The Illinois Biometric Information Privacy Act (IBIPA) has been grabbing headlines of late as class action lawsuits under IBIPA’s private right of action are piling up, but an Illinois state appeals court recently held that a plaintiff “must allege some actual harm,” potentially stemming the flood of litigation.
Noting that biometric identifiers are biologically unique and permanent (unlike, for example, passwords) and thus irreparably problematic if compromised, IBIPA regulates the collection, retention, disclosure, and destruction of biometric identifiers and biometric information.
Under the statute, “biometric identifiers” are retina or iris scans, fingerprints, voiceprints, and hand or face geometry scans. Some exceptions, such as writing samples, written signatures, and physical descriptions, are specifically listed. The second category of regulated data, “biometric information,” broadly includes any information “based on an individual’s biometric identifier used to identify an individual.” Companies, therefore, can’t evade the purview of the law by converting a biometric identifier into a new identifier—say, a unique number.