For those who don’t know, biometric information is the technical term for body measurements and calculations. It refers to metrics related to human characteristics, including but not limited to recognition of iris, speech, fingerprint, signature, retinal scale, keystroke, facial, and more.
As a result, the Biometric Information Privacy Act (BIPA) was passed by the Illinois General Assembly back in 2008. Codified as 740 ILCS/14 and Public Act 095-994, the BIPA guards against the unlawful collection and storing of biometric information. When Illinois passed the law in 2008, it became the first state to regulate the collection of biometric information. Washington and Texas have since passed similar laws.
Below is a small portion of the summary of the BIPA from Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates, along with their Compliance Practice Pointers, which encompass the best practices for handling biometric information.
Businesses can reduce long-term compliance costs by taking the following considerations into account:
Duration – At most, an entity can retain information for the lesser of: (i) fulfillment of the purpose or (ii) three years after last contact with the data subject, whichever comes first. Thus, a narrow purpose may limit an entity’s ability to retain useful biometric information for the needed duration.
Scope – If the scope of the purpose is too narrow at the outset for a later use, the business must obtain additional consent prior to undertaking that use, resulting in unnecessary delay and expense.
Transferability – Unless disclosure is required by law, covered entities are prohibited from sharing biometric information with a third party without the individual’s prior consent, including with vendors and service providers.
To learn more about the BIPA, you can visit ilga.gov or the link below for more information on the act.