Reforms in 2024 to Illinois’ Biometric Information Privacy Act may have slowed the frequency and severity of litigation, but there remain significant consequences for violation of the law.
Insurance Journal was able to ask expert Jason M. Rosenthal of Chicago-based Much Shelist, P.C. some questions about developments in the legislation, litigation trends, and best practices for companies.
You’ve been speaking about and advising companies on the Illinois Biometric Information Privacy Act for quite some time. In 2025, what is the single most important thing for companies in Illinois to keep in mind?
Compliance. Compliance is not difficult, but it is important. Companies need to understand the law and the requirements for collecting or using biometric information of various types. Just as non-Illinois companies operating in Illinois need to be aware of BIPA’s requirements, Illinois companies must also stay informed about privacy laws in other jurisdictions in which they operate or otherwise do business.
In 2024, there were some court rulings and new amendments to BIPA. Do any of those legislative changes apply retroactively? If so, to what extent will insurance companies be on the hook to pay damages? [This last question is unrelated to the issue of retroactivity]
Whether certain changes apply retroactively is still an ongoing issue in the courts. The biggest question is whether the amendment clarifying that repeated biometric data collection violations constitute a single violation for each plaintiff applies retroactively. Recently, different judges have reached different conclusions as to whether amendments apply retroactively, and the Illinois Supreme Court may ultimately need to decide the issue. Additionally, some judges have ruled differently on the same insurance coverage issues related to BIPA claims.
Are you anticipating more, less or the same amount of litigation around these issues in 2025?
There has already been a decline in the filing of BIPA cases, and I expect that decline to continue as more companies bring themselves into compliance. Most companies now are, or should be, familiar with BIPA, and the risks of non-compliance. That said, statutes like the Telephone Consumer Protection Act (TCPA) have been in place for decades. This statute governed the unauthorized sending of blast faxes. Despite the wide publicity of these cases and significant consequences of non-compliance, let alone the downturn in the use of facsimile machines, TCPA lawsuits are still occasionally filed. So, we will likely continue to see BIPA lawsuits in the years to come.
Do you foresee any major shifts in BIPA litigation in the next year?
I expect that this litigation should continue to subside; unless, of course, plaintiffs’ lawyers develop new, creative ways to argue non-compliance and companies fail to take proactive steps to ensure the proper consent documents are in place.
Are there any current cases you’re tracking that would have an impact on BIPA litigation and insurance coverage?
The question of whether the 2024 amendments apply retroactively is currently working its way through the courts, with likely further rulings expected in 2025. Additionally, litigation may continue over what constitutes biometric information under the statute and whether it applies. Most insurance policies now include express exclusions for biometric claims.
What steps can companies in Illinois take to ensure full compliance?
Contact appropriate legal counsel. It is important not only to have proper compliance in place, but also to understand what constitutes biometric information in the first place, and when compliance is necessary.
What are some common missteps you see companies take that could put them in serious risk?
A big misstep is failing to understand what constitutes biometric information and when the statute applies. Many of the original BIPA cases involved timeclocks, but those cases have dramatically decreased. Now, plaintiff-side class-action lawyers are becoming more creative in finding purported instances where companies are collecting or using biometric information, which may not be readily apparent. Thus, companies need to consider whether any information they are using could potentially fall within the ambit of the statute.
BIPA impacts Illinois companies, but why should companies in other states pay attention to what’s happening here?
Despite the arguably poor rollout of BIPA, other states are also enacting new laws governing privacy, including the use of biometric information. Many companies located outside Illinois but with operations in the state were caught off guard by the statute applying to their businesses. As more and more states—and even countries—enact privacy laws, companies must understand the laws in the jurisdictions in which they are doing business. Again, BIPA applies to companies acting in Illinois, regardless of whether they are an Illinois corporation or whether they are located here.
Topics Lawsuits
Was this article valuable?
Here are more articles you may enjoy.
EEOC Targets 20 Big Law Firms With Demand for DEI Data 
New DOJ Antitrust Chief Builds Team From Prior Administrations 
State Farm, Consumer Group Battle Ahead of Calif. Insurance Commissioner Decision 
California Insurance Commissioner Provisionally OKs State Farm’s 22% Rate Request 
