While BIPA protects biometric identifiers (including fingerprints), it fully exempts financial institutions that are subject to the Gramm-Leach-Bliley Act (GLBA). Consequently, we do not believe your financial institution is required to comply with BIPA’s provisions.
We also note that the Illinois Personal Information Protection Act (PIPA) requires banks to implement and maintain reasonable security measures to protect personal information, including fingerprints, from unauthorized access. However, banks that comply with the GLBA’s information security standards — as implemented by the interagency guidance included in the resources below — are deemed to comply with PIPA’s requirements.
For resources related to our guidance, please see:
- BIPA, 740 ILCS 14/10 (“‘Biometric identifier’ means a . . . fingerprint . . .”)
- BIPA, 740 ILCS 14/25(c) (“Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder.”)
- PIPA, 815 ILCS 530/45(a) (“A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.”)
- PIPA, 815 ILCS 530/5 (“‘Personal information’ means either of the following: . . . Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint . . .”)
- PIPA, 815 ILCS 530/45(d) (“A data collector that is subject to and in compliance with the standards established pursuant to Section 501(b) of the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Section 6801, shall be deemed to be in compliance with the provisions of this Section.”)
- GLBA, 15 USC 6801(a) (“It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”)