Illinois softens penalties for violations of the Biometric Information Privacy Act
Five years ago, we wrote a blog post about how Illinois was a pioneer in passing a comprehensive statute protecting biometric information, and how other states were following suit. Illinois’ Biometric Information Privacy Act (BIPA), enacted in 2008, protects these biometric identifiers: fingerprints, retina scans, iris scans, hand geometry scans, voiceprints, and face geometry scans.
Illinois still distinguishes itself in that it is the only state that grants consumers the right to sue for monetary damages when their biometric data rights are violated. Other states, such as Texas and Washington, do not provide a private right of action; enforcement is typically reserved for the state attorney general.
Last August, Illinois amended BIPA so that an individual whose rights were violated under BIPA is entitled to only one recovery ($1,000 for a negligent violation and $5,000 for an intentional or reckless violation, along with reasonable attorneys’ fees and injunctive relief), regardless of the number of times the company disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient. Before the amendment, individuals could seek $1,000 for each negligent violation and $5,000 for each intentional or reckless violation.
This amendment comes as a big relief to companies that collect biometric information from Illinois residents. Perhaps you remember hearing about what at the time was the largest privacy-related cash recovery in the U.S.: in January 2020, Illinois class action plaintiffs succeeded in getting Facebook to establish a $650 million fund for users whose BIPA rights were violated by “Tag Suggestions,” Facebook’s facial recognition feature. (Since then, Meta, Facebook’s parent company, has agreed to even larger data privacy settlements.)
Reach out to us if your business collects biometric information. We can help ensure that you are complying with applicable state law.
Categorised as: Biometrics non-compliance