Illinois legislature approves measure to amend state biometric privacy law

The Illinois House passed legislation aimed at reining in the potential for runaway damages under the state’s biometric privacy law Thursday, more than a year after the Illinois Supreme Court suggested the legislature revisit the law.

Illinois’ biometric privacy law, which the state legislature passed in 2008, requires companies to gain consent before they collect and store biometric information such as fingerprints or retina scans. It’s considered the strictest such law in the country, in part because it allows individuals to sue over alleged violations. Companies that have been caught in the law’s crosshairs include Facebook, which paid out a $650 million settlement over its facial tagging feature, and Google, which settled a case over its facial grouping tool on Google Photos for $100 million.

In February 2023, the Illinois Supreme Court suggested the legislature revisit the language of the law in a much-anticipated split opinion issued in a case involving fingerprint scanners used by employees at fast-food company White Castle.

In that case, the court ruled that damages under the law accrue each and every time a person provides their biometric information without prior informed consent. But in the majority opinion, the court acknowledged its reading of the statute opened the door to “potentially excessive” damages in Biometric Information Privacy Act cases and suggested the legislature revisit the language of the law.

The legislation passed Thursday amends the law to state that a violation of the act occurs — and damages under the law accrue — only once when an entity collects or discloses a person’s biometric information without consent, rather than every time.