Illinois biometric data law a threat to businesses

Despite reforms, litigation continues over the country’s toughest such law.

Illinois’ biometric privacy law, widely considered the most stringent in the country, will continue to hamper business unless it is reformed or repealed.

Passed in 2008, the Illinois Biometric Information Privacy Act established long-reaching regulations on emerging data technologies such as fingerprint scans and voice recognition. Before collecting a person’s data, private entities must inform the person in writing, provide the purpose and duration of the data storage and get written consent.

Lawsuits under BIPA were rare for years. That changed in 2019, when the Illinois Supreme Court ruled in Rosenbach v. Six Flags that individuals can sue under the law without having to prove an actual injury. Thus a company can be held at fault for a technical violation (such as failing to get written consent) even if no identity theft or monetary loss has occurred.

The Rosenbach ruling led to a wave of class actions. Since 2019, more than 1,500 lawsuits have been filed under the act in Illinois state and federal courts. Examples of big settlements:

• In 2020, Facebook paid $650 million to resolve a BIPA class action alleging its facial-recognition photo tagging feature scanned Illinois users’ faces without consent.
• In a settlement approved in 2022, the parent company of TikTok agreed to pay $92 million settlement to end litigation over alleged unlawful collection of face and voice data through the TikTok app. Illinoisans were to get the largest share of the money.
• In 2022, Google settled an Illinois class action for $100 million over its Google Photos tool, which had used face-recognition to group similar faces without the explicit consent required by BIPA.

Employers across Illinois, ranging from trucking companies to cosmetic companies to hospitals, have faced BIPA litigation. Companies can face $1,000 in damages per person affected and $5,000 in damages per each BIPA provision violated.

In one positive for business, Illinois courts and the General Assembly have limited how many claims someone can file and how much time a person has to file a BIPA lawsuit.

Business also got a recent court win, with an April 1 decision of the 7^th U.S. Circuit Court of Appeals that one law firm says “significantly reduces exposure for companies facing BIPA cases.”

BIPA is largely considered the country’s most restrictive biometric data law. Only three other states (Texas, Washington, and Colorado) have such laws, and those focus on consent and don’t allow private lawsuits.

Tort payouts in Illinois totaled over $21 billion in 2022, equal to 2.1% of the state’s gross domestic product, according to an April 1 report from the U.S. Chamber of Commerce Institute for Legal Reform.

Legal restrictions on the number of claims someone can file and the deadline to file have not slowed BIPA litigation, with at least 100 class actions filed in 2025.

Repealing the act would allow businesses to safely implement different types of data technologies without the constant threat of a lawsuit.