032823CM0056r Cunningham

SPRINGFIELD – In an effort to shield Illinois employers from costly lawsuits without rolling back the state’s strict digital privacy protections, State Senator Bill Cunningham filed Senate Bill 2979, which makes changes to the liability guidelines in the Biometric Information Privacy Act.

“Given the rash of cybersecurity breaches we hear about, Illinoisans should be proud that we have arguably the strongest digital privacy laws in the nation. However, our laws have not kept up with changes in technology, which has left some small businesses facing overwhelming financial liabilities,” said Cunningham, a Democrat who represents portions of Chicago and the Southwest Suburbs. “SB 2979 will keep the current privacy restrictions in place and hold violators accountable, as well as ensure businesses are not unfairly punished for technical violations of the law.”

Under BIPA, private entities must obtain written consent before collecting and storing biometric information, such as an employee’s fingerprint. If a business is sued for violating BIPA, they can be ordered to pay damages for each instance where biometric information is collected — even if they repeatedly collect the same information. This has led to situations where an employer can be ordered to pay millions in liquidated damages, and in a case involving White Castle, billions of dollars, because each collection counts as a separate violation. For instance, businesses that use digital fingerprinting systems for employee timekeeping often take swipes of each employee’s fingerprint multiple times per shift — like when the employee arrives for work, leaves for and returns from a lunch break, or checks out at the end of the work day. Under BIPA, each of those swipes can qualify as a violation of the law if the employee has not provided written consent, exposing the business to a minimum of $1,000 in damages every time a swipe is taken.

Cunningham’s bill would limit the number of claims accrued under that scenario should an employee bring a lawsuit against a company for a violation of BIPA. If a certain biometric identifier is collected by the same employer in the same manner, only one violation would accrue. In other words, the liability faced by the business would accrue on a per-employee basis, rather than a per-collection basis.

SB 2979 also modernizes the manner in which written consent can be granted to include the use of electronic signatures. The original BIPA legislation took effect in 2008 when electronic signatures were not widely used. Cunningham’s legislation clarifies that because using electronic signatures is a common practice to obtain consent, they can be used to comply with BIPA consent requirements. 

“Dozens of legislative proposals to update BIPA have been offered in recent years, but most of those efforts have attempted to remove or narrow privacy protections that have been embedded in the law,” said Cunningham. “SB 2979 does not take that approach. Rather, it puts a common-sense formula in place to determine the amount of financial damages that must be paid for violations of the act.”

Senate Bill 2979 was introduced by Cunningham on Wednesday.