Illinois is one of only three states with legal protections for a person’s biometric information. That law is called the Illinois Biometric Information Privacy Act (BIPA). The Act states that a private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining the identifiers or information has been satisfied; or within three years of the individual’s last interaction with the private entity. Illinois is the only state with a private right of action to enforce BIPA.
Privacy concerns are the reason for the law, as biometric data can be used to track an individual’s movements and activities. The data can also be used to unfairly discriminate against certain groups of people. In some cases, sensitive information can be revealed, such as whether a person accessed a particular type of healthcare, attended religious services or attended political or union meetings. The advancement of facial recognition technology has also brought forth significant privacy issues.
While the passage of BIPA was well intended, it has brought about a cottage industry of attorneys threatening small businesses who may have unknowingly violated BIPA with big money lawsuits. The Act provides for liquidated damages of $1,000 per violation, and that can add up quickly if an employer, for example, uses an employee’s fingerprint for their time clock system. As a result, businesses can suffer serious financial harm or bankruptcy even if there are no data breaches.
Businesses in our state need a path forward around this lawsuit abuse, and House Republicans have filed numerous bills to narrow the scope of BIPA and protect business owners. Recently, White Castle was held potentially liable for $17 billion in damages as a result of a ruling in February 2023 by the Illinois Supreme Court. However, the effects of that decision are not limited to White Castle. The decision confirmed the idea that damages under BIPA accrue every single time biometric data is collected, even if it’s the same data, collected the same way, such as in a fingerprint time clock. This means that businesses in Illinois could be liable for seemingly unlimited damages, despite there being no actual damage to the plaintiff.
This issue it is not going away anytime soon, unfortunately. The financial burden on businesses that unknowingly violated the Act is not sustainable. Lawyers are actively seeking out clients for new lawsuits, and business owners need protection from the threat of frivolous job-crushing settlements. House Republicans continue to work in a bipartisan manner to try to pass needed BIPA reforms.
“If Illinois is going to be attractive for job creators, to provide for the next generation of future economy workers, we need to be attentive, not only to the privacy requirements of our citizens, but also the changing dynamics of technology,” Rep. Jeff Keicher (R-Sycamore) stated. “Many small businesses are having difficulty adapting a 2008 law to 2023 realities of what is in place. As a result, many small businesses are paying fines of many hundreds of thousands, if not millions, of dollars for what is considered common employment practice in the rest of the country.”