Passed in 2008, the Illinois Biometric Information Privacy Act (BIPA) “regulates the collection, use, safeguarding and storage of biometrics,” as state government officials became increasingly aware of the risk associated with forfeiting unique biological information to private companies. Because of this law, many private companies are shaping their approach to biometric data collection and privacy rights with Illinois’ nascent legislation in mind.

Origin of the BIPA

The biometric privacy response was sparked in the Midwestern state when national corporations piloted biometric-facilitated transactions in 2007. One of the companies, a California-based grocer who designed a fingerprint scanner for customers, revealed a plan to liquidate their fingerprint database during their bankruptcy court hearings. Illinois state representatives found that there was no way to re-issue biological data like a social security number—they concluded that they must legally safeguard this information to prevent biometric identity theft.

BIPA is the state’s way of giving ownership of biometric data to individual constituents. Firms operating in Illinois need to inform all subjects of their collection and use of biometric information and would need a written release by the subject in order to collect and use their unique biometric data.

BIPA’s Mixed Impact on Companies

Blue Line Technology LLC, a Missouri-based company, for instance, operates just miles away from the Illinois-Missouri border in Motomarts. Blue Line’s chief product is facial recognition software that alerts enterprises when threatening individuals enter their facility. They currently offer their “surveillance lock-out device” to about 50 convenience stores and gas stations in 12 states, enabling the store to collect facial data to identify a customer prior to their entry. Motomart’s adoption of Blue Line came in 2017 after a 25-year old store clerk was fatally shot by a masked robber and since, Motomarts in the region have seen reductions in crime and minimal robberies.

These Motomarts are the first stores in the country to install and use the Blue Line security system—just a few miles away in Illinois, however, Blue Line’s biometric software would be illegal unless each customer were to sign the proper documents upon entry. This is a standard that would prohibit Blue Line from operating in Illinois or any other state that follows in their footsteps. 

Critics of the law point to instances like Blue Line as a means to oppose its legitimacy. 

“Illinois state law has been weaponized,” says Jack Lavin, CEO and President of the Chicagoland Chamber of Commerce. “It’s created a cottage industry for suing companies.”

Supporters, though, stand their ground. 

“We aren’t trying to ban technology,” says Ed Yohnka, a spokesperson for The Illinois chapter of the American Civil Liberties Union. “We want to put protections in place to control, manage, inform and obtain consent.” They believe the rate of biometric data collection by private companies has outrun that of privacy legislation, pointing to the 750 lawsuits that have been filed in Illinois since 2015 finding widespread evidence of private companies, without disclosure or consent, collecting citizens’ biometric data. 

A Nationwide Inspiration

Texas and Washington state legislators have been working to develop and enforce biometric privacy laws. Cities have even followed suit—as of July 9th, 2021 New York City requires a clear sign at all commercial establishments to disclose that they collect or use biometric data. The city has further made it unlawful to sell or lease biometric data. 

New York State and Maryland have likewise proposed bills, A27 and SB16 respectively, both bearing strong resemblance to BIPA’s central tenets. 

ABOUT THE WRITER

Gunnar is a Tech Innovation Fellow at Identity Review from the University of Chicago. He has worked with numerous Silicon Valley Venture Capital firms and is interested in defense technologies & contracting.

Contact Gunnar at gunnar@identityreview.com.

Do you have information to share with Identity Review? Email us at press@identityreview.com.