BIPA: The Most Important Biometric Privacy Law in the US?
Regulating Biometrics: Global Approaches and Urgent Questions, ed. Amba Kak (AI Now 2020), 96-103
Northeastern University School of Law Research Paper No. 409-2021
8 Pages. Posted: 5 Jan 2021. Last revised: 13 Jul 2021.
Date Written: October 30, 2020
Abstract
This chapter explores the importance and limits of the Illinois Biometric Information Privacy Act (BIPA). Enacted in 2008, BIPA was designed by lawmakers to provide “safeguards and procedures relating to the retention, collection, disclosure, and destruction of biometric data.” It was the first state law in the US to specifically regulate biometrics.
BIPA’s substantive rules follow a traditional approach to data protection. Private entities must get informed consent before collecting or disseminating a person’s biometric information. They are prohibited from selling, leasing, trading, or otherwise profiting from a person’s biometric information. Companies must also follow specific retention and destruction guidelines. Finally, the statute binds private entities to a high standard of care in transmitting, storing, and protecting biometric information.
BIPA has a number of virtues. Thanks to BIPA’s private cause of action, it has become the key for holding companies that use biometric systems accountable. But notwithstanding BIPA’s remarkable effectiveness, it is probably not the best model for America’s biometric privacy identity. A private cause of action is necessary, but not sufficient, to respond to the risk of biometrics. BIPA is too rooted in a myopic and atomistic “notice and choice” approach to privacy. It is a guide for lawmakers not just because of what it provides but also because of what it lacks.
Keywords: privacy, data, surveillance, biometrics, data protection, technology, internet