Image: Patrick Tomasso via Unsplash/Photomosh

Why an Illinois law is at the center of Congress’ debate on new data privacy legislation

As lawmakers on Capitol Hill continue to negotiate federal privacy rules, many advocacy groups and Democrats are calling attention to an Illinois law as an example of how certain provisions can lead to critical reforms.

The law, known as the Biometric Information Privacy Act (BIPA), mandates companies that collect or obtain an Illinois resident’s biometric identifier — including fingerprints, faceprints, or iris scans — to alert that individual beforehand and get their consent in writing. Passed by the state legislature in 2008, the law has had an astonishing reach in part because it allows private citizens to individually sue companies for privacy violations.

The inclusion of a so-called private right of action in proposed federal privacy laws has become a battleground topic that could potentially keep such legislation from ever going into effect. Big tech strongly opposed the federal American Data Privacy and Protection Act (ADPPA) last year in large part because it included a limited private right of action, which the tech industry group NetChoice said at the time would encourage “abusive litigation.”

Privacy advocates, meanwhile, say they won’t support a version of the bill if it does not include a meaningful private right of action, which they assert is a critical enforcement mechanism when so many state and federal agencies lack the bandwidth to bring their own lawsuits — or, they allege, sometimes have been “captured” by industry.

The ADPPA didn’t advance to the House or Senate floor last year despite having overwhelming bipartisan support in the House Energy and Commerce Committee. Committee Chair Cathy McMorris Rodgers (R-WA) is now focused on recrafting the bill to be more business-friendly by potentially scaling back its private right of action element, according to two sources with knowledge of the effort and McMorris Rodgers’ own comments at a March committee hearing.

At the hearing, McMorris Rodgers called the private right of action a “tough nut to crack” and cautioned about potential abuse by “plaintiff attorneys who would rather laws be so stringent so businesses are more likely to be out of compliance in order to sue.” In fact, a private right of action may sink the ADPPA precisely because of how individual plaintiffs have succeeded at enforcing Illinois’ BIPA law and winning big settlements from businesses, according to one of the sources with knowledge of the negotiations underway among Energy and Commerce Committee Republican members.

“The Chair is apparently working through the provisions that are most controversial — preemption, private right of action — with the design of making them more business friendly, which probably means it will be DOA with the Dems,” the source said via email.

An Illinois law with global impact

Chicago-based lawyer Jay Edelson’s record of winning large settlements under BIPA’s private right of action has made him a derided figure among big tech companies. His firm holds records for the largest trial verdict in a consumer privacy case — $925 million — and the largest consumer privacy settlement ($650 million against Facebook, which shuttered its facial recognition system months after the settlement’s approval).

Edelson is both gregarious and fearsome. His firm's website notes his love of beach volleyball and “LA Law” — and boasts that The New York Times has called him a “baby-faced … boogeyman.”

He filed a class action BIPA lawsuit against Facebook in 2015, the first in what would become a series of landmark consumer privacy cases he has spearheaded. More recently, in 2020, Edelson teamed up with the ACLU to sue Clearview AI for building what the ACLU calls a “secretive tracking and surveillance tool using biometric identifiers.”

Clearview captured more than three billion faceprints from images available online, selling access to private companies and law enforcement, Edelson and the ACLU contend. The case was settled in May 2022.

In a prepared statement from its attorney, legendary First Amendment lawyer Floyd Abrams, Clearview said that the settlement “does not require any material change in the company’s business model or bar it from any conduct in which it engages at the present time.” The statement also said that Clearview does not “provide its services to law enforcement agencies in Illinois, even though it may lawfully do so.”

Edelson says that establishing strong biometric privacy norms is more important now than ever, given how the AI revolution will create more potential for private companies and law enforcement to track people through biometrics. He also pointed to last year’s Dobbs decision overturning Roe v. Wade as an example of how biometric identification is leading to troubling practices, including law enforcement tracking women crossing state lines to obtain abortions.

