The US Biometric Information Privacy Act (BIPA) Bites Harder


Strict Control On Biometrics

Globally, the use of biometric data is increasingly subject to strict control. The EU General Data Protection Regulation (GDPR) classifies biometric data as “sensitive data”, and its use by private entities will normally require freely given, informed, and explicit consent.

Much the same applies under the Illinois Biometric Information Privacy Act (BIPA). But whereas enforcement of the EU GDPR is largely left to the EU Member States’ regulatory bodies (the so-called data protection supervisory authorities), under BIPA “any person aggrieved by a violation of [that] Act” is given a private right of action. Under it, they may recover from a private party, for each violation, “liquidated damages of $1,000 or actual damages, whichever is greater” (rising to $5,000 if the violation was intentional or reckless), plus “reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses”, and such other relief, including an injunction, as the state or federal court may deem appropriate (section 20). There have already been substantial awards under the Act.

Illinois Supreme Court Determines BIPA Claims Accrue

On February 17, the Illinois Supreme Court ruled that a separate claim accrues each time a business unlawfully scans or transmits an individual’s biometric identifier or information, a decision that could drive up class action settlements against repeat Biometric Information Privacy Act (BIPA) violators. The Illinois defense bar warned that it could lead to “astronomical damage”.

Ensuring Compliance “By Design And Default”

EU data protection law, including the GDPR, requires all users of personal data to ensure that their products and services comply “by design and default”, and they must be able to “demonstrate” such compliance “by design and default”.

ValidSoft Meets Those Requirements

ValidSoft’s voice biometric authentication solutions are always designed to meet the most demanding European and U.S. legal standards “by design and default”. This includes technical and organisational measures such as:

  • Non-reversibility and “non-matchability” of the voiceprints used (meeting the main concerns of European supervisory authorities);
  • Meeting the legal requirements for informing individuals and obtaining their valid consent (a “written release” in BIPA terms); and
  • Assistance in integrating its solutions with clients’ systems, so that each actual deployment of its solutions is, too, GDPR and BIPA compliant “by design and default”.

Indeed, over the years, ValidSoft has uniquely obtained four European Privacy Seals for its solutions, confirming compliance with the demanding requirements of the EU GDPR and the Illinois BIPA (and other US privacy laws). No other voice biometrics provider or location-based services provider has attained a Privacy Seal from the European Union.

Author: Prof. Douwe Korff
Data Protection Officer & Advisor