Democratic leaders poised to revisit Biometric Information Privacy Act after court rulings
Nearly a year ago, the Illinois Supreme Court asked the General Assembly to clarify a 15-year-old law that’s led to hundreds of lawsuits and several high-dollar settlements with companies alleged to have illegally collected Illinoisans’ biometric data.
Now, Democratic leaders in the legislature appear ready to revive talks to reform the state’s Biometric Information Privacy Act, or BIPA, after business groups poured cold water on the majority party’s ideas last spring.
State Sen. Bill Cunningham, D-Chicago, a high-ranking member of the Senate, said the proposal he filed this week strikes a balance between business groups’ concerns over the law and its original intent.
“We think that the security restrictions embedded in (the law) are very important and we want to keep them in place, but we do want to address the way liability accrues so that businesses are not unfairly punished for technical violations of the act,” he said.
The law has made Illinois the only state that grants residents a private right to sue over businesses’ improper collection and mishandling of biometric data – whether they are an employee or a customer. A business can violate BIPA by not getting written consent from customers or employees for the data being collected, not having a storage policy in place or not properly protecting the data.
When BIPA became law in 2008, it was a novel concept meant to guard against technologies that, at the time, were still mostly the stuff of science fiction.
But as more and more companies began using technology like fingerprint and facial scans to identify customers and workers, it’s been the basis of hundreds of lawsuits across the state.
Upwards of 2,000 suits have been filed under BIPA since roughly 2018, resulting in a few high-profile settlements – including a $650 million class-action payout from Facebook in 2020. The social media giant paid more than 1 million Illinoisans roughly $400 each.
Business groups have been pushing for changes to the law for several years, arguing that companies don’t store actual biometric data, but rather convert it to a string of numbers that would be all but impossible to link back to a specific fingerprint or facial scan.
But industry groups’ worries were amplified last winter after the state’s high court issued a pair of rulings that strengthened the law. First, the court ruled unanimously that BIPA had a five-year statute of limitations – not the one-year limit sought by business groups.
Two weeks later, the court ruled 4-3 that each instance of a company improperly collecting biometric data markers amounts to a separate violation of the law. In that case, fast food chain White Castle estimated it would be on the hook for up to $17 billion in penalties, as the law provides for $1,000 in damages for “negligent” violations or $5,000 for “reckless” or “intentional” violations.
Cunningham’s Senate Bill 2979 would change BIPA’s violation accrual so that each initial collection of a fingerprint or other biometric data would amount to one violation, rather than a violation occurring for each individual scan. Employees might scan their fingerprints dozens of times per shift if they’re unlocking doors or cabinets with those scans.
The senator said that under his proposal, some “back-of-the-envelope math” indicates the change would dramatically reduce White Castle’s estimated $17 billion penalty to anywhere between $10 million and $50 million.
“Some would call (the current understanding of violation accrual) annihilative liability,” Cunningham said. “It would essentially annihilate the business. It would cease to exist.”
In the White Castle decision last February, the majority was clear that it wasn’t ruling on the question of damages specifically, which means the legal question of how damages can accrue under BIPA is still unsettled. And while most BIPA cases are settled before ever going to trial, critics say the threat of high-dollar damages translates to similarly expensive settlements.
But the court did “respectfully suggest” the General Assembly review BIPA “and make clear its intent regarding the assessment of damages under the Act.”
Cunningham said his proposal answers that call. Business groups pushed back against a previous fix the senator floated last spring, which would have addressed the violation accrual issue but increased the damages for negligent violations from $1,000 to $1,500. He said he heard the business groups’ concerns, leading him to drop that part of his proposal.
“We appreciate Sen. Cunningham’s leadership and look forward to working with him on this important issue,” the business group coalition said in a statement.
State Rep. Ann Williams, D-Chicago, a key backer of BIPA, also supports Cunningham’s proposal. She’d previously been noncommittal about changing the law in the wake of the state high court’s rulings but said she’d pre-filed to be the measure’s House sponsor this year should it pass the Senate.
She said she’d like to see a solution that makes it easy for employers to follow the law while still protecting people’s data privacy.
“My main concern is to ensure that we keep the basic premise of the law intact,” Williams said. “I have no problem reassessing the damage structure to make it more palatable for businesses to comply.”
Capitol News Illinois is a nonprofit, nonpartisan news service covering state government. It is distributed to hundreds of newspapers, radio and TV stations statewide. It is funded primarily by the Illinois Press Foundation and the Robert R. McCormick Foundation, along with major contributions from the Illinois Broadcasters Foundation and Southern Illinois Editorial Association.