I have questions about companies’ use of biometric data. You should, too.

But companies say move along, nothing to see here.

Ellen Beth Gill


In my state of Illinois, we have a law regulating companies’ collection of biometric identifiers. California, Texas, New York, and Washington also passed biometric privacy laws. I’m going to talk about Illinois’ law as it’s considered one of the toughest, and it’s not all that tough.

The Illinois Law

In Illinois, private companies cannot use biometric data without informed consent in writing. The Illinois law, casually called BIPA, contains a private right of action. That means individuals can sue under the law.

Under BIPA, biometric identifiers (BI) include retina or iris scans, fingerprints, voice prints, hand or facial scans, facial geometry, writing samples, photographs, tattoo descriptions, DNA, and other unique biological information, including old-fashioned descriptions of height, weight, hair color, and eye color. 740 ILCS 14/10.

Phone numbers and email addresses can be changed, but for the mostpart, BI is forever.

To comply with BIPA, companies in possession of BI must:

  • develop written BI collection, retention, and destruction policies and make those policies available to the public,
  • establish and comply with a retention schedule and destruction guidelines based on the specific purpose of collection, absent a valid…