“When we started bringing the suits, it was a little bit more theoretical,” Edelson said in an interview. “Now it’s clear how prescient the Illinois legislature was.”

Edelson emphasized the power of the Illinois law to influence behavior affecting people globally, pointing to the Facebook lawsuit. The company maintained “enormous databases internationally, which captures a huge, huge percentage of people,” Edelson said. “And that’s really scary.”

A spokesman for Facebook did not reply to a request for comment, but the platform said in a November 2021 blog post that the decision to shutter its facial recognition system was “part of a company-wide move to limit the use of facial recognition in our products.” The post also said that as a result of the decision people who had opted in to facial recognition would “no longer be automatically recognized in photos and videos.”

Although many privacy advocates applaud Edelson’s lawsuits, they also attract criticism that has reached lawmakers in Washington as shown by McMorris Rodgers’ comments in March.

House Energy and Commerce Committee Chair Cathy McMorris Rodgers is recrafting the drafted ADPPA bill and might scale back its private right of action element. Image: YouTube

Carl Szabo, vice president and general counsel of NetChoice, a tech industry group whose members include Facebook, holds Edelson up as a perfect example of the abuses of BIPA by plaintiffs’ lawyers, saying that he “has been made incredibly rich because of this law.”

Szabo called BIPA one of the most litigated laws in existence and said that more than 750 lawsuits have been brought under it. As a result of BIPA, he said, biometric identification technology allowing, for example, doorbell cameras is not available to Illinois residents.

“It is safe to say that the privacy of Illinois residents is not better off,” he said, contending that BIPA’s main impact has been to strip Illinois residents of “technology that would help keep people safe and make their lives better.”

The Future of ADPPA

Last year’s stalled draft of the ADPPA bill included a so-called “right to cure,” under which companies could avoid lawsuits if they addressed alleged privacy problems within 45 days after a lawsuit was filed.

But many still worried the legislation would “open the door for expensive, frivolous lawsuits,” as the Information Technology and Innovation Foundation (ITIF) asserted at the time. (ITIF receives funding from Facebook, Google, Clearview AI and many Fortune 500 companies.)

An ITIF blogger wrote that since the only lawsuits individuals would be proceeding with under the ADPPA “are those that neither the FTC nor any attorney general decides to pursue, these are likely to be meritless.”

Privacy advocates say that characterization is ridiculous, citing the fact that both Washington state and Texas have biometric identification privacy laws on the books but have only brought two cases between them — one of which was against Facebook for obtaining biometric identifiers from user photos and videos. It followed the Edelson settlement and was not brought until last year.

BIPA is the “gold standard” for privacy legislation in large part due to its private right of action provision, said Hayley Tsukayama, senior legislative activist at the Electronic Frontier Foundation (EFF), a nonprofit focused on digital privacy and free speech. She said EFF will not support a comprehensive federal privacy bill unless it includes a substantial private right of action provision.

States’ attorney general offices normally don't have designated privacy departments, she said. Those that do are only staffed with a couple attorneys.

“They don’t have the bandwidth to pursue all the cases that even they would like to pursue,” Tsukayama said.

More than 10 states now have laws modeled after BIPA’s private right of action in development, said Chad Marlow, senior policy counsel at the ACLU. Maine is the furthest along, he said, but even right-leaning states like Kentucky have private right of action biometric privacy legislation underway.

Marlow said one of the reasons the BIPA model has caught on, besides the effectiveness of the private right of action, stems from the recognition that biometric identification information is uniquely worthy of privacy protections — something that resonates with people across the political spectrum.

He pointed out that unlike a credit card or even a Social Security number, “once you lose it, you can't get it back and you can't change it.”

Marlow called the Texas and Washington laws “barely worth the paper they're written on because they don't contain a private right of action.”

“There is a reason why technology companies and big tech have been fighting so hard to get rid of BIPA — either to challenge it with lawsuits, or to get the law overturned — and they've been doing this for over a decade,” Marlow said. “And the reason why they've been doing it year after year after year is because it works.”

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.