Modern technologies found in sensors, software, and readers make it increasingly possible to use fingerprints, facial recognition, retinal or iris scans, voiceprint reading, gait analysis, or keystroke analysis to identify a person.

In response to these technologies, some state legislatures (Arkansas, California, Illinois, New York, Texas, Washington) have enacted biometric information privacy laws that govern the collection and use of this data.

For example, in Illinois, the Biometric Information Privacy Act (BIPA) provides a set of rules for companies collecting biometric data—and unlike the biometric data privacy statutes in Texas and Washington, it creates a private cause of action, allowing Illinois residents whose biometric data is improperly collected or used to file a lawsuit for the violation of the statute.

There are essentially five key features of the Illinois law known as BIPA:

• it requires informed consent prior to collection;

• it prohibits any profiting from biometric data;

• it allows only a limited right to disclose the data;

• it sets forth both protection obligations and data retention guidelines for businesses; and

• it creates a private cause of action for those harmed by BIPA violations.

In Illinois, the Biometric Information Privacy Act (BIPA) regulates the collection, use, and handling of biometric identifiers such as fingerprints, facial recognition, and iris scans. BIPA mandates that entities must obtain informed consent before collecting or storing an individual's biometric data. It strictly prohibits the sale or profiting from this data and limits the circumstances under which it can be disclosed. Companies are also required to follow specific data protection and retention guidelines to ensure the security and privacy of biometric information. Significantly, BIPA provides individuals with the right to sue and seek damages if their biometric data is mishandled or used in violation of the law, making it one of the strongest biometric privacy laws in the United States.