With so much focus on California’s Consumer Privacy Act, its Jan. 1 effective date, the proposed regulations implementing it, the revisions to those proposed regulations, and so on, it can be tempting to overlook another state privacy law that has been on the books for more than a decade: the Illinois Biometric Information Privacy Act (BIPA).

But this state law, enacted in 2008 to foster greater transparency and security regarding the collection and use of biometric data, has been generating some headlines of its own lately. Facebook had to pay $550M in a settlement related to it, Jumio recently settled a class action, and Google is facing a new one. Even as businesses scramble to comply with California’s law, the perhaps lesser known Illinois statute seems to be gaining traction in terms of litigation and settlements.

“The floodgates of cases will likely continue for the foreseeable future,” opines Joseph Moreno, a partner at the law firm Cadwalader. “The fact that more and more employers and companies are collecting biometric information such as facial recognition data, fingerprints, and voice scans means that BIPA’s reach will only continue to grow.”

What exactly is BIPA?

BIPA “aggressively” requires organizations to “advise individuals of the fact that their biometric data is being collected, to acquire consent to collect that data, to prevent that data from being sold, and to take steps to protect that data,” explains Jason Schwent, senior counsel at the law firm Clark Hill.

Put simply, the Illinois law “requires several delineated things with respect to compliance,” says Jeffrey Rosenthal, a partner at the law firm Blank Rome. Think “a privacy policy, notice, written release/consent, and reasonable security practices,” he continues.

So-called “biometric identifiers” such as retina scans, fingerprints, and face scans are subject to the Illinois law. A private right of action provision in the statute allows any person “aggrieved by a violation” of the law to file suit and to recover damages of at least $1,000 for negligent violations and $5,000 for intentional ones.

More limited than the CCPA

Still, the Illinois law seems not to generate publicity the way the California Consumer Privacy Act has. Part of the reason stems from the Illinois law’s more limited scope. While some businesses collect biometric data, “just about all” of them collect personal information, observes Joseph Lazzarotti, leader of the Privacy, Data and Cybersecurity Practice Group at the law firm Jackson Lewis. “Although there are some limitations on the CCPA’s reach, California’s privacy law will reach many more businesses” than the Illinois biometric data privacy law does, he explains.

Even so, the regulated community probably would be well-advised not to disregard the Illinois law. “I suspect most organizations did not expect that the failure to maintain a policy concerning the collection of biometric information, for example, without any actual harm would permit a person to recover $1,000, at a minimum,” Lazzarotti says.

Interestingly, BIPA “does not seem to have significantly curtailed companies’ desire to collect or use biometric data,” says Ana Tagvoryan, a partner at Blank Rome. “Rather, the impact is seen mostly with respect to how companies collect and use data,” such as by providing notice and obtaining consent before any such data is collected, she continues.

The law’s reach has turned out to have been more extensive than some may have anticipated. “Many companies—especially in the technology sector—have been targeted for allegedly violating Illinois’ biometrics law even though they maintain no physical presence [or] operations within the state,” Rosenthal notes.


“One of the leading causes of litigation in this area are fingerprint timeclocks—which prevent employees from clocking in for one another like in the good-ole days,” Schwent says. The time clocks “are provided by vendors who collect the data and process it on behalf of” a business, he explains.

Businesses and vendors “are being sued for failure to adequately provide notice and protection of that biometric data,” Schwent reports. This, in turn, is forcing companies to “question whether they need the biometric time clocks” in the first place. To the extent that they can, some businesses are also putting “the responsibility and liability for properly collecting and storing this information” on vendors, he says.

More states join in

At the very least, BIPA “has been effective—both inside and outside Illinois—in raising awareness about the treatment of biometric data,” says Tagvoryan. Indeed, the Illinois law inspired other states to pursue their own biometric privacy laws.

Texas and Washington have similar biometric laws, Lazzarotti notes. “But that is not the end of the story,” he cautions.

“The CCPA has provisions affecting biometric information,” Lazzarotti points out. In addition, “many state data breach notification laws include biometric information in the definition of personal information,” he says. An entity collecting biometric data that isn’t covered by the Illinois law may well be covered by another one.

What CCOs need to know

At bottom, “regardless of industry and size, companies must understand the impact of digital breadcrumbs being generated deliberately or inadvertently,” says Andy Gandhi, a managing director at Alvarez & Marsal Disputes and Investigations. “Right sizing compliance is important,” he continues.

Smaller organizations need to make an effort to understand the biometric information they are using, how it is used, and where it is kept (on local hardware or in the cloud), Gandhi suggests. “Additionally, they must make sure they are aware of the security risks of losing that information, and that they have consent from the employees for what it’s being used for (e.g. time keeping only, vs. selling to a third-party).”

Ultimately, larger outfits need more comprehensive data governance programs so they “know where any data is at all times, how it’s being used, and if they have adequate protections in place for that information,” Gandhi says. The cost of compliance should “not be treated as a compartmentalized cost for each regulation,” he explains. “Once there is a mature data governance program, it can address all privacy regulations.”

Lori Tripoli is a writer based in the greater New York City area who focuses on legal and regulatory issues.