Illinois Tightens Biometric Data Regulations
In a significant shift for Illinois’ biometric privacy laws, Governor J.B. Pritzker recently signed an amendment to the Illinois Biometric Information Privacy Act (“BIPA”), the first such update since the law’s original passage in 2008. This change, which comes after years of contentious litigation and calls for reform, significantly alters the landscape for companies collecting, storing, and sharing biometric information. By addressing key issues related to consent, damages, and litigation risks, the amendment represents a win for businesses that utilize biometric data, while simultaneously aiming to clarify BIPA’s provisions for consumers and courts alike.
BIPA was groundbreaking when it was passed, establishing some of the most stringent biometric data privacy rules in the country. The law was designed to protect individuals from the potential misuse of their biometric data, such as fingerprints, facial recognition data, or iris scans, by imposing strict requirements for how companies must handle such sensitive information. Under BIPA, companies are required to obtain informed consent before collecting biometric data, and they must have written policies in place for storage and destruction.
However, BIPA’s potential for “annihilative” damages has become a significant concern in recent years. The law allows for statutory damages of $1,000 per negligent violation and $5,000 for reckless or intentional violations, with some courts interpreting each instance of biometric data collection or sharing as a separate violation. This interpretation created the possibility of massive penalties for businesses, especially in cases where biometric data was collected repeatedly, for example, through time clock systems that scanned employees’ fingerprints every day. As one Illinois Supreme Court ruling, Cothron v. White Castle System, Inc., demonstrated, this approach could result in ruinous damage awards for companies, a situation that many feared could ultimately lead to the stifling of technological progress.
The recently enacted amendment to BIPA addresses several of these challenges, signaling a more balanced approach to biometric data regulation. The following are the most impactful changes introduced by the amendment:
One of the amendment’s most notable reforms is the redefinition of what constitutes a violation under BIPA. Previously, businesses could face separate claims for each instance of biometric data collection or sharing without proper consent. This interpretation left companies exposed to astronomical liability, especially for routine practices such as employee timekeeping.
Under the new amendment, repeated biometric data collection or sharing using the same method is treated as a single violation. For example, if an employee uses a fingerprint scanner to clock in and out of work every day, this would now count as one violation instead of multiple daily infractions. Similarly, a company that shares biometric data with the same third party repeatedly would also face a single claim under the same method of sharing. This change significantly reduces potential damages and provides businesses with much-needed relief from the threat of crippling penalties.
BIPA has always required companies to obtain a “written release” before collecting biometric data. However, the amendment now explicitly allows electronic signatures to satisfy this requirement. This means businesses can collect consent through digital means, such as online forms or user agreements, rather than relying solely on physical documentation.
The inclusion of electronic signatures aligns BIPA with modern practices and technological conveniences, making compliance more straightforward for businesses while maintaining consumer protection. This clarification resolves ambiguities that could have previously been exploited in litigation, where plaintiffs might argue that electronic consent was invalid under the original statute.
While the amendment is clear about its immediate applicability, its retroactive impact on ongoing or past litigation remains unresolved. Hundreds of cases alleging per-scan violations are currently pending in state and federal courts. Businesses are likely to argue that the amendment merely clarifies the legislature’s original intent and should therefore apply retroactively. However, Illinois courts typically presume that legislative changes apply prospectively unless explicitly stated otherwise. Whether this amendment applies to past conduct is an issue that will likely be decided through further litigation.
For businesses, the amendment brings welcome relief. The clarification on damages and consent requirements reduces uncertainty and mitigates the risks associated with BIPA compliance. Companies now have clearer guidelines for implementing biometric technologies without the fear of excessive liability stemming from repetitive practices.
At the same time, the core principles of BIPA remain intact. Businesses must still adhere to strict requirements for obtaining informed consent and safeguarding biometric data. The amendment does not diminish the statute’s private right of action, meaning individuals can continue to pursue claims against companies that violate BIPA’s provisions. For consumers, the law remains a robust safeguard against the unauthorized use of their biometric information.
The significance of this amendment extends beyond Illinois, as BIPA has long been considered a trailblazer in biometric privacy regulation. Other states with existing biometric privacy laws, such as Texas and Washington, may look to Illinois’ example when considering their own legislative reforms. Additionally, states currently debating biometric privacy laws are likely to weigh the amendment’s approach to balancing consumer protections with business concerns.
While the BIPA amendment provides clarity on key issues, it is unlikely to quell all litigation. New disputes are anticipated, particularly regarding the retroactive application of the amendment and the interpretation of “same method of collection.” Furthermore, as technology evolves, untested provisions of BIPA may come under scrutiny, giving rise to new legal challenges.
Ultimately, the amendment represents a critical step in the ongoing evolution of biometric privacy law. By addressing excessive damages and modernizing consent requirements, Illinois has taken a pragmatic approach to balancing innovation with privacy. For businesses, the future of biometric data management is clearer, but still demands vigilance. Whether through compliance or advocacy, stakeholders must continue to adapt to the evolving legal landscape in this rapidly advancing field.
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.