Is Illinois Moving Away from its Strict BIPA Law?


By now, you’ve probably heard of the Illinois Biometric Information Privacy Act (“BIPA”), even if it was just a message you received to the tune of “Facebook users in Illinois may be entitled to payment if their face appeared in a picture on Facebook after June 7, 2011.”

The law, the first in the country purpose-built to regulate only biometric information, is among the strictest biometric laws in the world right now. Among other things, it requires that data subjects be provided with notice and deliver a signed written release (as opposed to the more prevalent electronic consent) before facial recognition, fingerprints or other biometric features can be collected and used. That was the crux of the Facebook case, where the photo-tagging feature we all hate-to-love and love-to-hate, resulted in a $650M class action lawsuit settlement.

But the Illinois statute is not without its critics.

BIPA remains the only state law that allows private individuals to bring a suit and recover up to $5,000 in statutory damages (and much more if actual damages are proved) without having suffered anything approaching the harm required under other state privacy law regimes. As a result, with more than 200 class actions filed, many have expressed concern that BIPA has become good business for class-action attorneys, but bad business for actual businesses, especially Illinois’ small business community.

In an attempt to strike a new balance, on March 9, 2021 the Illinois House judiciary committee advanced House Bill 559 (“HB 559”) which would amend BIPA.

HB 559’s key amendments do the following:

  • permit notice of biometric data collection to be made specifically to affected data subjects, rather than generally to the public
  • allow electronic consent to be used instead of written releases
  • create a one year statute of limitations (currently, there is no BIPA-specific statute of limitations)
  • require a 30 day notice and cure period before private actions can be brought
  • allow an otherwise offending party to prevent suit by private parties, whether as individuals or via a class action, if the noticed violation is cured and certain other conditions are met (including the provision of written assurances)
  • implicitly require that actual damages be shown insofar as it would do away with liquidated (aka “statutory”) damages
  • permit recovery of those actual damages by private individuals for negligent violations
  • consolidate and raise the standard for enhanced damages from intentional or reckless to solely “willful”
  • impose the same implied actual damages requirement for willful violations as is used with negligent violations, but does allow the right to seek recovery of double damages from willful violators; and
  • provide that BIPA will no longer apply to union employees who are covered by collective bargaining agreements.

We will continue to monitor the status of HB 559 and keep a close eye on the legal landscape if the Bill becomes law. In the meantime, it is always a good idea to review the current law and ensure that your company’s practices are aligned.

New York Introduces Its Own Version of Illinois’ BIPA

In 2010, Illinois passed the Biometric Information Privacy Act, leading to over one thousand class action complaints between the years 2015 and 2020, alone. On January 6, 2021, the New York state legislature introduced Assembly Bill 27, titled the New York Biometric Privacy Act (“BPA”), which is a carbon copy version of the Illinois law.

New York’s BPA proposes to prohibit private entities from capturing, collecting, or storing a person’s biometrics without first implementing a policy and obtaining the person’s written consent. The New York BPA would provide for the identical remedies as the Illinois version, specifically, a private right of action with the ability to recover $1,000 for each negligent violation, $5,000 for each intentional or reckless violation, along with reasonable attorneys’ fees and costs.

While New York’s BPA is only proposed, if the language of the bill remains unchanged, New York companies can expect a similarly heavy flow of litigation. Companies operating in New York that utilize data that at all resembles biometric data should consider immediate steps towards prospective compliance. Companies should be auditing their practices and begin to develop written procedures so that, in the event New York’s BPA passes as written, exposure is limited from the outset. The language of the bill provides that the BPA shall take effect ninety (90) days after becoming law. We will continue to monitor the progress of the proposed legislation as it moves through the Assembly and the Senate.