Study Guide: Certified Information Privacy Professional (CIPP): US - Biometric Privacy Laws, Illinois BIPA, Texas CUBI
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-us-biometric-privacy-laws-illinois-bipa-texas-cubi

Certified Information Privacy Professional (CIPP): US - Biometric Privacy Laws, Illinois BIPA, Texas CUBI

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


CIPP/US – Biometric Privacy Laws (Illinois BIPA & Texas CUBI)


What This Is

Biometric privacy laws protect uniquely identifying physiological or behavioral characteristics—fingerprints, facial scans, voiceprints, iris patterns, etc.—that can be used to track an individual. In the U.S. the two most influential statutes are Illinois’ Biometric Information Privacy Act (BIPA) and Texas’ Capture or Use of Biometric Identifier (CUBI) Act. They impose strict notice, consent, data-security, and retention rules on any entity that collects, stores, or shares biometric data.

Real-world scenario: A national retailer rolls out a “scan-your-face” checkout lane in Chicago stores and a “fingerprint clock-in” system for its Texas warehouse employees. Both programs trigger BIPA and CUBI compliance obligations—notice to employees, written consent, secure storage, and a clear retention schedule—otherwise the company faces per-record statutory damages that can quickly reach millions of dollars.


Key Terms & Provisions

  • Biometric Identifier / Information (BII): Any data derived from a person’s physiological or behavioral characteristics (e.g., fingerprint, facial geometry, voiceprint). Both BIPA (IL) and CUBI (TX) treat these as protected data.
  • Written Informed Consent (BIPA §15(b)): The subject must sign a clear statement authorizing the collection, use, and storage of their BII. Consent must be specific, not bundled with other agreements.
  • Notice of Purpose (BIPA §15(a)): Prior to collection, a private entity must disclose the purpose and length of time the BII will be stored. Failure to give this notice is a standalone violation.
  • Retention & Destruction Schedule (BIPA §15(d)): Entities must establish a publicly available policy for how long BII is kept and when it is destroyed. The schedule must be reasonable and adhered to.
  • Reasonable Security Measures (BIPA §15(e) / CUBI §21): Technical, administrative, and physical safeguards must protect BII from unauthorized access, disclosure, or alteration. Encryption at rest and in transit is considered reasonable.
  • Statutory Damages (BIPA §20; CUBI §21(b)): Each negligent violation can trigger $1,000 per violation (or $5,000 per intentional/reckless violation under BIPA) and $2,000 per violation under CUBI. Damages are assessed per record—not per person—so a single fingerprint scan can generate a claim.
  • Private Right of Action (BIPA & CUBI): Individuals may sue directly; there is no need for a government agency to bring enforcement. Class actions are common.
  • Capture vs. Use Distinction (CUBI): “Capture” means acquiring the biometric identifier; “use” means processing it for any purpose (verification, authentication, analytics). Both are prohibited without consent.
  • Exemptions – Employment (BIPA §20-5): BIPA does not exempt employers; however, the Illinois Supreme Court has held that the employee-employer relationship does not automatically create a “business associate” relationship under HIPAA, so BIPA applies fully. Texas CUBI also applies to employees.
  • Data Subject Access Request (DSAR) (BIPA §15(c)): Individuals can request a copy of their BII and any related disclosures. While not a standalone right in BIPA, courts treat it as an implied obligation.

Step-by-Step / Process Flow

  1. Identify the Biometric Capture Point – Catalog every system (time-clock, access control, mobile app, kiosk) that collects BII.
  2. Perform a Biometric Impact Assessment – Verify notice, consent, retention, and security controls against BIPA/CUBI requirements.
  3. Draft & Publish Required Notices – Provide clear, stand-alone disclosures (purpose, retention period, third-party sharing) at the point of collection.
  4. Obtain Written Informed Consent – Use a separate signature line (or electronic equivalent) that the individual can review before scanning. Store the consent form securely.
  5. Implement Security Safeguards – Encrypt BII at rest, restrict access to a need-to-know list, and log all read/write events.
  6. Maintain a Retention & Destruction Policy – Define a reasonable timeline (e.g., 2 years after employment termination) and securely delete BII when the period expires. Document each deletion.
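As an added example (it is not from this guide and is not a reference implementation of either statute), the following stdlib-only Python model shows how steps 4 to 6 of the process flow translate into enforceable controls: capture is refused unless a stand-alone written consent exists, reads are limited to a need-to-know list, every read/write/delete attempt is written to an audit log, and templates are destroyed and the deletion documented once the retention period after the trigger event (here, employment termination) has run out. The class names, the 365-day retention period and the two employee ids are constructed for illustration; encryption at rest is assumed to happen before the template bytes reach the store, since the Python standard library offers no AES.

```python
"""Added example (not from the Fatskills guide or any statute): an in-memory model
of the consent, access-control, audit-logging and retention controls that a
BIPA/CUBI biometric program must enforce. All names, periods and sample records
are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Consent:
    """A written consent record (BIPA §15(b) style): who signed, for what purpose,
    and how long the template may be kept after the trigger event."""
    subject_id: str
    purpose: str
    retention: timedelta
    signed_at: datetime
    stand_alone: bool  # False when bundled into a general employment agreement


@dataclass
class Record:
    template: bytes                        # assumed already encrypted at rest
    consent: Consent
    collected_at: datetime
    trigger_at: Optional[datetime] = None  # e.g. employment termination date


class BiometricStore:
    """Refuses capture without valid stand-alone consent, restricts reads to a
    need-to-know list, logs every access attempt, and destroys expired templates."""

    def __init__(self, need_to_know: List[str]) -> None:
        self._records: Dict[str, Record] = {}
        self._need_to_know = set(need_to_know)
        self.audit_log: List[str] = []

    def _log(self, actor: str, action: str, subject_id: str, ok: bool) -> None:
        self.audit_log.append(f"{actor} {action} {subject_id} {'OK' if ok else 'DENIED'}")

    def collect(self, actor: str, subject_id: str, template: bytes,
                consent: Optional[Consent], now: datetime) -> bool:
        """Step 4: no consent, bundled consent, or consent for someone else means no capture."""
        valid = (consent is not None and consent.subject_id == subject_id
                 and consent.stand_alone and consent.signed_at <= now)
        self._log(actor, "WRITE", subject_id, valid)
        if not valid:
            return False
        self._records[subject_id] = Record(template, consent, now)
        return True

    def read(self, actor: str, subject_id: str) -> Optional[bytes]:
        """Step 5: only actors on the need-to-know list get the template; all attempts are logged."""
        allowed = actor in self._need_to_know and subject_id in self._records
        self._log(actor, "READ", subject_id, allowed)
        return self._records[subject_id].template if allowed else None

    def record_trigger(self, subject_id: str, when: datetime) -> None:
        """Start the retention clock for a subject (e.g. employment ended)."""
        if subject_id in self._records:
            self._records[subject_id].trigger_at = when

    def purge_expired(self, actor: str, now: datetime) -> List[str]:
        """Step 6: destroy templates whose retention period has elapsed and
        document each deletion in the audit log. Returns the purged subject ids."""
        expired = [sid for sid, r in self._records.items()
                   if r.trigger_at is not None and now >= r.trigger_at + r.consent.retention]
        for sid in expired:
            del self._records[sid]
            self._log(actor, "DELETE", sid, True)
        return expired

    def holds(self, subject_id: str) -> bool:
        return subject_id in self._records


def demo() -> dict:
    """Walk two constructed employees through the lifecycle and return the outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = BiometricStore(need_to_know=["timeclock-svc"])
    good = Consent("emp-001", "time-clock authentication", timedelta(days=365), t0, stand_alone=True)
    bundled = Consent("emp-002", "time-clock authentication", timedelta(days=365), t0, stand_alone=False)
    with_consent = store.collect("kiosk-7", "emp-001", b"<encrypted template 1>", good, t0)
    with_bundled = store.collect("kiosk-7", "emp-002", b"<encrypted template 2>", bundled, t0)
    read_by_hr = store.read("hr-portal", "emp-001")            # not on the need-to-know list
    read_by_timeclock = store.read("timeclock-svc", "emp-001")
    store.record_trigger("emp-001", t0 + timedelta(days=30))   # employment ends after 30 days
    purged_early = store.purge_expired("retention-job", t0 + timedelta(days=100))
    purged_late = store.purge_expired("retention-job", t0 + timedelta(days=400))
    return {
        "collected_with_consent": with_consent,
        "collected_bundled": with_bundled,
        "read_by_hr": read_by_hr,
        "read_by_timeclock": read_by_timeclock,
        "purged_early": purged_early,
        "purged_late": purged_late,
        "log_entries": len(store.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

The audit log is the artifact an auditor or plaintiff's counsel will ask for: it shows the denied capture of the bundled-consent employee, the denied read by an actor outside the need-to-know list, and the dated deletion once the retention period expired.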

Common Mistakes

  • Mistake: Bundling biometric consent with a general employment agreement.
    Correction: Consent must be a stand-alone, written acknowledgment that the employee can review independently.

  • Mistake: Assuming “one-time” collection means one-time liability.
    Correction: Each subsequent use, disclosure, or storage of the BII is a separate violation; treat the entire lifecycle as a series of compliance checkpoints.

  • Mistake: Relying on “reasonable security” without documented encryption.
    Correction: Adopt industry-standard encryption (AES-256) and retain logs; courts have deemed unencrypted storage unreasonable under both statutes.

  • Mistake: Believing that a federal law (e.g., HIPAA) preempts state biometric statutes.
    Correction: BIPA and CUBI are state-level statutes that operate independently of HIPAA; compliance with HIPAA does not excuse BIPA/CUBI violations.

  • Mistake: Thinking that a “minor” violation (e.g., a single fingerprint scan) is de minimis.
    Correction: Statutory damages are per-record; even one scan can generate $1,000–$5,000 (IL) or $2,000 (TX) in liability.


CIPP Exam Insights

  1. Scope vs. Exemption: Exams love to ask whether BIPA applies to employees. Remember: Yes – there is no employee exemption (unlike some state privacy statutes).
  2. Statutory Damage Calculation: Be ready to compute damages: Illinois – $1,000 negligent, $5,000 intentional per violation; Texas – $2,000 per violation.
  3. Notice Requirement Nuance: BIPA’s §15(a) requires purpose and duration notice before collection. CUBI mirrors this but does not require a retention schedule; however, a policy is still advisable.
  4. Consent Form Content: Both statutes demand written consent; oral or click-through consent is insufficient.

Quick Check Questions

  1. Question: A Chicago-based retailer installs a facial-recognition camera at its entrance and posts a sign that says “We use facial recognition for security.” No consent form is provided. Which BIPA provision is violated?
    Answer: Notice of Purpose (§15(a)) and Written Informed Consent (§15(b)).
    Explanation: The sign satisfies the “notice” element but does not provide the required written, specific consent before capturing the biometric data.

  2. Question: A Texas logistics firm captures employees’ fingerprints for time-clock purposes and stores the raw images on an unencrypted shared drive for three years after termination. Which CUBI violation(s) exist?
    Answer: Capture without consent (§21(a)), Failure to implement reasonable security (§21(b)), and Improper retention (no policy).
    Explanation: The firm lacks written consent, stores data insecurely, and retains it beyond a reasonable period without a documented policy.

  3. Question: An Illinois hospital shares patients’ iris scans with a third-party analytics vendor under a Business Associate Agreement (BAA). The vendor later experiences a breach. Can the hospital claim a BIPA defense because the vendor is a “business associate”?
    Answer: No.
    Explanation: BIPA imposes direct liability on the entity that collects the BII; a BAA does not shield the hospital from BIPA claims.


Last-Minute Cram Sheet

  1. Illinois BIPA – §15(a): Must give purpose and retention period notice before biometric collection.
  2. Illinois BIPA – §15(b): Requires written (not electronic click-through) informed consent for each collection.
  3. Illinois BIPA – §20: $1,000 per negligent violation; $5,000 per intentional/reckless violation (per record).
  4. Texas CUBI – §21(a): Prohibits capture of a biometric identifier without written consent.
  5. Texas CUBI – §21(b): $2,000 statutory damages per violation (per record).
  6. Retention Rule: BIPA §15(d) – publish a public policy; CUBI has no explicit retention provision but courts expect a reasonable policy.
  7. Security Standard: Encryption at rest & in transit is considered reasonable under both statutes; lack of encryption = automatic violation.
  8. Private Right of Action: Both statutes allow individual and class-action suits; no need for regulator involvement.
  9. Exam Trap: BIPA does not exempt employees; many test-takers mistakenly think the employment exception applies.
  10. Exam Trap: A “one-time scan” is not a “one-time violation.” Statutory damages accrue per record, so a single scan can generate the full per-record penalty.

Use this guide to audit any biometric program, draft compliant policies, and ace the exam.