Beware of Biometrics: Comply with Illinois Biometric Privacy Law – Food, Drugs, Healthcare, Life Sciences


United States: Beware of Biometrics: Comply with Illinois Biometric Privacy Law

To print this article, simply register or connect to

Biometrics is a human physical or behavioral characteristic that can be used to digitally identify a person in order to authorize access to systems, devices or data. Fingerprints, facial geometry scans, and voice prints are examples of biometric identifiers, as each is considered unique to the individual. Unlike a social security number, a person’s biometric data generally cannot be changed.

States have started enacting laws specifically addressing the collection and retention of biometric data, and more states are expected to follow suit in the years to come. By far the most important of these laws is the Illinois Biometric Information Privacy Act (BIPA), which has been the subject of hundreds of class actions in recent years alone. While none of these class actions have yet gone to trial, there have been a few important settlements of noteworthy cases.

A boom in biometrics

The use of biometrics in the business world has become widespread and the types of use are constantly evolving. With new technological developments – and the technology itself becoming more readily available – industries of all sizes and types are using biometrics for many different purposes.

For example, fingerprint readers and facial geometry scanners are increasingly used in healthcare facilities. With the touch of a finger or a facial scan, biometric tools can identify and authenticate patients and employees by detecting unique biological information. They often improve the accuracy of record keeping and protect the physical safety of medications, thereby reducing errors.

These technologies, aimed at increasing security and, to a lesser extent, convenience, raise concerns and risks for data privacy and cybersecurity. As effective, practical or efficient as these technologies may be, companies need to think carefully about their adoption and implementation.

Key components of BIPA

The BIPA requires that private entities that obtain biometric information or identifiers first inform the subject in writing that their information is being collected and stored, inform the subject of the specific purpose and the duration of the collection and storage, and obtain written permission from the subject. The BIPA also prohibits the disclosure of biometric information without the subject’s consent.

Private entities also cannot sell, rent, trade or profit from a person’s biometric information. In addition, BIPA requires a private entity in possession of biometric identifiers and information to develop a publicly available written policy setting out a retention schedule and providing guidelines for the permanent destruction of the information. Anyone harmed by a BIPA violation can sue for statutory damages of $ 1,000 for each negligent violation or $ 5,000 for each intentional or reckless violation, plus reasonable attorney fees and costs. To establish standing, actual prejudice is not required and simple procedural violations suffice.

Similar statuses in Texas and Washington

Texas and Washington have also passed laws governing the biometric data of their residents. While no law provides for a private right of action (rather than leaving execution to the state attorney general), the laws of both states impose certain notification and consent requirements, as well as retention limits. biometric data.

Many other states continue to consider legislation similar to the laws of Illinois, Washington, and Texas. There is not yet a single comprehensive federal law governing biometrics, despite some industry-specific laws incorporating biometric protections in limited ways.

Considerations for Businesses Using Biometrics

Businesses that manage biometric data, especially but not only biometric data belonging to residents of Illinois, Texas, or Washington, should be aware of the many requirements imposed by BIPA and other state laws.

Businesses should consider complying with BIPA and similar national regulations, even if they are not necessarily subject to laws, in order to mitigate the risk associated with the uncertainty of the scope and application of laws, d ‘Help deter costly litigation and provide some insurance against biometrics laws.

This article is provided as a general information service and should not be construed as providing legal advice on any specific matter.

POPULAR ARTICLES ON: Food, Medicines, Health Care, Life Sciences of the United States

Food & Beverage Digest – October 2021

Alston & Bird

A California complainant made “guac” claims about a 100% avocado oil product: it actually only contains 10% avocado oil and 90% canola oil.


Comments are closed.