Lawmakers revisit data collection privacy laws
Send a link to a friend
[March 11, 2021]
By GRACE BARBIC
Capitol News Illinois
gbarbic@capitolnewsillinois.com
 SPRINGFIELD – State lawmakers are
considering changes to an internet privacy law that recently led to a
$650 million settlement between Facebook and more than 1 million of the
website’s users in Illinois.
A state House judiciary committee advanced House Bill 559 on Tuesday, a
measure that would revisit the Biometric Information Privacy Act of
2008, known as BIPA, to include provisions which sponsors say will
protect small businesses but detractors say will render the privacy law
obsolete.
House Minority Leader Jim Durkin, R-Western Springs, introduced the
bill, saying thousands of BIPA related lawsuits have been filed against
big businesses and small businesses alike, hitting the “small guys” the
hardest.
The bill advanced to the House floor on a 10-5 vote Tuesday, with five
Democrats opposed and one voting present. The committee vote in favor
was bipartisan, although most of the support came from Republicans.
Durkin said he is concerned that the language of BIPA is outdated and
that it has created a “cottage industry for a select group of lawyers to
file class action lawsuits against big and small employers and nonprofit
agencies.”
BIPA is one of the strictest privacy laws in the nation, and it became
law at a time when some of the current day’s most ubiquitous
technologies, such as the iPhone, were still new. It requires Illinois
business owners that collect biometric information, such as fingerprints
or face prints for facial recognition, to have certain policies in place
for the collection, storage and use of this personal identification.
The business is required to notify the employee or customer and obtain a
written release from the individual if biometric information is being
collected. BIPA also states that the business is not authorized to
disclose this biometric information to a third party without the
individual’s consent.
If a private entity, which is defined as any individual, partnership,
corporation, limited liability company, association or other group,
violates any portion of this policy, the individual has a right to take
legal action.
One of the major lawsuits, Rosenbach v. Six Flags, set a precedent for
future BIPA lawsuits because of the Illinois Supreme Court’s ruling that
a person can seek “liquidated damages” based on a technical violation of
BIPA, even if there was no “actual injury,” according to the National
Law Review.
Liquidated damages refer to penalties for breaking the BIPA law, which
are numbered at $1,000-$5,000 in existing law depending on whether the
offense was negligent, reckless or intentional.
In that case, a woman purchased a season pass to Six Flags Great America
for her son, and his fingerprint was scanned to be used as a means to
enter the theme park. At issue is that neither the woman nor her son
were given written notice and they did not sign a written release for
this biometric information to be collected or used, both of which are
required under BIPA.
While there was no actual injury, the Illinois Supreme Court ruled in a
unanimous decision that “an individual need not allege some actual
injury or adverse effect, beyond violation of his or her rights under
the Act, in order to qualify as an ‘aggrieved’ person and be entitled to
seek liquidated damages and injunctive relief pursuant to the Act.”
Under HB 559, the “aggrieved party” must provide a 30-day written notice
of a violation to the business or employer and the entity in violation
must “cure” the violation within 30 days, otherwise they are subject to
litigation.
“We think this is fair,” Durkin said. “This is what I believe is an
appropriate balance between the rights of privacy and the employees, and
also what I think is a fair shake for employers.”
Facebook is facing the $650 million class action lawsuit under BIPA
because of a feature that utilizes facial recognition technology to
suggest other users to tag in photos. It started with three different
Illinois residents that filed suit against Facebook in 2015, and now
includes nearly 1.6 million Illinois Facebook users that believe
Facebook violated their rights under BIPA.
[to top of second column]
|
House Minority Leader Jim Durkin, R-Western Springs,
presents House Bill 559 before the Illinois House Judiciary Civil
Committee on Tuesday. The bill would revisit the Biometric
Information Act of 2008. (Credit: Blueroomstream.com)
Clark Kaericher, Vice President of the Illinois Chamber of Commerce,
said despite the fact that most of the headline-making cases are
against big companies, it’s mostly small companies in the state
facing lawsuits.
“Since that case (Rosenbach v. Six Flags), we’ve seen an explosion,”
Kearicher said. “As of last month, we were up to 1,076 cases filed,
both open and closed, in a two year period here in Illinois alone.”
Notably, the Salvation Army, nursing homes, hospitals and other
businesses have been targets of BIPA lawsuits as of late because of
their timekeeping system that uses a fingerprint scan for clocking
in and out to avoid wage litigation and timekeeping fraud.
According to BIPA, a claimant subject to a negligence violation is
entitled to at least $1,000 in liquidated damages, up to the cost of
actual damage, whichever is more. Penalties for intentional or
reckless violation amount to the greater of $5,000 or actual
damages. BIPA also provides that an individual can recover
reasonable attorneys’ fees and costs, or other relief such as an
injunction.
“It’s enough to put any small business into insolvency and we think
that alone is reason to relocate this law,” said Kearicher.
HB 559 contains several changes to the original bill language,
including allowing companies to receive “consent” for biometric data
use instead of the “written release” required in the original bill,
and it allows for the consent to be given through “electronic
means.”
It would also change the penalty structure for damages. For
negligence violations, it would remove the $1,000 liquidated damages
penalty, limiting claimants in that category to reimbursement of
“actual damages,” which are quantifiable repercussions of the
violation of the law.
For “intentional or reckless” violations, the language would be
changed to “willful” violations, and the $5,000 number for
liquidated damages would be removed. Instead, claimants would be
entitled to “actual damages plus liquidated damages up to the amount
of actual damages.”
Advocates for the reform also argued that BIPA has innovation
killing aspects, taking competitiveness away from Illinois
businesses which worry about implementing new technology out of fear
of BIPA’s liability.
Opponents are more concerned that the bill will render the existing
law useless.
Sapna Khatri, advocacy and policy counsel for the ACLU of Illinois,
noted that BIPA has been called the most effective and important
privacy law in the country because of its simplicity.
“We are here because BIPA is working precisely as it was intended,”
Khatri said. “This (new bill) is prioritizing corporate profits over
personal privacy and granting companies wide latitude to collect and
exchange our biometric information like currency. This is not a
solution.”
Opponents to HB 559, such as Rep. Ann Williams, D-Chicago, and Rep.
Jennifer Gong-Gershowitz, D-Glenview, argued that as technology
advances, BIPA as it stands is imperative to protecting Illinois
residents’ most personal private data.
“At a time when our neighbors and other states are modeling
legislation around BIPA and issuing bans on the use of invasive
biometric technology, like facial recognition, HB 559 presents a
massive step back for Illinois,” Khatri said.
Capitol News Illinois is a nonprofit, nonpartisan
news service covering state government and distributed to more than
400 newspapers statewide. It is funded primarily by the Illinois
Press Foundation and the Robert R. McCormick Foundation. |
