Private entities that collect or otherwise possess biometric information or biometric identifiers are now subject to certain restrictions regarding that information and must develop and make available to the public a written policy regarding the entities’ retention and destruction of such information, pursuant to a recently enacted Illinois law (see 740 ILCS 14).
The Illinois law, effective October 3, 2008, defines “biometric information” as “any information, regardless of how it is captured, converted, stored or shared, based on an individual’s biometric identifier used to identify an individual.” A “biometric identifier” is defined as “a retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry.” The definition of biometric identifier does not include photographs, written signatures, biological samples, demographic data, physical descriptions or similar items.
Pursuant to the new Illinois law, private entities must establish a retention schedule and guidelines for the destruction of any biometric identifiers and biometric information in their possession. The identifiers and information must be destroyed when the initial purpose for their collection has been satisfied or three years after the individual’s last interaction with the entity, whichever occurs first.
The Illinois law further requires that entities inform each individual from whom biometric identifiers or information are being collected of the purpose for collecting the information and the length of time that the information will be retained. Entities must obtain a written release from each such individual and may not sell, lease, trade or otherwise profit from an individual’s biometric identifiers or information. In addition, entities may not disclose or disseminate the biometric identifiers or information without the applicable individual’s consent, unless the disclosure completes a financial transaction requested or authorized by the individual or the disclosure is required by law or pursuant to a valid warrant or subpoena.
Finally, while in possession of biometric information, each entity must use reasonable care to store, transmit and protect the information from disclosure in the same, or a more protective, manner than the manner in which it would store, transmit and protect other confidential information.
Similar laws regulating the collection and retention of biometric information by private entities are in effect in Texas and Virginia. However, Illinois is the only state that requires entities to develop, maintain and make available a written policy regarding retention and disclosure of biometric data. The Texas law, enacted in 2001, requires the applicable individual’s consent to capture or disclose biometric information, but the law does not mandate retention limitations (see Tex. Bus. & Com. Code § 35.50). The Virginia law, enacted in 1999, requires destruction or return of fingerprints within 21 days after the relevant transaction’s completion, but the Virginia law does not apply to other forms of biometric information (e.g., retina scans or voiceprints) and does not otherwise restrict the capturing or disclosure of biometric information (see Va. Code § 59.1-478).
Several other states, including New Jersey, California and Missouri, have considered, but to date have failed to pass, legislation regulating the collection of biometric information by private entities. However, the newly enacted Illinois law may foreshadow a new wave of biometric legislation. Entities that possess or plan to collect biometric identifiers or information of individuals should therefore keep abreast of existing and upcoming laws in all applicable states regarding the collection, retention and destruction of such information.