Illinois Court Issues Narrow Exemptions for BIPA

Many consider Illinois' Biometric Information Privacy Act (BIPA) to be the gold standard when it comes to protecting personal data. The Act creates rules for how the data is collected and secured for those that operate in the state. However, recent court cases have started to reveal potential pitfalls concerning exceptions to the Act.

The law, passed in 2008, is extremely comprehensive in its wording. It ensures that individuals are in control of their own biometric data and prohibits private companies from collecting it unless they:

  • Inform the person in writing of what data is being collected or stored. (e.g. fingerprint is stored when using TouchID to log into bank account app on phone)
  • Inform the person in writing of the specific purpose and length of time for which the data will be collected, stored and used. (e.g. fingerprint is stored for ease of logging into app and only for a duration of six months)
  • Obtain the person’s written consent. (e.g. user signs their name before sharing their fingerprint)

Biometric information includes retina or iris scans, fingerprints, voiceprints, hand scans, facial geometry, DNA, and other unique biological information. (1)

However, a recent decision by the Illinois Supreme Court has revealed that exceptions can be found depending on the circumstances. In Mosby v. Ingalls Memorial Hospital, nurses with the hospital sued their employer on two different grounds. First, they alleged that employees had to scan a fingerprint every time they got into the company systems, which was not outlined in their contract. Second, independent of the first, they alleged that they had not given their consent, under BIPA’s guidelines, to the collection of their information, which is protected by HIPAA. Ingalls replied that it didn’t need consent because it interpreted the Act as requiring consent only for patient data and its employees were not exempt.

The district court and appellate courts agreed with the defendants. They interpreted section 10 of BIPA as applying only to patients. Section 10 provides that biometric information does not include “information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under [HIPAA].” (2) The argument is that because patient data is already covered by HIPAA, patients are also protected by BIPA, but healthcare workers are exempt from this protection because they fell under the treatment and operations wording.

The Illinois Supreme Court, however, reversed this to a degree, determining that BIPA applied to everyone in the health care field. The court determined that BIPA excepted from its protections the biometric information of health care workers where that information is collected, used or stored for health care treatment, payment or operations, as HIPAA defines those functions. The court cautioned, however, that in making this conclusion, it was “not construing the language at issue as a broad, categorical exclusion of biometric identifiers taken from health care workers.” Instead, the court explained that the exception only applies to situations where, like in Mosby, biometric information was collected, used, and stored to access medications and medical supplies for patient health care treatment. (3) While the court’s decision applies the exemption to healthcare workers, it still does not explain how BIPA exempts patients. Further litigation may evolve these definitions as they play out.

BIPA was an act ahead of its time when it was passed in 2008. But as the years have passed, the Act continues to evolve through litigation and other legislative interpretations. As long as this Act is in effect, Illinois businesses will be subjected to these rules.