Illinois considers how best to neuter its landmark biometric privacy law

Lawmakers in the U.S. state of Illinois are finally debating a viable way to save businesses that use biometric scanners from mountainous fines when they violate local data privacy law.
But pols think they have a way to also protect people’s identifiers from being misused in ways that would disadvantage them for life.
Ever since the first huge fines were handed down as a result of Illinois Biometric Information Privacy Act class actions, the question has been asked: When will politicians act on growing business frustration and even anger? The Illinois statehouse is as adept at currying favor with moneyed interests as any other government, if not more so.
BIPA was enacted (and ignored) in 2008 to give people more control over their identifiers in business transactions. The law forced businesses to get express consent before collecting any biometric data from a person and to explain how the data will be managed.
But, crucially, the legislature and state courts have given people the right of private action and allowed fines of $1,000 or $5,000 for every time a non-conforming scan is recorded. They can also sue for actual damages.
Large employers in Illinois who have used a fingerprint scanner to track employees’ time have paid hundreds of millions of dollars in fines and one restaurant chain could face billions of dollars in fines.
Of course, BIPA had been around, sometimes for decades, before a biometric time clock was installed at most businesses. Even observers sympathetic to businesses have a hard time explaining how companies got themselves into their situation.
The new language so far has made it out of committee in the upper house.
Senate-crafted additions to the language of BIPA are not many but they are major and there’s a good chance they will be reviewed widely.
People could sue only for the first time they were the victim of a private entity violating the law.
That would shrink payouts by orders of magnitude, possibly making them less attractive to attorneys and would-be plaintiffs. Even now, individual plaintiffs rarely take home more than $1,000 if their case is won.
Also, the bill would create a big, so-far vague loophole. A private entity wielding a biometric scanner would not need consent if it scans for security, the identifier is used only for security, the data is held no longer than reasonably necessary for a process and a schedule for deletion is documented.
That noted, the legislation specifically calls out biometric time clocks and locks. They would be immune to the updated BIPA if they produce mathematical representations of biometric identifiers (templates) rather than images.
Assuming the relative strength of encryption algorithms holds, employees should be better protected against misuse of their identifiers.