Illinois Legislature Set To Revisit Biometric Privacy Law That Rattled CRE
Illinois Democratic leaders are reportedly ready to revive conversations about reforming a 15-year-old data privacy law that has spurred hundreds of lawsuits, several multimillion-dollar settlements and something of a panic among CRE operators.
State Sen. Bill Cunningham is proposing a bill that may lower the liability companies face for collecting data, Crain’s Chicago Business reports.
“We think that the security restrictions embedded in [the law] are very important and we want to keep them in place, but we do want to address the way liability accrues so that businesses are not unfairly punished for technical violations of the act,” Cunningham told Crain’s.
The state’s Biometric Information Privacy Act, also known as BIPA, requires companies that collect biometric data, like fingerprints and face scans, to get written consent from employees and customers and to create a written policy about its collection, retention and destruction.
Last year, the Illinois Supreme Court ruled that each time a company collects someone’s biometric data in violation of the law, a separate claim for damages accrues. Under BIPA, that means $1K in damages for each negligent violation or $5K for each reckless or intentional violation.
“The upshot is that every single data collection creates another cause of action, and the court itself alluded to this as creating annihilative liability,” Goodwin Law partner Omer Tene previously told Bisnow of the potentially crippling financial fallout of violations.
The bill would change how violations stack up under BIPA so that each initial collection of a fingerprint or other biometric data point would amount to a single violation instead of a violation occurring for each individual scan, Crain’s reports. Workers may scan their fingerprints dozens of times during a shift to unlock doors, for instance.
At least 2,000 suits had been filed under BIPA since 2018 as of early 2023. This includes several high-profile, expensive settlements, like the $725M Facebook paid out in October 2023 after settling a class-action suit over allegations of biometric privacy law violations through facial recognition technology.
State Rep. Ann Williams told Crain’s she supports Cunningham’s proposal, adding she'd like a solution that makes it simple for employers to adhere to the law while still safeguarding people’s data privacy.
“My main concern is to ensure that we keep the basic premise of the law intact,” Williams told Crain’s. “I have no problem reassessing the damage structure to make it more palatable for businesses to comply.”
In addition to business groups’ concerns over the liability they incur with each data collection, they have also taken issue with another Illinois Supreme Court ruling last year. The court found the law provided for a five-year statute of limitations on lawsuits against companies that collected biometric information from employees or customers without proper notice. Businesses have argued for a one-year time limit.