* Background is here if you need it. Press release…
In an effort to shield Illinois employers from costly lawsuits without rolling back the state’s strict digital privacy protections, State Senator Bill Cunningham filed Senate Bill 2979, which makes changes to the liability guidelines in the Biometric Information Privacy Act.
“Given the rash of cybersecurity breaches we hear about, Illinoisans should be proud that we have arguably the strongest digital privacy laws in the nation. However, our laws have not kept up with changes in technology, which has left some small businesses facing overwhelming financial liabilities,” said Cunningham, a Democrat who represents portions of Chicago and the Southwest Suburbs. “SB 2979 will keep the current privacy restrictions in place and hold violators accountable, as well as ensure businesses are not unfairly punished for technical violations of the law.”
Under BIPA, private entities must obtain written consent before collecting and storing biometric information, such as an employee’s fingerprint. If a business is sued for violating BIPA, they can be ordered to pay damages for each instance where biometric information is collected — even if they repeatedly collect the same information. This has led to situations where an employer can be ordered to pay millions in liquidated damages, and in a case involving White Castle, billions of dollars, because each collection counts as a separate violation. For instance, businesses that use digital fingerprinting systems for employee timekeeping often take swipes of each employee’s fingerprint multiple times per shift — like when the employee arrives for work, leaves for and returns from a lunch break, or checks out at the end of the work day. Under BIPA, each of those swipes can qualify as a violation of the law if the employee has not provided written consent, exposing the business to a minimum of $1,000 in damages every time a swipe is taken.
Cunningham’s bill would limit the number of claims accrued under that scenario should an employee bring a lawsuit against a company for a violation of BIPA. If a certain biometric identifier is collected by the same employer in the same manner, only one violation would accrue. In other words, the liability faced by the business would accrue on a per-employee basis, rather than a per-collection basis.
SB 2979 also modernizes the manner in which written consent can be granted to include the use of electronic signatures. The original BIPA legislation took effect in 2008 when electronic signatures were not widely used. Cunningham’s legislation clarifies that because using electronic signatures is a common practice to obtain consent, they can be used to comply with BIPA consent requirements.
“Dozens of legislative proposals to update BIPA have been offered in recent years, but most of those efforts have attempted to remove or narrow privacy protections that have been embedded in the law,” said Cunningham. “SB 2979 does not take that approach. Rather, it puts a common-sense formula in place to determine the amount of financial damages that must be paid for violations of the act.”
Senate Bill 2979 was introduced by Cunningham on Wednesday.
I’ll update if I hear back from business groups.
- Nick - Wednesday, Jan 31, 24 @ 1:28 pm:
>>>If a certain biometric identifier is collected by the same employer in the same manner, only one violation would accrue. In other words, the liability faced by the business would accrue on a per-employee basis, rather than a per-collection basis.
This sounds quite reasonable to me?
Screw up with 500 employees in the same exact way, here’s 500 fines.
- TheInvisibleMan - Wednesday, Jan 31, 24 @ 1:29 pm:
–private entities must obtain written consent before collecting and storing biometric information–
The solution to avoiding large financial penalties is getting consent. That’s not a problem with the law.
Yes, each time you do something without consent, it counts as an instance of doing something without consent.
Electronic signatures are already valid in all U.S. states and are granted the same legal status as handwritten signatures under state laws.
There is nothing to fix here.
Just.Get.Consent.
- Suburban Mom - Wednesday, Jan 31, 24 @ 1:47 pm:
Per-employee fines, rather than per-collection fines, won’t be high enough for employers to bother to comply. $1500 per employee is a cost of doing business, not a fine that gets the employer to change behavior.
E-signatures would be a good clarification.
But if they actually want to make BIPA more business-friendly, rather than completely defanging it, I could suggest a variety of technical changes to the law. For example, face-blurring is generally done algorithmically, which requires the algorithm to recognize a face is a face in order to blur it. This arguably falls within BIPA’s remit (there is a pending lawsuit on this point). Allowing privacy-protective technology like that to operate would go a lot farther towards protecting Illinoisans while reducing the regulatory burden on businesses.
