BIPA (Biometric Information Privacy Act) was first introduced by Illinois in 2008. It requires informed consent before biometric data is collected, prohibits companies from profiting from biometric data, permits only a limited right to disclose that data, mandates protection obligations and retention guidelines, and creates a private right of action for any individual harmed by a violation of BIPA.
Albertson’s, which owns the popular Jewel-Osco chain of grocery stores in Chicago, IL, disagrees with this law, so it is taking the state to court. Albertson’s argues that the Illinois Biometric Information Privacy Act should be considered special legislation prohibited by the state’s constitution, because it applies to some companies while improperly leaving others out.
The grocery chain, which is fighting a lawsuit, claims that it shouldn’t have to face litigation for collecting employees’ fingerprints because there is no functional difference between it and the types of businesses excluded from liability under Illinois’ biometric privacy law. BIPA exposes many private employers to huge judgments while exempting government and financial institutions.
One often forgotten requirement under BIPA is data retention. As with other privacy laws, retention limits are mandatory. BIPA states that PII (personally identifiable information) must be deleted within three years, or organizations can face fines of up to $1,000 per violation. Robert Fowler, Director of Strategic Partnerships at Exterro, states that “BIPA is just another example of why it’s critical for organizations to know the kind of personal data they are collecting and ensure document retention requirements are enforced around it. In order to meet the requirements of BIPA, conducting a data inventory isn’t a nice-to-have anymore—it’s a necessity.”
Personal data you don’t have cannot be breached. A clear way to mitigate a lot of organizational risk is to get rid of data that you don’t need. It’s an unnecessary added liability to over-retain personal data that serves no business purpose.
Albertson’s issues surrounding compliance with BIPA start with the organization’s data map, which, for any organization, needs to be built the right way. Keeping the data inventory up to date can help prevent running afoul of data privacy laws like BIPA or, for larger organizations with an international presence, the EU’s General Data Protection Regulation (GDPR). Fines for violating such privacy laws can add up quickly, which makes it all the more important to ensure that the only data an organization retains is accurate and necessary for business purposes.