Illinois, Texas, New York, Vermont, and Washington have laws regulating the collection, storage, and disclosure of biometric identifiers, such as face scans, fingerprints, or voiceprints.  Of the state statutes, the Illinois Biometric Information Privacy Act (BIPA) is arguably the most detailed and burdensome.  The Illinois Supreme Court has held that plaintiffs can recover under BIPA based on a violation of the statute, without showing additional actual harm. Among other things, the law requires that companies:

  • Establish Retention Schedules.  Retention schedule and guidelines for permanently destructing biometric identifiers when the initial purpose for collection has been satisfied, or within three years of the individual’s last interaction with the company, whichever comes first.
  • Provide Notice.  Written notice must inform that: (i) a biometric identifier is being collected, (ii) the purpose of the collection, and (iii) the length of time for which it will be used and stored.
  • Obtain Consent.  Obtain written consent from individuals or their legally authorized representative prior to collecting biometric identifiers.
  • Do Not Sell.  Refrain from selling or otherwise profiting from a customer’s biometric identifiers.
  • Do Not Disclose.  Refrain from disclosing an individual’s biometric identifiers without the individual’s consent or as required for legal purposes.
  • Securely Store the Data.  Store, transmit, and protect biometric identifiers using industry-standard security mechanisms, and in a manner that is the same or more protective than how the company handles other confidential and sensitive information.
  • Timely Destroy.  Securely destroy biometric identifiers once the initial purpose of obtaining the information has been satisfied, or within three years of the individual’s last interaction, whichever is sooner.2


1 Rosenbach v. Six Flags Entm’t Corp., No. 123186 (Ill. Jan. 25, 2019).

2 740 Ill. Comp. Stat. 14/15(a)-(d).

More topics in this series