Illinois Senate advances changes to state’s biometric privacy law after
business groups split
Send a link to a friend
[April 12, 2024]
By HANNAH MEISEL
Capitol News Illinois
hmeisel@capitolnewsillinois.com
 SPRINGFIELD – It’s been more than a year since the Illinois Supreme
Court “respectfully suggest(ed)” state lawmakers clarify a law that’s
led to several multi-million-dollar settlements with tech companies over
the collection of Illinoisans’ biometric data.
On Thursday, a bipartisan majority in the Illinois Senate did just that,
approving the first major change to Illinois’ Biometric Information
Privacy Act since it was originally passed in 2008.
“(The state Supreme Court) invited the General Assembly to address
this,” state Sen. Bill Cunningham, D-Chicago, said Thursday of a high
court decision last February that found fast food chain White Castle
violated BIPA each time its employees used their fingerprints in the
course of performing their jobs.
In that case, White Castle estimated it would be on the hook for up to
$17 billion in penalties as the law provides for $1,000 in damages for
“negligent” violations or $5,000 for “reckless” or “intentional”
violations.
Though the court made clear it wasn’t ruling on the question of how
damages stack up, it did “respectfully suggest” the General Assembly
review BIPA “and make clear its intent regarding the assessment of
damages under the Act.”
“This bill is a response to that invitation,” Cunningham said before
passage of Senate Bill 2979.
The legislation, which passed 46-13, would change BIPA’s violation
accrual so that each initial collection of a fingerprint or other
biometric data would amount to one violation, rather than a violation
occurring for each individual scan. Employees might scan their
fingerprints dozens of times per shift if they’re unlocking doors or
cabinets with those scans.
Illinois is the only state that grants residents the right to sue over
businesses’ improper collection and mishandling of biometric data –
whether they are an employee or a customer. A business can violate BIPA
by not getting written consent from customers or employees for the data
being collected, not having a storage policy in place or not properly
protecting the data.
Business groups have been clamoring for changes to BIPA in recent years
as upwards of 2,000 lawsuits have been filed under the law since roughly
2018, resulting in a few high-profile settlements – including a $650
million class-action payout from Facebook in 2020. The social media
giant paid more than 1 million Illinoisans roughly $400 each.
But it was a pair of decisions from the state Supreme Court last year
that galvanized business groups’ efforts to push for changes to the law.
First, the court unanimously ruled that BIPA had a five-year statute of
limitations – not the one-year limit sought by business groups. A few
weeks later in the White Castle case, the court ruled 4-3 that each time
a company improperly collected biometric data markers amounts to a
separate violation of the law.
[to top of second column]
|
State Sen. Bill Cunningham, D-Chicago, speaks to reporters after
passing an amendment to the state’s Biometric Information Privacy
Act through the Senate on Thursday. It now heads to the House for
consideration. (Capitol News Illinois photo by Jerry Nowicki)
When BIPA became law more than 15 years ago, it was a novel concept
meant to guard against technologies that, at the time, were still mostly
the stuff of science fiction.
But as more and more companies began using technology like fingerprint
and facial scans to identify customers and workers, it’s also led to
what opponents of the law have called a cottage industry for ambitious
attorneys.
Business groups have been divided on Cunningham’s proposal, with some
offering full-throated support after the bill’s passage on Thursday and
others pointing to continued opposition.
Senate Minority Leader John Curran, R-Downers Grove, noted the split
before he ultimately voted for the bill, but said he sided with the
industry groups that support it.
“I think they see it the way I see it,” Curran said. “While I wish there
was more in this...to do nothing leaves Illinois businesses subject to
really annihilistic judgments.”
After SB 2979 passed through a Senate committee last month, a coalition
of influential industry groups said it didn’t go far enough, especially
because it wasn’t retroactive and wouldn’t help companies that have
already been sued under BIPA.
Additionally, in recent weeks, advocates for Illinois’ burgeoning data
center industry have registered concern that Cunningham’s bill doesn’t
specifically shield data centers from liability for storing biometric
information on behalf of companies who may have violated BIPA.
After the bill’s passage Thursday, Cunningham, a high-ranking member of
the Senate, didn’t close the door on a future amendment to address
concerns from the data center industry.
“It’s a bicameral legislature, so we’ll see what happens in the House”
he said. “But I think what we see here – the guts of this bill are going
to stay in place and will, I think, be signed by the governor sometime
this spring or summer.”
Capitol News Illinois is
a nonprofit, nonpartisan news service covering state government. It is
distributed to hundreds of newspapers, radio and TV stations statewide.
It is funded primarily by the Illinois Press Foundation and the Robert
R. McCormick Foundation, along with major contributions from the
Illinois Broadcasters Foundation and Southern Illinois Editorial
Association.
 |
