Illinois changes biometric privacy law to help corporations avoid big payouts

Possible damages payments dramatically lowered by change to 2008 Illinois law.

Illinois has changed its Biometric Information Privacy Act (BIPA) to dramatically limit the financial penalties faced by companies that illegally obtain or sell biometric identifiers such as eye scans, face scans, fingerprints, and voiceprints.

The 2008 law required companies to obtain written consent for the collection or use of biometric data and allowed victims to sue for damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation. But an amendment enacted on Friday states that multiple violations related to a single person’s biometric data will be counted as only one violation.

The amendment, approved by the Illinois Legislature in May and signed by Gov. J.B. Pritzker on August 2, provides “that a private entity that more than once collects or discloses a person’s biometric identifier or biometric information from the same person in violation of the Act has committed a single violation for which the aggrieved person is entitled to, at most, one recovery.”

As Reuters reports, the “changes to the law effectively overturn a 2023 Illinois Supreme Court ruling that said companies could be held liable for each time they misused a person’s private information and not only the first time.” That ruling came in a proposed class action brought against the White Castle restaurant chain by an employee.

Change lowers potential for big settlements

The change to the privacy law “will significantly reduce the potential damages and lower the settlement value of BIPA claims. The amendment also provides that an e-signature satisfies the written requirements for the release,” Squire Patton Boggs lawyer Alan Friel wrote in National Law Review yesterday.

In 2020, Facebook agreed to a $650 million settlement after being sued by users who alleged violations of the Illinois law. Settlement class members received over $400 each.

The Illinois law is unique in letting individuals sue for damages, Friel wrote. “Colorado recently enacted a BIPA-like biometrics law, but like other states except only Illinois, it does not have a privacy right of action and can only be enforced by the state,” he wrote. “However, states are active in enforcing their privacy laws as illustrated by a recent Texas settlement with a social media company for biometric consent claims that included a 9-figure civil penalty payment.”

Friel was referring to Facebook-owner Meta agreeing to a $1.4 billion settlement with Texas Attorney General Ken Paxton. The Texas AG alleged that Meta “unlawfully captur[ed] the biometric data of millions of Texans without obtaining their informed consent as required by Texas law.” The claim was over Facebook using facial recognition for a feature that makes it easier to tag people in photographs.

The Information Technology and Innovation Foundation, a research group funded by various corporations, said the change to BIPA “makes a bad law slightly better.”

“BIPA is a prime example of privacy legislation gone too far,” ITIF Senior Policy Manager Ash Johnson said. “With steep fines for even minor violations and a private right of action that has gone out of control, with multiple multi-million-dollar settlements. This has led companies to limit the technology available to Illinois consumers or even pull out of the state entirely.”