Illinois BIPA Decision Coming Soon

November 30, 2018

There have been many news stories about the Illinois Biometric Information Privacy Act (or “BIPA”) this past year. The core intention of Illinois legislators in creating BIPA was noble: to protect Illinois residents from having their biometric data collected in an unlawful (and unmanaged) manner. Click here to view a copy of BIPA. Otherwise, a paraphrased version of BIPA follows:

Written Policy. Private companies must develop a written policy which details the retention policy and destruction guidelines for the biometric information they are collecting, and the reason the data is being collected. This policy must be made available to the public.

Collection and Storage Consent. No private company is allowed to capture, collect, store, purchase, sell, or otherwise obtain a person’s biometric information unless: (a) it informs the individual in writing that their biometric information is being collected or stored, (b) it informs the individual about the specific purpose and length of term their biometric information is being collected, stored, and used, and (c) it receives a written release from the user.

No Profit Allowed. No private entity in possession of biometric information can sell, lease, trade, or otherwise profit from an individual’s biometric information.

Disclosure Consent. No private entity may disclose, redisclose, or otherwise disseminate an individual’s biometric information unless: (a) they have the person’s prior authorized consent, (b) the disclosure completes a financial transaction requested by the user, (c) the disclosure is required by state or federal law or municipal ordinance, or (d) the disclosure is required to support a valid warrant or subpoena.

Data Protection. The private company in possession of biometric information will: (a) use the same reasonable care to capture, transmit, and store biometric identifiers that is standard for their industry, and (b) use the same standards that it would use for other private or sensitive information.

Penalties. Any person aggrieved by a violation of this Act shall have the right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.

This last point is the reason BIPA has been in the news. Multiple individuals, and classes of individuals, are claiming that they are “aggrieved” due to the actions of some companies who have violated one or more provisions of BIPA. Illinois courts are now having to deal with many lawsuits related to BIPA – and are fortunately contemplating changes to this piece of legislation to make it clearer, fairer, and more appropriate.

Interestingly, each of the BIPA provisions paraphrased earlier is included in the GDPR. However, the GDPR is more comprehensive, and has language which accounts for many of the practical reasons companies collect personally identifiable information (PII), including biometric data. Hopefully, Illinois legislators can amend BIPA to be more focused and less susceptible to frivolous lawsuits.

As BIPA currently stands, a company can be sued for failing to provide proper notice to end users that their data is being collected, stored for a certain amount of time, and/or used for various purposes. These are considered “technical violations” of the statute. But what happens if a company commits a technical violation, yet has taken all proper measures to lock down the biometric data, has ensured that the biometric data was only used for a purpose that generally benefitted the end user and his or her relationship with the company, and has also ensured that no breach or loss of biometric data has occurred? Can an end user really claim that they are “aggrieved”?

Part of the argument originally put forth by legislators makes some sense on the surface: should a person’s biometric identifiers be stolen or made public somehow, the individual could suffer irreparable harm. If this in fact occurred, then an argument could be made that the individual is aggrieved and is entitled to their day in court. But if no data leak or breach occurred, what actual damage occurred? Shouldn’t the company be allowed to correct their technical violations? Large awards for these scenarios make absolutely no sense.

Legislators in this case also don’t understand how all biometric technologies work. Some biometric technology takes an image at the source and compares it to a stored image elsewhere. Consider fingerprint and facial biometrics. Yes, a good copy of your fingerprint could be re-used by another sensor – and you can’t give a person new fingerprints if they’ve been compromised. A good quality photo of a person can also defeat some facial biometric systems – again, your facial features cannot be changed if compromised. Retinal scans are also image driven. However, it appears this logic has been broadly applied to all biometrics by the Illinois legislators, and this is incorrect.

For example, behavioral biometrics such as gait analysis and keystroke biometrics are not image-driven. The data from these biometrics, if made public, would likely not be an issue. They are often the result of interpretation and extraction routines performed locally and transmitted to a centralized biometric system for comparison to stored (interpreted) features. Voice biometrics works this way too. We collect speech samples (i.e., WAV files) at the source, and these are sent to the system for distillation into a voiceprint. If VBG voiceprints were to be made public, there would be no damage to any of our end-users: people don’t submit voiceprints to voice biometric systems. Besides, VBG uses a proprietary voiceprint format that can only be used by our system.

This doesn’t mean that voice and behavioral biometric vendors should be given license to be reckless with end user data – quite the opposite is true. The point is, end users of several forms of biometric technologies would NOT be aggrieved if their biometric data was made public somehow. For this reason alone, the BIPA statute needs to be revised.

To illustrate the fact that this issue remains clouded, just look at a recent article from Biometric Early indications have Illinois Supreme Court Justices split. Click here to view the article.

And please check back soon, as we will continue to follow this particular issue very closely.

Peter Soufleris

VBG's Founder and CEO

Peter is an avid reader, particularly of high-tech topics. These articles express his opinion only, but he hopes you enjoy them!
