BIPA, your Privacy Policy must include a retention schedule for the biometric information that is collected. You must also lay out the guidelines for how that information will be destroyed.

These guidelines should state that the information is destroyed once the "initial purpose" for which the data was collected has been satisfied, or within 3 years of the last time the user interacted with the company.
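The retention rule above is concrete enough to enforce in a purge job. The following is an added example, not code from the page or from any company it mentions: it computes the destruction deadline for each stored biometric record as the earlier of "initial purpose satisfied" and "3 years after last interaction" (BIPA Section 15(a) says "whichever occurs first"), using constructed sample records and assumed field names (`id`, `last_interaction`, `purpose_satisfied`).

```python
from datetime import date
from typing import List, Optional

# Retention rule summarized on this page (BIPA sec. 15(a)): destroy when the
# initial purpose is satisfied, or within 3 years of the last interaction,
# whichever occurs first.
RETENTION_YEARS = 3


def add_years(d: date, years: int) -> date:
    """Add calendar years, clamping Feb 29 to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # Feb 29 with no Feb 29 in the target year
        return d.replace(year=d.year + years, day=28)


def destruction_deadline(last_interaction: date,
                         purpose_satisfied: Optional[date] = None) -> date:
    """Latest date by which the record must be destroyed."""
    statutory_limit = add_years(last_interaction, RETENTION_YEARS)
    if purpose_satisfied is not None and purpose_satisfied < statutory_limit:
        return purpose_satisfied  # purpose ended before the 3-year limit
    return statutory_limit


def records_due_for_destruction(records: List[dict], today: date) -> List[str]:
    """Return ids of records whose destruction deadline is on or before today."""
    return [
        r["id"] for r in records
        if destruction_deadline(r["last_interaction"], r.get("purpose_satisfied")) <= today
    ]


# Constructed sample records (hypothetical ids and dates, not real data).
SAMPLE_RECORDS = [
    {"id": "emp-001", "last_interaction": date(2017, 1, 15)},               # 3-year limit passed
    {"id": "emp-002", "last_interaction": date(2019, 6, 1),
     "purpose_satisfied": date(2019, 12, 31)},                               # employment ended
    {"id": "emp-003", "last_interaction": date(2020, 3, 30)},               # still within limit
]

if __name__ == "__main__":
    for rec_id in records_due_for_destruction(SAMPLE_RECORDS, date(2020, 4, 1)):
        print("destroy biometric record:", rec_id)
```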

Firstsource's Biometric Information Security Policy is an example of a solid retention schedule and policy that notifies individuals of how long their information is stored:

Firstsource Biometric Information Security Policy: BIPA clause

This requirement extends to third parties that provide biometric data software or systems as well.

ADP stores biometric data for its clients through timeclocks. ADP's Biometric Information Privacy Policy includes a detailed retention schedule for data collected by its timeclocks when used by its clients. The data is stored until ADP's client notifies ADP that the employee has been terminated or has stopped using its services:

ADP Biometric Information Privacy Policy: Retention Schedule section

Companies are required to use the "reasonable standard of care" that applies in their industry when collecting and storing the data. This level of care may differ from industry to industry, so it is important to know the standard in your field.

Not Profiting from Data

BIPA states in sec. 15(c) that companies are not allowed to "sell, lease, trade, or otherwise profit" from the information that is collected from their users. This means you can't sell your users' biometric data to a third party that wishes to use the data, or get paid for that disclosure.

Individuals should be informed of your company's restrictions on using the data in your BIPA Privacy Policy.

Sonesta's Biometric Information Privacy Policy promises employees that Sonesta will use the data only for specific reasons, will not sell or trade the data, and will not profit from any transmission of the data:

Sonesta Biometric Information Privacy Policy: Sell, trade or profit from data section

Limited Right to Disclosure of Data

BIPA restricts the rights of companies to disclose biometric data. Companies may only disclose data when:

  • Consent was granted by the user
  • The disclosure completes a financial transaction the user has consented to
  • It's required by law
  • In response to a warrant or subpoena

Homz states in its Biometric Data Policy that the biometric information may be shared but will not be sold, and that it discloses the data only after receiving consent or when required by law:

Homz Biometric Data Policy: Confidentiality and Protection of Employee Biometric Data section

Including clauses that address the above issues and are similar to the ones in the examples will help you create a solid BIPA Privacy Policy that your employees, customers and legal authorities will be satisfied with.

What Happens if You Violate BIPA?

If you violate or fail to comply with BIPA, can your company face any penalties? In short, yes.

BIPA provides for a private right of action. A private right of action means an individual can sue a private entity for damages for failing to comply with the law.

No actual damages (i.e., monetary or physical) are required before a suit can be brought. The Illinois Supreme Court in the Six Flags case stated that the mere violation of an individual's rights under the act is enough to bring an action against your company.

If you violate BIPA, you may face one of the following penalties:

  • A negligent violation: $1,000 or actual damages
  • A reckless or intentional violation: $5,000 or actual damages
  • Attorney fees
  • Litigation fees

These base amounts (or actual damages) may seem small at first, but they can add up very quickly if your company faces a class action lawsuit, since each affected individual can claim them.

Summary

Biometric information is extremely sensitive and demands a higher standard of protection. As BIPA's reach continues to extend, private entities are going to need to update their practices and create BIPA Policies to comply with the law.

Creating a BIPA Privacy Policy separate from your general Privacy Policy, one that includes a retention schedule, states what biometric information is collected, and explains how individuals consent to the collection, is extremely important going forward. If these updates are not made, your company may face legal issues.