News

Illinois Senate advances changes to state’s biometric privacy law after business groups split

State Sen. Bill Cunningham, D-Chicago, speaks to reporters after passing an amendment to the state’s Biometric Information Privacy Act through the Senate on Thursday. It now heads to the House for consideration.

SPRINGFIELD – It’s been more than a year since the Illinois Supreme Court “respectfully suggest[ed]” state lawmakers clarify a law that’s led to several multi-million-dollar settlements with tech companies over the collection of Illinoisans’ biometric data.

On Thursday, a bipartisan majority in the Illinois Senate did just that, approving the first major change to Illinois’ Biometric Information Privacy Act since it was originally passed in 2008.

“[The state Supreme Court] invited the General Assembly to address this,” state Sen. Bill Cunningham, D-Chicago, said Thursday of a high court decision last February that found fast food chain White Castle violated BIPA each time its employees used their fingerprints in the course of performing their jobs.

In that case, White Castle estimated it would be on the hook for up to $17 billion in penalties as the law provides for $1,000 in damages for “negligent” violations or $5,000 for “reckless” or “intentional” violations.

Though the court made clear it wasn’t ruling on the question of how damages stack up, it did “respectfully suggest” the General Assembly review BIPA “and make clear its intent regarding the assessment of damages under the Act.”

“This bill is a response to that invitation,” Cunningham said before passage of Senate Bill 2979.

The legislation, which passed 46-13, would change BIPA’s violation accrual so that each initial collection of a fingerprint or other biometric data would amount to one violation, rather than a violation occurring for each individual scan. Employees might scan their fingerprints dozens of times per shift if they’re unlocking doors or cabinets with those scans.

Illinois is the only state that grants residents the right to sue over businesses’ improper collection and mishandling of biometric data – whether they are an employee or a customer. A business can violate BIPA by not getting written consent from customers or employees for the data being collected, not having a storage policy in place or not properly protecting the data.

Business groups have been clamoring for changes to BIPA in recent years as upwards of 2,000 lawsuits have been filed under the law since roughly 2018, resulting in a few high-profile settlements – including a $650 million class-action payout from Facebook in 2020. The social media giant paid more than 1 million Illinoisans roughly $400 each.

“While I wish there was more in this, ... to do nothing leaves Illinois businesses subject to really annihilistic judgments.”

—  Senate Minority Leader John Curran, R-Downers Grove

But it was a pair of decisions from the state Supreme Court last year that galvanized business groups’ efforts to push for changes to the law. First, the court unanimously ruled that BIPA had a five-year statute of limitations – not the one-year limit sought by business groups. A few weeks later in the White Castle case, the court ruled 4-3 that each time a company improperly collected biometric data markers amounts to a separate violation of the law.

When BIPA became law more than 15 years ago, it was a novel concept meant to guard against technologies that, at the time, were still mostly the stuff of science fiction.

But as more and more companies began using technology like fingerprint and facial scans to identify customers and workers, it’s also led to what opponents of the law have called a cottage industry for ambitious attorneys.

Business groups have been divided on Cunningham’s proposal, with some offering full-throated support after the bill’s passage on Thursday and others pointing to continued opposition.

Senate Minority Leader John Curran, R-Downers Grove, noted the split before he ultimately voted for the bill, but said he sided with the industry groups that support it.

“I think they see it the way I see it,” Curran said. “While I wish there was more in this, ... to do nothing leaves Illinois businesses subject to really annihilistic judgments.”

After SB 2979 passed through a Senate committee last month, a coalition of influential industry groups said it didn’t go far enough, especially because it wasn’t retroactive and wouldn’t help companies that have already been sued under BIPA.

Additionally, in recent weeks, advocates for Illinois’ burgeoning data center industry have registered concern that Cunningham’s bill doesn’t specifically shield data centers from liability for storing biometric information on behalf of companies who may have violated BIPA.

After the bill’s passage Thursday, Cunningham, a high-ranking member of the Senate, didn’t close the door on a future amendment to address concerns from the data center industry.

“It’s a bicameral legislature, so we’ll see what happens in the House” he said. “But I think what we see here – the guts of this bill are going to stay in place and will, I think, be signed by the governor sometime this spring or summer.”

Capitol News Illinois is a nonprofit, nonpartisan news service covering state government. It is distributed to hundreds of newspapers, radio and TV stations statewide. It is funded primarily by the Illinois Press Foundation and the Robert R. McCormick Foundation, along with major contributions from the Illinois Broadcasters Foundation and Southern Illinois Editorial Association.

Hannah Meisel - Capitol News Illinois

Hannah Meisel is a state government reporter for Capitol News Illinois