Capitol Fax.com - Your Illinois News Radar » Sen. Cunningham tries again to limit BIPA’s scope
SUBSCRIBE to Capitol Fax      Advertise Here      About     Exclusive Subscriber Content     Updated Posts    Contact Rich Miller
CapitolFax.com
To subscribe to Capitol Fax, click here.
Sen. Cunningham tries again to limit BIPA’s scope

Wednesday, Jan 31, 2024 - Posted by Rich Miller

* Background is here if you need it. Press release…

In an effort to shield Illinois employers from costly lawsuits without rolling back the state’s strict digital privacy protections, State Senator Bill Cunningham filed Senate Bill 2979, which makes changes to the liability guidelines in the Biometric Information Privacy Act.

“Given the rash of cybersecurity breaches we hear about, Illinoisans should be proud that we have arguably the strongest digital privacy laws in the nation. However, our laws have not kept up with changes in technology, which has left some small businesses facing overwhelming financial liabilities,” said Cunningham, a Democrat who represents portions of Chicago and the Southwest Suburbs. “SB 2979 will keep the current privacy restrictions in place and hold violators accountable, as well as ensure businesses are not unfairly punished for technical violations of the law.”

Under BIPA, private entities must obtain written consent before collecting and storing biometric information, such as an employee’s fingerprint. If a business is sued for violating BIPA, they can be ordered to pay damages for each instance where biometric information is collected — even if they repeatedly collect the same information. This has led to situations where an employer can be ordered to pay millions in liquidated damages, and in a case involving White Castle, billions of dollars, because each collection counts as a separate violation. For instance, businesses that use digital fingerprinting systems for employee timekeeping often take swipes of each employee’s fingerprint multiple times per shift — like when the employee arrives for work, leaves for and returns from a lunch break, or checks out at the end of the work day. Under BIPA, each of those swipes can qualify as a violation of the law if the employee has not provided written consent, exposing the business to a minimum of $1,000 in damages every time a swipe is taken.

Cunningham’s bill would limit the number of claims accrued under that scenario should an employee bring a lawsuit against a company for a violation of BIPA. If a certain biometric identifier is collected by the same employer in the same manner, only one violation would accrue. In other words, the liability faced by the business would accrue on a per-employee basis, rather than a per-collection basis.

SB 2979 also modernizes the manner in which written consent can be granted to include the use of electronic signatures. The original BIPA legislation took effect in 2008 when electronic signatures were not widely used. Cunningham’s legislation clarifies that because using electronic signatures is a common practice to obtain consent, they can be used to comply with BIPA consent requirements.

“Dozens of legislative proposals to update BIPA have been offered in recent years, but most of those efforts have attempted to remove or narrow privacy protections that have been embedded in the law,” said Cunningham. “SB 2979 does not take that approach. Rather, it puts a common-sense formula in place to determine the amount of financial damages that must be paid for violations of the act.”

Senate Bill 2979 was introduced by Cunningham on Wednesday.

I’ll update if I hear back from business groups.

       

6 Comments
  1. - Nick - Wednesday, Jan 31, 24 @ 1:28 pm:

    >>>If a certain biometric identifier is collected by the same employer in the same manner, only one violation would accrue. In other words, the liability faced by the business would accrue on a per-employee basis, rather than a per-collection basis.

    This sounds quite reasonable to me?

    Screw up with 500 employees in the same exact way, here’s 500 fines.


  2. - TheInvisibleMan - Wednesday, Jan 31, 24 @ 1:29 pm:

    –private entities must obtain written consent before collecting and storing biometric information–

    The solution to avoiding large financial penalties, is getting consent. That’s not a problem with the law.

    Yes, each time you do something without consent, it counts as an instance of doing something without consent.

    electronic signatures are already valid in all U.S. states and are granted the same legal status as handwritten signatures under state laws.

    There is nothing to fix here.

    Just.Get.Consent.


  3. - Suburban Mom - Wednesday, Jan 31, 24 @ 1:47 pm:

    Per-employee fines, rather than per-collection fines, won’t be high enough for employers to bother to comply. $1500 per employee is a cost of doing business, not a fine that gets the employer to change behavior.

    E-signatures would be a good clarification.

    But if they actually want to make BIPA more business-friendly, rather than completely defanging it, I could suggest a variety of technical changes to the law. For example, face-blurring is generally done algorithmically, which requires the algorithm to recognize a face is a face in order to blur it. This arguably falls within BIPA’s remit (there is a pending lawsuit on this point). Allowing privacy-protective technology like that to operate would go a lot farther towards protecting Illinoisians while reducing the regulatory burden on businesses.

    As I commented a couple of days ago, there are BIPA-clone bills that stand a good chance of passing this session in Vermont and Colorado. There are more BIPA clones in other states (with uncertain chances of passage). EU regulators and regulators in other parts of the world are copying BIPA. Illinois businesses are way ahead of the rest of the world on biometrics because BIPA forced them to be. The rest of the world is catching up, and BIPA-like regulations are going to be everywhere. Why would you throw away that first-mover advantage that our businesses already accrued?


  4. - Common Sence Reform - Thursday, Feb 1, 24 @ 3:21 pm:

    It is important to protect people’s biometric data, but Illinios’ BIPA law need revision. Here is the situation that led the Supreme Court to find White Castle liable for up to $17 Billion.

    1. An employee submits fingerprint data to employer (with written privacy consent)

    2. Employee checks into work using scan of finger print to match the finger print already collected (not a new finger print collection) - no written privacy consent

    3. Employee checks out of work for lunch using scan of finger print to match the finger print already collected (not a new finger print collection) - no written privacy consent

    4. Employee checks back into work just as before.

    5. Employee check out of work just as before.

    6. The employees data was never used for any other purpose and at all times remained anonymized and secure. No employees were hurt form any data breach.

