SPRINGFIELD, IL – Illinois has recently amended its Biometric Information Privacy Act (BIPA), essentially reducing the financial risks for companies that mishandle biometric data such as eye scans, fingerprints, and facial recognition information. The changes, signed into law by Governor J.B. Pritzker on August 2, followed a growing trend of legal adjustments aimed at balancing consumer privacy rights with corporate concerns.
Key Changes to BIPA
Originally passed in 2008, BIPA was one of the first laws in the United States to establish strict guidelines for the collection, storage, and use of biometric data. The law required companies to obtain written consent before collecting biometric information and allowed individuals to sue for damages if their data was mishandled. Previously, victims could seek $1,000 for each negligent violation and $5,000 for each intentional or reckless violation.
However, the recent amendment dramatically alters this framework. Under the new rules, multiple violations involving the same person's biometric data will now be treated as a single infraction. This change effectively limits the potential damages a company might face, even if it repeatedly mishandles an individual's biometric information.
Impact on Legal Liability
This amendment overturns a 2023 Illinois Supreme Court ruling that held companies accountable for each instance of biometric data misuse. The ruling had stemmed from a class-action lawsuit against White Castle, where an employee accused the restaurant chain of repeatedly violating BIPA by improperly collecting her biometric data. With the new law in place, such claims will now result in lower financial penalties for companies, reducing the incentive for large-scale settlements.
Legal and Industry Reactions
Legal experts and industry groups have noted the implications of this amendment. Alan Friel, a lawyer with Squire Patton Boggs, observed that the change would likely decrease the settlement value of BIPA claims. He also underlined that the new law allows companies to fulfil the written consent requirement through electronic signatures, further easing the burden on businesses.
In the past, BIPA has led to substantial settlements, such as Facebook’s $650 million agreement in 2020 to settle claims that it violated the law by using facial recognition without user consent. This settlement resulted in individual payouts of over $400 to affected users. Illinois’ law is unique in allowing individuals to directly sue companies for violations, a provision that other states, such as Colorado, have not adopted.
The amendment comes amid a broader national debate over privacy laws and the responsibilities of corporations handling sensitive data. While Illinois has maintained a more consumer-focused approach, other states have taken different paths. For example, Texas recently secured a $1.4 billion settlement with Facebook’s parent company, Meta, over similar biometric privacy violations. However, in Texas, enforcement of such laws is handled by the state, not individual consumers.
The Information Technology and Innovation Foundation (ITIF), a think tank supported by various corporations, welcomed the changes to BIPA. Ash Johnson, ITIF’s Senior Policy Manager, argued that the amendment brings much-needed balance to the law, which had previously imposed steep fines for even minor infractions. According to Johnson, the previous version of BIPA had driven some companies to limit their technological offerings in Illinois or avoid the state altogether.
The recent amendment to Illinois’ Biometric Information Privacy Act marks a notable shift in how biometric data violations are handled, reducing the financial risks for companies while still aiming to protect consumer privacy. As states across the U.S. continue to grapple with how best to regulate biometric data, Illinois' experience with BIPA will likely serve as a critical case study for future legislation.