As I commented a couple of days ago, there are BIPA-clone bills that stand a good chance of passing this session in Vermont and Colorado. There are more BIPA clones in other states (with uncertain chances of passage). EU regulators and regulators in other parts of the world are copying BIPA. Illinois businesses are way ahead of the rest of the world on biometrics because BIPA forced them to be. The rest of the world is catching up, and BIPA-like regulations are going to be everywhere. Why would you throw away that first-mover advantage that our businesses already accrued?
- Common Sence Reform - Thursday, Feb 1, 24 @ 3:21 pm:
It is important to protect people’s biometric data, but Illinois’ BIPA law needs revision. Here is the situation that led the Supreme Court to find White Castle liable for up to $17 billion.
1. An employee submits fingerprint data to employer (with written privacy consent)
2. Employee checks into work using a scan of a fingerprint to match the fingerprint already collected (not a new fingerprint collection) - no written privacy consent
3. Employee checks out of work for lunch using a scan of a fingerprint to match the fingerprint already collected (not a new fingerprint collection) - no written privacy consent
4. Employee checks back into work just as before.
5. Employee checks out of work just as before.
6. The employee’s data was never used for any other purpose and at all times remained anonymized and secure. No employees were hurt from any data breach.
Under the current interpretation of the law, the employee has violated BIPA 4 times in one day, incurring $1,000 to $5,000 fines for each instance. Multiply that by many employees over a long stretch of time and you have employers on the potential hook for millions or billions for a statutory violation that caused no real harm to anyone.
The penalty far outpaces the sin. Senator Cunningham’s bill maintains a proper balance of compelling employers to protect biometric privacy (a very important goal, because people can’t change their biometrics) and proportional fines that aren’t, as the Supreme Court called it, “annihilative” to employers.
- Concerned Consumer - Thursday, Feb 1, 24 @ 7:23 pm:
Follow the money! BIPA was drafted in 2008 to keep a bankrupt company’s fingerprint records from being sold on the dark web. The intent was to punish real wrongdoing and that’s why it has tough penalties. After the Supreme Court found an “aggrieved person” was anyone who didn’t provide written consent, even though the person knew they were being fingerprinted, litigation floodgates opened. Not to protect people who didn’t provide consent – after all, they knew they were being fingerprinted. But rather to collect millions of dollars in attorneys’ fees! Check out where the money goes from class action settlements and individual BIPA suits.
This proposed bill will not stop BIPA lawsuits. It just limits damages, but not attorneys’ fees. BIPA says you get attorneys’ fees even for technical violations that cause no harm. Attorneys will continue to file individual lawsuits or class actions – whichever they think will give them more money. So suits will continue, employer costs will rise, and we, the consumers, will have to foot the bill in the form of increased prices! Everyone forgets we end up paying for this!
- Suburban Mom - Thursday, Feb 1, 24 @ 9:17 pm:
CSR, you have made up a story about how you think the law works, what you think White Castle did, and how you assume biometric scanners work, in order to exonerate White Castle and make the law seem unreasonable.
Nothing in BIPA prevents an employer from getting a durable biometric consent for repeated collections for the same purpose (I suggest one year to my customers, and reupping it when you reup safety trainings or compliance trainings).
Also, the data was quite obviously NOT “anonymized and secure.” The purpose of a biometric time clock is to identify that specific employee as the one clocking in or out. If the biometric time clock can’t do that, it’s just people randomly pushing a button and (for some reason) having their fingerprints repeatedly collected.
There is also no way to irreversibly anonymize a fingerprint, which is the entire point of fingerprint scanners. (I suppose you could burn your fingerprints off, that would irreversibly anonymize the prints.)
Data is also never fully secure. It’s always at risk. It might be adequately protected to provide an acceptable level of risk, but it’s never fully secure. Best practice is to assume all your data will eventually be breached — because it will be.
Anyway, maybe don’t stan for fingerprint time clocks if you don’t have the first idea of how they work.