The Illinois House passed legislation aimed at reining in the potential for runaway damages under the state’s biometric privacy law Thursday, more than a year after the Illinois Supreme Court suggested the legislature revisit the law.
Illinois’ biometric privacy law, which the state legislature passed in 2008, requires companies to gain consent before they collect and store biometric information such as fingerprints or retina scans. It’s considered the strictest such law in the country, in part because it allows individuals to sue over alleged violations. Companies that have been caught in the law’s crosshairs include Facebook, which paid out a $650 million settlement over its facial tagging feature, and Google, which settled a case over its facial grouping tool on Google Photos for $100 million.
In February 2023, the Illinois Supreme Court suggested the legislature revisit the language of the law in a much-anticipated split opinion issued in a case involving fingerprint scanners used by employees at fast-food company White Castle.
In that case, the court ruled that damages under the law accrue each and every time a person provides their biometric information without prior informed consent. But in the majority opinion, the court acknowledged its reading of the statute opened the door to “potentially excessive” damages in BIPA cases and suggested the legislature revisit the language of the law.
“We continue to believe that policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature,” Justice Elizabeth Rochford wrote in the opinion. “We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.”
The legislation passed Thursday amends the law to state that a violation of the act occurs — and damages under the law accrue — only once when an entity collects or discloses a person’s biometric information without consent, rather than every time.
Nine Republicans joined Democrats in the House supermajority to pass the measure in an 81-30 vote. After passing through the Senate last month in a 46-13 vote, the bill’s next stop is to Gov. J.B. Pritzker’s desk for his consideration.
“Once it reaches his desk, Governor Pritzker will give the final legislation careful review,” said Alex Gough, a spokesperson for the governor, in a statement.
“This is a really straightforward requirement in BIPA for a very significant and valuable privacy right,” said the bill’s main House sponsor, state Rep. Ann Williams, a Chicago Democrat. “This bill addresses the invitation by the court to address damages, and that’s exactly what we’re doing here.”
State Rep. Abdelnasser Rashid, a Democrat from Bridgeview, also defended the bill, saying it preserves the “critical privacy protections” at the core of the law, including shielding the public from social media companies’ data harvesting of personal information. But he also said the legislation adds “much needed clarity” to help small businesses operate in a more predictable, regulatory setting.
“I know that many small business owners will be relieved to see this measure pass,” Rashid, who co-sponsored the measure, said shortly before the House vote.
In March, a coalition of major business groups including the Chicagoland Chamber of Commerce, the Illinois Chamber of Commerce, the Illinois Hotel & Lodging Association, the Illinois Manufacturers’ Association and the Illinois Retail Merchants Association issued a statement saying they could not support the legislation in its form as introduced. Though the bill would place “some limits” on financial liability under BIPA, the group said, “it is not retroactive and therefore fails to help the thousands of businesses still fighting against massive judgments even though there is no proof that harm ever occurred.”
On Thursday, the Technology & Manufacturing Association, a trade organization for small and mid-sized manufacturers, praised the legislation and called for Pritzker to sign it into law.
“Many of the small and midsize manufacturers who have been impacted by BIPA are 2nd and 3rd generation manufacturers who don’t have a legal department and have been subject to annihilative lawsuits that made many get to a point where they had to consider closing their doors, but this new law fixes that from continuing to happen,” lobbyist David Curtin said in a statement.
One of the House Republicans who voted against the measure Thursday, state Rep. Dan Ugaste, said during floor debate he didn’t think the bill went far enough to be fair to businesses, especially if the violation was merely a mistake. He also raised concerns over whether data centers, which function as a storage apparatus for computer systems, could still be open to liabilities with the legislation.
“I don’t want anyone taking my biometric data and sharing it with anyone, neglecting proper care for it or doing anything of that nature,” said Ugaste, of Geneva. “But I also don’t believe a company should be penalized when no actual harm’s been done.”
“I just think we need to keep talking and go a step further in order to make certain that businesses do what they’re supposed to and protect the data they’re collecting, but at the same time aren’t punished unnecessarily,” Ugaste said. “Then if we’re going to apply a penalty to something, we make certain it’s something such as a data center can even comply with if we’re requesting it of them.”
Attempts to amend the biometric privacy law last year stalled after the legislation at the time didn’t address various concerns from business groups.
“It’s quite notable that this passed,” said Matthew Kugler, a law professor at Northwestern University’s Pritzker School of Law. “I think it shows how concerned people are in the wake of the White Castle decision.”
That said, Kugler added, the legislation — if the governor signs it into law — would not necessarily elicit a major departure from the status quo in terms of how settlements under the law typically shake out.
“It indicates that the long tail of high damages is not on the table,” he said. “In that sense, it should result in lower settlements. Having said that, I don’t think many prior settlements were based on the idea that you could recover (damages) for each individual scan.”
Damages under the law are $1,000 for negligent violations and $5,000 for “intentional” or “reckless” violations. When applied to each time a company collected someone’s biometric information, the potential for damages could grow exponentially.
The White Castle case — which could have left the company on the hook for $17 billion in damages had it lost at trial — was settled last month for $9.4 million in federal court in Chicago pending a final approval hearing in August.
Lior Strahilevitz, professor of law at the University of Chicago Law School, said he would expect damages in cases involving smaller groups of class members — such as employees in the White Castle case — to go down under the amended legislation, or for those cases to not even be brought in the first place.
“A plaintiffs’ lawyer has to make a decision about whether it’s worth their while,” Strahilevitz said. If a company has collected fingerprints from its 100 employees but not its customers, for instance, the maximum amount the plaintiffs’ could recover under the amended legislation would be $100,000 for negligent violations of the law. The attorneys, Strahilevitz said, would be “better off dealing with an automobile injury or taking a slip-and-fall case.”
But the types of BIPA cases many Illinois residents are more familiar with — those that resulted in checks from big tech companies for millions of Illinoisians, for instance — may not see as much impact because plaintiffs’ attorneys will still consider those large cases worth their trouble, Strahilevitz said.
“I think you’ll still continue to see large settlements in cases involving companies like Facebook that have millions of Illinois customers,” he said.