The US state of Illinois has reduced penalties for breaches of its tough Biometric Information Privacy Act (BIPA).
The first version of BIPA, which came into force in 2008, prohibited orgs doing business in Illinois from acquiring, using, storing, and sharing people's biometric data – think retina scans, face scans, fingerprints, and voiceprints – by any means without proper disclosure and consent. It also mandated that anyone using biometric data must have policies for protecting and deleting it.
Negligent violations of BIPA may cost law breakers $1,000 per instance per person affected. Intentional or reckless violations? Make that $5,000. That can add up to billions with enough people involved.
The amended version of BIPA was handed to Governor JB Pritzker in June and signed into law on Friday.
That updated law still covers the capture and usage of the above biometric data and includes the same penalties – but it now counts multiple distributions of data as one violation. If a business negligently sells the same person's data two, ten, or a thousand times, it would face just one $1,000 penalty for that one person, not multiples.
- Keir Starmer says facial recognition tech is the answer to far-right riots
- Car makers sold people's driving habits, location data for pennies, say US senators
- What does Google Gemini do with your data? Well, it's complicated...
- Meta to cough up $1.4B to end fight over 'unlawful' facial recognition of friends
Alan L Friel, deputy chair of the Data Privacy & Cybersecurity practice at law firm Squire Patton Boggs (US) LLP, criticized the change. Writing in the National Law Review, Friel opined the revised penalty regime "will be unwelcomed by plaintiffs' lawyers" as it "will significantly reduce the potential damages and lower the settlement value of BIPA claims."
But it'll make businesses happy.
The Information Technology and Innovation Foundation (ITIF) thinks such reductions are a good idea. A statement from the Foundation's senior policy manager Ash Johnson suggested "BIPA is a prime example of privacy legislation gone too far. With steep fines for even minor violations and a private right of action that has gone out of control, with multiple multi-million-dollar settlements."
"The new amendment to BIPA makes a bad law slightly better," she added, but lamented the statute's very existence deters Illinois-based businesses from using biometrics.
"There are countless beneficial uses of biometric data, and overly burdensome laws like BIPA place costly barriers in the way of reaping these benefits," Johnson wrote, and argued that "A balanced federal data privacy law that preempts state laws like BIPA would protect biometric and all other forms of personal data without hindering innovation."
One of the more notable BIPA suits was brought against Meta, for applying the names of six million Illinois residents to photos posted on Facebook. The number of times those photos appeared on Facebook was likely enormous – potentially meaning The Social Network was up for a $1,000 penalty for each view. Meta settled the matter for $550 million.
That is of course pocket change for Meta, which made $13.5 billion of net income in its last reported quarter, despite burning cash on AI and the metaverse.
BIPA isn't always an iron hammer for privacy advocates though. One Illinois citizen tried to sue McDonald's because its AI-powered drive thrus allegedly violated BIPA, tho the suit was dismissed in July 2023.
We reached out to Governor Pritzker's office for further comment. ®