Security News > 2024 > August > Illinois relaxes biometric privacy law so snafus won't cost businesses billions
The US state of Illinois has reduced penalties for breaches of its tough Biometric Information Privacy Act.
The first version of BIPA, which came into force in 2008, prohibited orgs doing business in Illinois from acquiring, using, storing, and sharing people's biometric data - think retina scans, face scans, fingerprints, and voiceprints - by any means without proper disclosure and consent.
That updated law still covers the capture and usage of the above biometric data and includes the same penalties - but it now counts multiple distributions of data as one violation.
Alan L Friel, deputy chair of the Data Privacy & Cybersecurity practice at law firm Squire Patton Boggs LLP, criticized the change.
"The new amendment to BIPA makes a bad law slightly better," she added, but lamented the statute's very existence deters Illinois-based businesses from using biometrics.
"There are countless beneficial uses of biometric data, and overly burdensome laws like BIPA place costly barriers in the way of reaping these benefits," Johnson wrote, and argued that "A balanced federal data privacy law that preempts state laws like BIPA would protect biometric and all other forms of personal data without hindering innovation."