CYBER RISK CLIENT ALERT: BIPA Cutbacks Stalled in Springfield - For Now.


In response to the Illinois Supreme Court’s ruling in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (actual harm is not required for standing under the Illinois Biometric Information Privacy Act), the Illinois legislature is now considering amending the statute, in part, by removing its private right of action.  

Illinois was the leader in enacting privacy protections for biometric data. Illinois is still one of only a few states to have such protections in place (along with Texas and Washington).  Arizona, Florida, and Massachusetts have proposed regulations to protect biometric identification, and California will have its biometric protections take effect on January 1, 2020. 

Only two states have followed Illinois in providing a private right of action for biometric identification privacy violations: Florida and California. Illinois, though, may be retreating. The Illinois Senate introduced SB 2134 in February 2019, one feature of which is to remove a private right of action.  In its place, violations of BIPA would fall under the Illinois Consumer Fraud and Deceptive Business Practices Act, vesting BIPA’s enforcement to the Illinois attorney general and providing a three-year statute of limitations.  Additionally, the amendment provides that if a BIPA violation occurs within the workplace, an employee or former employee may file a complaint with the Department of Labor within one year of the violation. 

This bill has most recently been re-referred to assignments, meaning the bill did not receive the requisite number of votes needed to move to the next phase for ratification. This bill, or something similar, will likely be proposed during the next session.  Illinois’ legislative session typically runs from January to the end of May.  However, there is also a two week session in the fall, during which time we may see progress on this Bill.

While the Illinois Senate is considering eliminating BIPA’s private right of action, the Illinois House is looking to expand BIPA to include “electrocardiography result from a wearable device” in HB 3024.  Presently, the proposal is less than clear on what would be considered a wearable device, leaving companies questioning whether they will be affected if this amendment were to go into effect.  The bill has most recently been re-referred to the rules committee after it did not receive enough votes to pass. 

Additional proposals limiting the protections of BIPA were made in the Illinois Senate (SB 3053) by excluding from BIPA’s reach a private entity’s use of biometric identification information when: (1) the information is strictly being used for employment purposes, (2) the private entity does not sell or share in any way the biometric identification information it collects, or (3) the private entity protects the biometric identification information in the same manner, or a more protective manner, than the manner in which it stores other confidential or sensitive information.  The bill has since been placed in adjournment sine die, meaning the legislative session ended and the bill did not pass.  Any further action on the bill is postponed till the next legislative session.   

It will be important for companies to monitor these amendments and any other legislation regarding biometric privacy. Segal McCambridge works closely with its clients to track the progress of legislative activity, not only in Illinois but across the United States, to ensure full compliance with BIPA and other privacy laws.

For further information regarding BIPA or privacy laws generally, contact Joseph Kish, or 312.644.3538.


Get Updates By Email

Blog Contributors