Learning Center May 22, 2025

How Does BIPA Compliance Work and What Are the Risks of Falling Short on Biometric Privacy Laws?

Why BIPA Compliance Matters More Than Ever

Biometric data is everywhere, from facial recognition systems and voice assistants to remote authentication tools. But as adoption grows, so does risk.

The Biometric Information Privacy Act (BIPA), enacted in Illinois in 2008, is the most aggressive biometric privacy law in the United States. As BIPA case law evolves, security teams must understand their legal obligations and exposure.

What Is BIPA and Who Must Comply?

BIPA regulates how organizations collect, store, and share individuals’ sensitive biometric data. Illinois was the first state to enact a biometric-related privacy law when it passed BIPA in 2008.

BIPA Compliance Requirements

BIPA bars companies from collecting biometric data from Illinoisans unless they inform the individual that the data is being collected, obtain the individual’s written consent, and disclose the purpose of collection and how long the information will be retained. It also requires companies to develop and publish a data retention and deletion policy and to take reasonable measures to keep biometric data confidential.

The legislation also prevents companies from selling or profiting from consumers’ biometric information.

Biometric data includes:

  • Fingerprints
  • DNA
  • Iris or retina scans
  • Voiceprints
  • Hand scans
  • Facial geometry

BIPA enables individuals to sue for $1,000 per negligent violation and $5,000 per reckless or intentional violation.

Third-Party Risk and Liability

Biometric data is frequently created, retained, or managed by several different organizations, which has raised questions in recent years about which entities are liable for BIPA violations. Third-party processors can be held liable for BIPA violations, but this is not always the case and appears to be an evolving area of the law, according to a WilmerHale analysis of court cases.

Security Best Practices for Biometric Data

While not an exhaustive list, security teams should consider implementing strict cybersecurity protocols, access controls, and data governance policies whenever biometric data is involved, such as:

  1. Encrypt biometric information: Biometric data is permanent and must be kept confidential. Encrypt at rest and in transit.
  2. Restrict access using Zero Trust: Treat systems handling biometric data as high risk. Use role-based access and multi-factor authentication.
  3. Segment network environments: Isolate systems that collect, store, or process biometric data to reduce lateral movement risk in case of an intrusion.
  4. Log and monitor every access attempt: Maintain audit trails for access, modification, and deletion of biometric records.
  5. Include biometric data in breach response plans: Prepare for scenarios involving voice, fingerprint, or facial data exposures.
  6. Enforce data deletion and retention: Create and enforce your data retention and deletion policy.
  7. Conduct vendor due diligence: Ensure third-party service providers handling biometric data meet BIPA compliance requirements. Include data protection clauses in contracts.
  8. Assess and train: Conduct risk assessments and train employees on proper biometric data handling.
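As an added illustration (not code from the original article or from SecurityScorecard), the following Python sketch shows how the consent, purpose and retention elements described above, together with the audit-trail practice in item 4 and the retention enforcement in item 6, can be enforced at the point where a biometric template is stored. All class names, fields and sample values are constructed assumptions, not a reference to any real product.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Consent:
    subject_id: str
    purpose: str            # stated purpose of collection (disclosed to the subject)
    informed: bool          # subject was told the data is being collected
    written_consent: bool   # written release obtained from the subject
    granted_at: datetime
    retention_days: int     # disclosed retention period

@dataclass
class BiometricRecord:
    subject_id: str
    kind: str               # e.g. "facial_geometry", "voiceprint"
    template_ref: str       # handle to the encrypted template, never the raw template
    consent: Consent

class BiometricStore:
    """Consent-gated store with an audit trail for every store/delete action."""
    def __init__(self):
        self.records = {}
        self.audit_log = []   # (action, subject_id, outcome) tuples

    def _audit(self, action, subject_id, outcome):
        self.audit_log.append((action, subject_id, outcome))

    def ingest(self, rec: BiometricRecord) -> bool:
        """Refuse to store a template unless notice, written consent,
        a stated purpose and a finite retention period are all present."""
        c = rec.consent
        ok = c.informed and c.written_consent and bool(c.purpose) and c.retention_days > 0
        if not ok:
            self._audit("ingest", rec.subject_id, "rejected: consent incomplete")
            return False
        self.records[rec.subject_id] = rec
        self._audit("ingest", rec.subject_id, "stored")
        return True

    def purge_expired(self, now: datetime) -> int:
        """Delete every record whose disclosed retention period has elapsed."""
        expired = [s for s, r in self.records.items()
                   if r.consent.granted_at + timedelta(days=r.consent.retention_days) <= now]
        for s in expired:
            del self.records[s]
            self._audit("delete", s, "retention expired")
        return len(expired)
```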

Elevate Your Cybersecurity Strategy with MAX
Leverage SecurityScorecard’s MAX to gain unparalleled visibility into your nth party ecosystem. Our managed service not only identifies vulnerabilities but also provides remediation support, ensuring your supply chain remains secure and compliant.
