Biometric Privacy Fines in Illinois Would Be Tamed in State Bill

Illinois lawmakers are working to curb potential damages under the state’s biometric privacy law for companies that don’t secure written permission first to collect fingerprints, face scans, and other data.

A measure advancing in the state legislature seeks changes to the Biometric Information Privacy Act, or BIPA, which allows private lawsuits over violations. The 2008 law has spurred an increasing number of class actions and become a major irritant for businesses operating in the state.

The legislative action comes after notable litigation, including a recent $75 million settlement by BNSF Railway Co. The bill seeks to address a state Supreme Court ruling on how violations accrue that in the process opened the door to huge monetary damages for companies—though business groups say the proposal doesn’t go far enough.

The measure, which could receive a state Senate floor vote this week, would count biometric data repeatedly collected from the same person in the same way without consent as a single violation of the law rather than multiple violations. The change, for example, would limit the liability of employers who regularly collect fingerprints from an employee to clock in and out of work.

“Right now in Illinois, the punishment doesn’t fit the crime,” said state Sen. Bill Cunningham (D), sponsor of the bill. “And we wanted to right size that, and that’s what this bill does.”

Potential Damages Skyrocket

BIPA requires companies to obtain written consent before collecting or storing biometric identifiers as well as provide policies on how such data is retained and destroyed. Individuals can sue for damages of $1,000 for a negligent violation and $5,000 for an intentional or reckless violation.

Plaintiffs can bring forth separate claims for each instance their data such as fingerprints are collected without consent, according to a 2023 Illinois Supreme Court ruling. That determination came in a case against White Castle System Inc. by a longtime employee who used her fingerprint to clock in and out of work at the fast-food restaurant.

“What that meant, in practicality, was that the damages potential for a BIPA claim basically shot through the roof,” said Jonathan Ksiazek, partner at Neal, Gerber & Eisenberg LLP.

The high court invited the legislature to determine whether that was the intent of the law, Cunningham said. Businesses have warned that damages accrued every time data is collected—rather than per employee—could result in catastrophic penalties, though the justices also ruled that damages are discretionary and not mandatory.

Business Opposition

The goal of the legislation is to make the law fairer while still protecting biometric privacy, Cunningham said. The measure would also add electronic signatures to the definition of written consent to make it easier for companies to comply, he said.

“Businesses will be more confident to go to court and defend themselves knowing that the risk of losing is much less extreme,” he said.

The changes, though, don’t do enough to address billions of dollars at risk in pending BIPA litigation, said Lou Sandoval, president and CEO of the Illinois Chamber of Commerce. The chamber is one of several business groups opposing the measure.

The bill is a modest amendment to a law that has been “bad legislation from the get-go,” Sandoval said. Businesses argue that the damage limits should apply retroactively and BIPA should exempt certain uses of biometric technology for security purposes.

“It would have been more advantageous to business to cap damages retroactively similar to how we’re capping them moving forward,” Sandoval said.

BIPA Guidance Needed

A separate House bill addresses some of issues raised by businesses, but “we just don’t have the confidence that that one will go forward,” Sandoval said. That bill would include a BIPA security exemption, among other provisions.

TechNet, an industry group with members including Google and Meta Platforms Inc., agrees that more needs to be done to update the law but is supporting Cunningham’s bill as a step in the right direction, said Tyler Diers, TechNet’s executive director for Illinois and the Midwest.

“This bill doesn’t fix a lot of our members’ legitimate concerns with BIPA, but again, I’m not going to hold out my support for a good bill because it doesn’t go far enough,” Diers said.

The recent legal questions make legislative action likely this year. BIPA needs guidance around damages because the White Castle case “really did throw a lot of things up into the air,” Ksiazek said.

“The bill introduced by Senator Cunningham seems to me to be a logical step to bringing this back to what the actual intent of the statute was and bringing the damages back to a more realistic place,” he said.