Reforming the Biometric Information Privacy Act (BIPA) in Illinois: Protecting Privacy Without Punishing Small Businesses


Illinois’s Biometric Information Privacy Act (BIPA) was enacted with good intentions – to safeguard individuals’ biometric privacy, including fingerprints and eye scans. The protection of biometric data is crucial in an increasingly digital world, but the current state of BIPA raises concerns. Thousands of small businesses that utilize biometric technology are facing lawsuits under this law, with the most prominent case being White Castle, which potentially faces a staggering $17 billion in exposure. It’s essential to acknowledge that BIPA was established to protect people, but its poorly written provisions are causing unintended consequences. This essay will delve into the issues with BIPA and propose a reasonable reform to balance privacy protection and small business survival.

The Good Intentions Behind BIPA

BIPA was originally enacted to safeguard individuals’ biometric information from misuse or unauthorized access. Biometric data, such as fingerprints and eye scans, are unique identifiers that, if mishandled, could result in significant privacy breaches. Therefore, it is crucial to have laws protecting such sensitive information and holding those who misuse it accountable. However, the current implementation of BIPA has created a situation where small businesses are disproportionately affected.


The Problematic Application of BIPA

One of the major issues with BIPA lies in its overly punitive nature, particularly concerning small businesses. The heart of the problem is the requirement to provide a privacy notice each time an employee checks in and out of work using biometric data, such as a fingerprint scan. Failure to do so results in statutory violations ranging from $1,000 to $5,000 per instance, which can add up to crippling damages very quickly. 


It is important to emphasize that BIPA violations do not involve any harm to individuals. These violations stem solely from a lack of privacy notice at the time of data collection, not from any misuse or breach of biometric data. Imposing such punitive fines for minor administrative lapses places an undue burden on small businesses, potentially forcing some to close their doors.


A Sensible Reform Proposal

A more balanced approach to BIPA is needed, one that respects individuals’ privacy while preventing the annihilation of small businesses. A simple and reasonable reform could impose a fine on employers only at the initial collection of biometric data without a privacy notice, not each time after that when the employee checks in and out of work with a fingerprint scan. This approach acknowledges the importance of informing individuals about using their biometric data and ensures that privacy protection is upheld while preventing excessive fines for minor violations.


Illinois’ Biometric Information Privacy Act was crafted with the laudable goal of protecting individuals’ biometric data. However, its current application needs to be revised, particularly for small businesses. The excessively punitive nature of the law can lead to astronomical fines for minor infractions, jeopardizing the livelihoods of many. It is essential to reform BIPA to strike a more reasonable balance between privacy protection and the economic survival of small businesses. By implementing a fine only at the initial data collection, we can continue to safeguard people’s biometric privacy while fostering a more business-friendly environment that promotes economic growth and innovation. It’s time to ensure BIPA achieves its intended purpose without unintentionally harming the businesses it was meant to protect.