    Under current interpretation of the law, the employee has violated BIPA 4 times in 1-day, incurring $1000 to $5000 fines for each instance. Multiply that by many employees over a long stretch of time and you have employers on the potential hook for millions or billions for a statutory violation that caused no real harm to anyone.

    The penalty far outpaces the sin. Senator Cunningham’s bill maintains a proper balance of compelling employers to protect biometric privacy (and very important goal because people can’t change their biometrics) and proportional fines that aren’t as the Supreme Court called “annihilative” to employers.


  5. - Concerned Consumer - Thursday, Feb 1, 24 @ 7:23 pm:

    Follow the money! BIPA was drafted in 2008 to keep a bankrupt company’s fingerprint records from being sold on the dark web. The intent was to punish real wrongdoing and that’s why it has tough penalties. After the Supreme Court found an “aggrieved person” was anyone who didn’t provide written consent, even though the person knew they were being fingerprinted, litigation floodgates opened. Not to protect people who didn’t provide consent – after all, they knew they were being fingerprinted. But rather to collect millions of dollars in attorneys’ fees! Check out where the money goes from class action settlements and individual BIPA suits.

    This proposed bill will not stop BIPA lawsuits. It just limits damages, but not attorneys’ fees. BIPA says you get attorneys’ fees even for technical violations that cause no harm. Attorneys will continue to file individual lawsuits or class actions – whichever they think will give them more money. So suits will continue, employer costs will rise, and we, the consumers, will have to foot the bill in the form of increased prices! Everyone forgets we end up paying for this!


  6. - Suburban Mom - Thursday, Feb 1, 24 @ 9:17 pm:

    CSR, you have made up a story about how you think the law works, what you think white castle did, and how you assume biometric scanners work, in order to exonerate White Castle and make the law seem unreasonable.

    Nothing in BIPA prevents an employer from getting a durable biometric consent for repeated collections for the same purpose (I suggest one year to my customers, and reupping it when you reup safety trainings or compliance trainings).

    Also, the data was quite obviously NOT “anonymized and secure.” The purpose of a biometric time clock is to identify that specific employee as the one clocking in or out. If the biometric time clock can’t do that, it’s just people randomly pushing a button and (for some reason) having their fingerprints repeatedly collected.

    There is also no way to irreversibly anonymize a fingerprint, which is the entire point of fingerprint scanners. (I suppose you could burn your fingerprints off, that would irreversibly anonymize the prints.)

    Data is also never fully secure. It’s always at risk. It might be adequately protected to provide an acceptable level of risk, but it’s never fully secure. Best practice is to assume all your data will eventually be breached — because it will be.

    Anyway, maybe don’t stan for fingerprint time clocks if you don’t have the first idea of how they work.


Sorry, comments for this post are now closed.


* Uber’s Local Partnership = Stress-Free Travel For Paratransit Riders
* Isabel’s afternoon roundup
* Showcasing The Retailers Who Make Illinois Work
* Some election news (Updated)
* Meanwhile… In Opposite Land
* Roundup: Former ComEd board appointee testifies about Madigan’s role in securing his seat
* This judge needs to be pulled off of domestic violence cases (Updated x2)
* Caption contest!
* Open thread
* Isabel’s morning briefing
* SUBSCRIBERS ONLY - Supplement to today's edition
* SUBSCRIBERS ONLY - Today's edition of Capitol Fax (use all CAPS in password)
* Live coverage
* Selected press releases (Live updates)
* Yesterday's stories

Support CapitolFax.com
Visit our advertisers...

...............

...............

...............

...............

...............

...............


Loading


Main Menu
Home
Illinois
YouTube
Pundit rankings
Obama
Subscriber Content
Durbin
Burris
Blagojevich Trial
Advertising
Updated Posts
Polls

Archives
November 2024
October 2024
September 2024
August 2024
July 2024
June 2024
May 2024
April 2024
March 2024
February 2024
January 2024
December 2023
November 2023
October 2023
September 2023
August 2023
July 2023
June 2023
May 2023
April 2023
March 2023
February 2023
January 2023
December 2022
November 2022
October 2022
September 2022
August 2022
July 2022
June 2022
May 2022
April 2022
March 2022
February 2022
January 2022
December 2021
November 2021
October 2021
September 2021
August 2021
July 2021
June 2021
May 2021
April 2021
March 2021
February 2021
January 2021
December 2020
November 2020
October 2020
September 2020
August 2020
July 2020
June 2020
May 2020
April 2020
March 2020
February 2020
January 2020
December 2019
November 2019
October 2019
September 2019
August 2019
July 2019
June 2019
May 2019
April 2019
March 2019
February 2019
January 2019
December 2018
November 2018
October 2018
September 2018
August 2018
July 2018
June 2018
May 2018
April 2018
March 2018
February 2018
January 2018
December 2017
November 2017
October 2017
September 2017
August 2017
July 2017
June 2017
May 2017
April 2017
March 2017
February 2017
January 2017
December 2016
November 2016
October 2016
September 2016
August 2016
July 2016
June 2016
May 2016
April 2016
March 2016
February 2016
January 2016
December 2015
November 2015
October 2015
September 2015
August 2015
July 2015
June 2015
May 2015
April 2015
March 2015
February 2015
January 2015
December 2014
November 2014
October 2014
September 2014
August 2014
July 2014
June 2014
May 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
October 2013
September 2013
August 2013
July 2013
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
October 2004

Blog*Spot Archives
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005

Syndication

RSS Feed 2.0
Comments RSS 2.0




Hosted by MCS SUBSCRIBE to Capitol Fax Advertise Here Mobile Version Contact Rich Miller