An Illinois court has denied a defendant's motion to dismiss a case concerning potential BIPA violations. A number of individuals have brought a case against a blood bank over the collection of biometric data, in this case fingerprints, without the required disclosures or consent. The Biometric Information Privacy Act (BIPA) is an Illinois state law that regulates the collection, use and handling of biometric identifiers and biometric information by private entities.
Biometric Information Privacy Act (BIPA)
BIPA imposes a number of obligations on covered entities. The ones that matter for this case are:
- They must have a written policy, made available to the public, which establishes a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information
- Entities must comply with that policy; they must retain and destroy biometric information in accordance with the law; the policy must be published to the general public and not just to the people whose biometric data is collected
- It is unlawful to collect, capture, purchase, receive through trade, or otherwise obtain an individual's biometric data without informing the subject in writing that the information is being collected and stored, and of the purpose and length of time for which the data is collected, stored and used, or without receiving a written release from the subject of the information.
This blood bank was using finger scanners to track donors without providing a publicly available policy, making the required disclosures or obtaining written releases. It is also alleged that the company did not destroy the plaintiffs' data once the initial purpose had been satisfied. The plaintiffs argue that, as a result, they have been exposed to serious and irreversible privacy risks, and that they have not been given information to which they are entitled.
FDA v. BIPA
The blood bank argued that there is a conflict between BIPA and Food and Drug Administration (FDA) regulations. Federal regulations require entities engaged in plasmapheresis to establish a donor identification system that positively identifies each donor and links the donor to their blood and its components as well as any other accumulated data. Those collecting blood components are also required to maintain records for at least 10 years.
Since one of these laws requires data to be kept for 10 years and the other requires it to be destroyed within 3 years, this creates a conflict. The defendant argued that the conflict must be resolved in favour of the federal FDA regulations.
The court established that the company is able to comply with both laws. While the FDA regulations permit the use of biometric data to identify donors, they do not require it. By using photographic identification, such as drivers' licences, organisations can still readily link donations to donors and records while complying with both laws.
The defendant also argued that three of the plaintiffs had signed written waivers before their biometric data was taken and therefore had no claim. This argument was rejected because the waivers did not contain the information required under BIPA. In addition to obtaining written releases, the company needed to have informed the plaintiffs in writing:
- That a biometric identifier or biometric information was being collected or stored
- The purpose and length of time the information would be collected, stored and used.
The required disclosures were nowhere in the Consent Agreements the plaintiffs had signed.
Finally, the defendant argued that BIPA does not apply to it at all. While a fingerprint is a biometric identifier under BIPA, biometric data does not include:
- Information captured from a patient in a health care setting
- Information collected, used, or stored for health care treatment, payment or operations
- An X-ray
- Roentgen process
- Computed tomography
- PET scan
- Mammography or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition.
However, because the fingerprints were not collected for health care treatment, payment or operations under HIPAA, the court found that this exclusion does not apply to the case.
Should the company be found to have violated BIPA, it could face a fine of up to £5,000 per violation. See more about BIPA.