Skip to main content
Front PageNews

Leading Business, Healthcare and Technology Groups Urge Reforms to Illinois’ Biometric Information Privacy Act Following Troubling State Supreme Court Decisions

March 2, 2023

Leading Business, Healthcare and Technology Groups Urge Reforms to Illinois’ Biometric Information Privacy Act Following Troubling State Supreme Court Decisions

Current Law Misused to Extort Businesses for Financial Gain

SPRINGFIELD – Leading business, healthcare and technology groups are calling on the General Assembly to enact reforms to the state’s outdated Biometric Information Privacy Act (BIPA) following recent Illinois Supreme Court decisions that leave companies vulnerable to massive financial damages and have a chilling effect on security, innovation and economic growth.

A coalition led by the Chicagoland Chamber of Commerce, Illinois Health Care Association, Illinois Health and Hospital Association, Illinois Hotel & Lodging Association, Illinois Manufacturers’ Association, Illinois Retail Merchants Association, Illinois Trucking Association and TechNet is urging immediate action by lawmakers. This includes updating the law to require proof that actual harm occurred to individuals before imposing fines; establishing a “notice and cure” period, which would allow businesses to address any potential issues in instances where there has been no actual harm; giving the Attorney General authority to provide companies with advisory opinions on whether or not their compliance efforts meet the requirements of the law; limiting the statute of limitations for legal action to one year; and rectifying the recent court decision that found every incident is a separate violation, resulting in exponentially higher awards.

In addition, businesses should be allowed to use biometric identifiers for routine human resources and recordkeeping purposes including timeclocks, as well as for security purposes such as managing access to controlled substances, preventing organized retail theft and other violent crimes, and accessing sensitive facilities, including electric plants and refineries. Legislators should also provide for electronic consent as well as “evergreen” consent, which would operate similarly to the federal Health Insurance Portability and Accountability Act (HIPAA) privacy rule, which allows a single waiver to encompass multiple instances in which information is shared.

BIPA first took effect in 2008, when biometric identifiers were just starting to be used in a variety of business, security, and industry settings. While technology has continued to improve since then, with businesses increasingly using biometrics to manage admittance to secure facilities, limit access to controlled substances, improve roadway safety, combat crime, modernize basic work functions, and better serve customers, the law has not kept pace with these advances. As a result, BIPA is routinely misused to extort businesses for financial gain while risking safety, security and diverting billions of dollars in economic investment.

“Illinois’ current BIPA law is outdated and flawed, resulting in thousands of lawsuits and billions of dollars in damages, even when there has been no harm to an individual. It’s time for lawmakers to put an end to this rampant abuse of the law and enact commonsense reforms that protect businesses while preserving privacy rights,” said Mark Denzler, President and CEO, Illinois Manufacturers’ Association.

“Since 2008 when BIPA was enacted, the way we live, work, and communicate has been transformed by innovation, yet the law has remained the same. We need a modern law that reflects what’s needed today and tomorrow, not yesterday,” said Tyler Diers, Executive Director of Illinois and the Midwest Region for TechNet, a bipartisan network of technology CEOs and senior executives that promotes the growth of the innovation economy. “We encourage lawmakers to reform BIPA in a way that helps our state’s businesses grow while ensuring consumers have access to the latest innovations, platforms, and services.”

In the 15 years since BIPA was enacted, more than 1,500 frivolous lawsuits have been filed by class action lawyers against manufacturers, retailers, hospitals, nursing homes, entertainment venues, hotels, and other businesses by claiming violation of employee or consumer rights even though there has been no harm to individuals, theft of identities or nefarious intent. Of those more than 1,500 lawsuits, the vast majority occurred after a 2019 Illinois Supreme Court decision in Rosenbach v. Six Flags, which held that a plaintiff need not demonstrate any form of harm beyond a violation of the law.

In recent weeks, the Illinois Supreme Court issued two additional rulings that exponentially expand the scope and costs of BIPA lawsuits. The first, Tims v. Black Horse Carriers, Inc., eliminated the possibility of a one-year statute of limitations for claims under BIPA, ruling that a “catchall” five-year statute of limitations applies to these cases, dramatically increasing the timeframe for which complaints can be brought. The second, Cothron v. White Castle, ruled that a claim arises each time data is collected rather than simply the first time. This means every violation may result in a fine of $5,000. For an employer who requires an employee to clock-in using their thumb, or to access prescription medicine in a healthcare setting, that could easily result in fines of more than $20,000 per day, per employee. In the White Castle case, it’s estimated the company could be fined as much as $17 billion.

“These sorts of fines will quickly add up for long-term care facility operators, which require employees to clock-in using their thumbprint multiple times a day to meet state and federally mandated quality of care standards,” said Matt Hartman, Executive Director of the Illinois Health Care Association, which represents long-term care facilities throughout the state. “With the addition of the lack of liability protections long term care providers have in Illinois, there is a real risk of facility closure and a significant impact on access to care if legislative revisions to BIPA are not made.”

“Without action from the General Assembly, hospitals providing critical front-line healthcare will struggle to afford costly legal action, even though that was not the original intent of this law,” said Karen Harris, Senior Vice President and General Counsel for the Illinois Health and Hospital Association. “We can and we must balance personal privacy concerns with the technology needed for daily healthcare and business operations to thrive and save lives.”

In addition to threatening the stability of healthcare facilities, the current law also raises public safety concerns. Cameras are routinely used in the cab of trucks transporting goods on roadways to monitor driver performance and ensure safe vehicle operation. But the recent legal rulings will make it difficult to continue these safety investments. It will also prevent the use of cameras to identify and apprehend criminals, including those participating in organized retail crime, which is usually performed by criminal groups with the goal of reselling stolen items to fund further illicit activities.

“The trucking industry invests $9.5 billion each year to keep our truck drivers safe and to keep the motoring public safe. In Illinois, BIPA deters trucking companies from investing in new safety technology that could make our roads even safer,” said Matt Hart, Executive Director of the Illinois Trucking Association.

“Illinois just put in place nation-leading measures to combat organized retail crime and go after ring leaders who use profits to fund dangerous crimes including gun, drug, and human trafficking. But without reforms to BIPA, we are taking two steps back in that fight and efforts to protect customers and team members,” said Rob Karr, President and CEO of the Illinois Retail Merchants Association.  “Balance has always been missing and the most recent Court action makes that crystal clear.”

Changes to BIPA should not come at the expense of privacy protections. It is already illegal to sell or trade biometric information, and those provisions should remain.

“For years, the Chamber has warned that this law would have dangerous unintended consequences. Failure to make these prudent updates will put businesses of every size and sector at risk for predatory lawsuits and jeopardize jobs and economic opportunity across the state,” said Brad Tietz, Vice President of Government Relations and Strategy for the Chicagoland Chamber of Commerce. “These lawsuits disproportionately impact small and midsize companies, as well as non-profits seeking to serve our communities, who simply can’t sustain these legal fees and keep their doors open. Illinois cannot afford continued state-sanctioned misuse of the law.”