SPRINGFIELD – State lawmakers are considering changes to an internet privacy law that recently led to a $650 million settlement between Facebook and more than 1 million of the website’s users in Illinois.
A state House judiciary committee advanced House Bill 559 on Tuesday, March 9 a measure that would revisit the Biometric Information Privacy Act of 2008, known as BIPA, to include provisions which sponsors say will protect small businesses but detractors say will render the privacy law obsolete.
House Minority Leader Jim Durkin, R-Western Springs, introduced the bill, saying thousands of BIPA related lawsuits have been filed against big businesses and small businesses alike, hitting the “small guys” the hardest.
The bill advanced to the House floor on a 10-5 vote on March 9, with five Democrats opposed and one voting present. The committee vote in favor was bipartisan, although most of the support came from Republicans.
Durkin said he is concerned that the language of BIPA is outdated and that it has created a “cottage industry for a select group of lawyers to file class action lawsuits against big and small employers and nonprofit agencies.”
BIPA is one of the strictest privacy laws in the nation, and it became law at a time when some of the current day’s most ubiquitous technologies, such as the iPhone, were still new. It requires Illinois business owners that collect biometric information, such as fingerprints or face prints for facial recognition, to have certain policies in place for the collection, storage and use of this personal identification.
The business is required to notify the employee or customer and obtain a written release from the individual if biometric information is being collected. BIPA also states that the business is not authorized to disclose this biometric information to a third party without the individual’s consent.
If a private entity, which is defined as any individual, partnership, corporation, limited liability company, association or other group, violates any portion of this policy, the individual has a right to take legal action.
One of the major lawsuits, Rosenbach v. Six Flags, set a precedent for future BIPA lawsuits because of the Illinois Supreme Court’s ruling that a person can seek “liquidated damages” based on a technical violation of BIPA, even if there was no “actual injury,” according to the National Law Review.
Liquidated damages refer to penalties for breaking the BIPA law, which are numbered at $1,000-$5,000 in existing law depending on whether the offense was negligent, reckless or intentional.
In that case, a woman purchased a season pass to Six Flags Great America for her son, and his fingerprint was scanned to be used as a means to enter the theme park. At issue is that neither the woman nor her son were given written notice and they did not sign a written release for this biometric information to be collected or used, both of which are required under BIPA.
While there was no actual injury, the Illinois Supreme Court ruled in a unanimous decision that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”
Under HB 559, the “aggrieved party” must provide a 30-day written notice of a violation to the business or employer and the entity in violation must “cure” the violation within 30 days, otherwise they are subject to litigation.
“We think this is fair,” Durkin said. “This is what I believe is an appropriate balance between the rights of privacy and the employees, and also what I think is a fair shake for employers.”
Facebook is facing the $650 million class action lawsuit under BIPA because of a feature that utilizes facial recognition technology to suggest other users to tag in photos. It started with three different Illinois residents that filed suit against Facebook in 2015, and now includes nearly 1.6 million Illinois Facebook users that believe Facebook violated their rights under BIPA.
Clark Kaericher, vice president of the Illinois Chamber of Commerce, said despite the fact that most of the headline-making cases are against big companies, it’s mostly small companies in the state facing lawsuits.
“Since that case (Rosenbach v. Six Flags), we’ve seen an explosion,” Kearicher said. “As of last month, we were up to 1,076 cases filed, both open and closed, in a two year period here in Illinois alone.”
Notably, the Salvation Army, nursing homes, hospitals and other businesses have been targets of BIPA lawsuits as of late because of their timekeeping system that uses a fingerprint scan for clocking in and out to avoid wage litigation and timekeeping fraud.
According to BIPA, a claimant subject to a negligence violation is entitled to at least $1,000 in liquidated damages, up to the cost of actual damage, whichever is more. Penalties for intentional or reckless violation amount to the greater of $5,000 or actual damages. BIPA also provides that an individual can recover reasonable attorneys’ fees and costs, or other relief such as an injunction.
“It’s enough to put any small business into insolvency and we think that alone is reason to relocate this law,” said Kearicher.
HB 559 contains several changes to the original bill language, including allowing companies to receive “consent” for biometric data use instead of the “written release” required in the original bill, and it allows for the consent to be given through “electronic means.”
It would also change the penalty structure for damages. For negligence violations, it would remove the $1,000 liquidated damages penalty, limiting claimants in that category to reimbursement of “actual damages,” which are quantifiable repercussions of the violation of the law.
For “intentional or reckless” violations, the language would be changed to “willful” violations, and the $5,000 number for liquidated damages would be removed. Instead, claimants would be entitled to “actual damages plus liquidated damages up to the amount of actual damages.”
Advocates for the reform also argued that BIPA has innovation killing aspects, taking competitiveness away from Illinois businesses which worry about implementing new technology out of fear of BIPA’s liability.
Opponents are more concerned that the bill will render the existing law useless.
Sapna Khatri, advocacy and policy counsel for the ACLU of Illinois, noted that BIPA has been called the most effective and important privacy law in the country because of its simplicity.
“We are here because BIPA is working precisely as it was intended,” Khatri said. “This (new bill) is prioritizing corporate profits over personal privacy and granting companies wide latitude to collect and exchange our biometric information like currency. This is not a solution.”
Opponents to HB 559, such as Rep. Ann Williams, D-Chicago, and Rep. Jennifer Gong-Gershowitz, D-Glenview, argued that as technology advances, BIPA as it stands is imperative to protecting Illinois residents’ most personal private data.
“At a time when our neighbors and other states are modeling legislation around BIPA and issuing bans on the use of invasive biometric technology, like facial recognition, HB 559 presents a massive step back for Illinois,” Khatri said.