LLMpedia: The first transparent, open encyclopedia generated by LLMs

Illinois Biometric Information Privacy Act

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Illinois Biometric Information Privacy Act
Enacted: 2008
Jurisdiction: Illinois
Citation: 740 ILCS 14
Status: in force

The Illinois Biometric Information Privacy Act is a 2008 Illinois statute that regulates the collection, use, and storage of biometric identifiers and biometric information, developed amid debates involving the National Institute of Standards and Technology, the American Civil Liberties Union, the Federal Trade Commission, the Electronic Frontier Foundation, and the Illinois General Assembly. The Act emerged during policy discussions influenced by litigation such as Loomis v. Wisconsin, regulatory activity by the U.S. Department of Commerce, and legislative responses similar to the California Consumer Privacy Act and the European Union General Data Protection Regulation. The statute intersects with technologies deployed by firms including Facebook, Inc., Google LLC, Amazon, Microsoft Corporation, Apple Inc., Clearview AI, NEC Corporation, IBM, and Accenture.

Background and Purpose

The law was introduced in the 95th Illinois General Assembly following advocacy from organizations like the ACLU of Illinois, the Illinois State Bar Association, the Illinois Attorney General, and civic groups echoing concerns from cases such as Carpenter v. United States and reports by the Electronic Privacy Information Center. Legislators cited incidents involving vendors such as Facebook, Inc. and technologies from NEC Corporation and Cognitec Systems while referencing standards from NIST Special Publication 800-63 and positions of the International Association of Privacy Professionals. The Act aimed to protect biometric modalities including fingerprints, retina scans, and facial recognition used by corporations like Bank of America, Walmart, Uber Technologies, and agencies such as the Chicago Transit Authority.

Key Provisions

The statute defines "biometric identifiers" and "biometric information" and prescribes notice, consent, retention, and destruction requirements, drawing parallels with regulatory frameworks like GDPR and statutes such as the California Consumer Privacy Act. It requires entities, ranging from Target Corporation to United Airlines, to obtain informed written consent prior to collecting identifiers, to establish a policy reviewed by counsel from firms like Sidley Austin or Kirkland & Ellis, and to implement reasonable safeguards inspired by guidance from NIST and ISO/IEC. The Act limits disclosure to third parties including vendors such as SafeGraph or Clearview AI without explicit consent, and imposes record-keeping duties similar to obligations under the Health Insurance Portability and Accountability Act when combined with health data handled by organizations like Kaiser Permanente.

Litigation and Case Law

Litigation under the Act featured high-profile plaintiffs and defendants including Facebook, Inc. and BNSF Railway Company, producing decisions from courts such as the United States Court of Appeals for the Seventh Circuit, the Northern District of Illinois, and the Supreme Court of Illinois. Notable cases referenced constitutional principles appearing in Riley v. California and evidentiary reasoning from Daubert v. Merrell Dow Pharmaceuticals, Inc. Key rulings addressed standing, statutory construction, and damages with involvement by firms like Akin Gump and judges associated with the United States Court of Appeals for the Second Circuit. Precedents influenced later matters involving Google LLC and startups like Clearview AI, and echoed issues from litigation such as Jones v. Parmley and In re Facebook Biometric Information Privacy Litigation.

Enforcement and Penalties

Enforcement mechanisms include a private right of action and statutory damages, with remedies ranging from injunctive relief to liquidated damages, comparable to enforcement in California Consumer Privacy Act suits and regulatory patterns from the Federal Trade Commission. Illinois Attorneys General and civil litigants have invoked the law against corporations including Walgreens Boots Alliance, Wal-Mart Stores, Inc., and Kroger, while defense teams from Skadden, Arps, Slate, Meagher & Flom and Jones Day argued about preemption and scope by referencing federal statutes like the Electronic Communications Privacy Act and the Stored Communications Act. Courts have debated damage calculations similar to disputes in AT&T Mobility LLC v. Concepcion and remedial frameworks discussed in Massachusetts v. EPA.

Impacts and Criticism

The statute prompted changes in corporate practice at companies such as Facebook, Inc., Google LLC, Microsoft Corporation, Walmart, and Bank of America, influencing biometric deployments by vendors like NEC Corporation and contractors to municipalities including the City of Chicago and the Los Angeles Police Department. Critics including technology firms, trade associations like the CTIA, and some academic commentators from Harvard University, Stanford University, and the University of Chicago argued the Act imposes compliance costs, stifles innovation in startups like Clearview AI and FaceFirst, and creates uncertainty reminiscent of debates over Section 230 of the Communications Decency Act. Supporters from civil liberties groups such as the ACLU and the Electronic Frontier Foundation maintain the law protects privacy rights highlighted in decisions like Carpenter v. United States and policy proposals by the European Data Protection Board.
