This resource outlines BIPA legislation introduced in 2021, providing bill numbers, links, short descriptions, key sponsors, and each bill's legislative history.
The Illinois Biometric Information Privacy Act, in effect since 2008, is the first comprehensive biometric privacy statute in the United States. In recent years, BIPA litigation has significantly increased, revealed several enforcement challenges and given rise to numerous legislative initiatives.
In 2021, 11 BIPA-related bills were introduced in the 102nd Illinois General Assembly. At the moment, all of the bills were referred to assignments and were not heard by the 2021 deadline. However, these initiatives may be reintroduced in 2022 and considered during the next legislative session. In this regard, it seems helpful to track all these legislative initiatives and compare their key provisions.
As for the content of these introduced bills, nine of the bills aim to introduce several amendments to BIPA, such as expressly identifying the statute of limitations, eliminating or, at least, limiting recovery of damages, carving out some exemptions (e.g., processing biometric data for security purposes, keeping a record of an employee's work hours, etc.). Some bills abolish the private right of action and/or replace it with government enforcement procedures (i.e., enforcement by the Illinois attorney general and state attorney's offices or the Illinois Department of Labor). Additionally, two bills propose to repeal BIPA in its entirety.
Back in 2008, BIPA introduced various requirements on handling Illinois residents' biometric information (e.g., refraining from profiting from the processing of biometric information, obtaining written consent for collecting and storing biometric information, and developing a written policy, etc.). BIPA does not expressly identify its territorial scope and may significantly affect all entities processing biometric information of Illinois residents. The pivotal component of BIPA is the private right of action that allows an aggrieved person to sue for liquidated damages in the amount of (i) $1,000 for each negligent violation, (ii) $5,000 for each intentional or reckless violation.
In practice, among the most controversial issues are BIPA's broad scope and vague definitions, lack of an express limitations period as well as cure period, and unlimited possibilities of recovery of damages. For instance, recent BIPA-related cases (see, e.g., Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563) reveal a heated debate on whether a one-year or five-year statute of limitations period applies to BIPA claims.
In this regard, most current BIPA bills address these practical challenges.
Amends BIPA’s provisions regarding the private right of action and limits recovery of damages.
Overview of Key Provisions
Introduces a one-year period of limitation for actions brought under BIPA.
Introduces a cure period of 30 days (i.e., private action could not be initiated if the violation is rectified in 30 days upon receiving written notice of the violation.)
Limits recovery of damages to actual damages and attorney’s fees. Liquidated damages up to the amount of actual damages may be recovered only in case of a willful violation.
Sponsors/Authors
Sen. Terri Bryant
Legislative History/Status
Filed and introduced (first reading): Jan. 29, 2021.
Narrows the scope of BIPA, amends certain BIPA’s rigid procedural requirements (i.e., consent requirements, time frames, etc.), limits recovery of damages.
Overview of Key Provisions
Excludes “information derived from biometric information that cannot be used to recreate the original biometric identifier” from the definition of biometric information under BIPA.
The term “written release” is replaced with “written consent” and is defined as “informed written consent.” It provides written consent may be obtained by electronic means.
The written policy is required to be made available to the person from whom biometric information (rather than to the public).
Excludes companies whose employees are covered by a collective bargaining agreement and relevant data protection policies.
Mostly the same as HB0559, certain definitions and procedures are amended.
Overview of Key Provisions
Introduces the same amendments as HB0559 with the following amendments:
The definition of “written release” is amended by adding the clarification that written consent includes consent obtained by electronic means (unlike HB0559, the term “written release” remains).
Introduces accrual of BIPA claims (upon a person’s first use of the technology/upon the first disclosure or redisclosure of the person’s biometric identifier).
Introduces limitations regarding the collection and use of biometric information to detect or contain the spread of COVID-19.
Sponsors/Authors
Sen. Jason A. Barickman
Legislative History/Status
Filed and introduced (first reading): Feb. 19, 2021.
Replaces the private right of action by government enforcement procedures.
Overview of Key Provisions
Introduces the same amendments as HB0559, except provisions regarding the private action and enforcement are amended as follows:
Abolishes the private right of action.
The Illinois Department of Labor is authorized to enforce BIPA in case of violations resulting from collecting biometric information by an employer for employment, human resources, fraud prevention or security purposes.
The Illinois attorney general and state attorney’s offices are authorized to enforce BIPA in the case of violation of the Consumer Fraud and Deceptive Business Practices Act.
Introduces a one-year period of limitation for filing the complaint.
Sponsors/Authors
Rep. Jim Durkin
Rep. Dan Caulkins
Rep. Thomas M. Bennett
Legislative History/Status
Filed: Feb. 2, 2021.
Introduced (first Reading): Feb. 8, 2021.
Assigned to Judiciary-Civil Committee: March 2, 2021.
Limits recovery of damages by deleting provision on recovery of damages for each BIPA violation.
Introduces one-year period of limitation for filing the claim.
Continuing violations or violations of separate BIPA provisions are considered the same occurrence and subject to the one-year statute of limitations calculated from the date of the initial violation.
Provides that an employee may waive any BIPA violation after an explanation of rights.
Introduces an exemption for licensed operators of a facility collecting, storing, or transmitting biometric information.
Sponsors/Authors
Rep. Thaddeus Jones
Legislative History/Status
Filed and introduced (first reading): Feb. 19, 2021
Assigned to Judiciary-Civil Committee: March 16, 2021.
Assigned to Judiciary-Civil Committee: March 16, 2021.
Introduces the obligation to show actual harm, limiting recovery of liquidated damages, excludes timekeeping systems used by employers.
Overview of Key Provisions
Excludes “numeric algorithms created by a fingerprint, hand scan, facial geometry or retinal scan and used as part of an employer’s timekeeping system” from the definition of biometric identifier.
Excludes “organizations regulated by the Day and Temporary Labor Services Act” from the definition of a private entity.
Defines actual harm as “a realized or actual identity theft, realized or actual loss, or a realized or actual injury.”
Violations not resulted in actual harm do not fall under the scope of BIPA (i.e., solely subject to investigation and enforcement by the attorney general as violations of the Consumer Fraud and Deceptive Business Practices Act).
Reduces the amount of the liquidated damages to $250 (for negligent actions) and $500 (for intentional or reckless actions).
Liquidated damages are recovered only for the initial (rather than each) BIPA violation.
Introduces the following period of limitation for filing the claim: (i) one-year - if no actual harm occurred, (ii) three-years - if actual harm has occurred.
Amendments are supposed to apply retroactively (to Oct. 3, 2008).
Sponsors/Authors
Rep. Eva Dina Delgado
Legislative History/Status
Filed: Feb. 18, 2021.
Introduced (first reading): Feb. 19, 2021.
Assigned to Civil Procedure & Tort Liability Subcommittee: March 23, 2021.
Simplifies the use of biometric information for security purposes.
Overview of Key Provisions
Excludes “information captured and converted to a mathematical representation, including, but not limited to, a numeric string or similar method that cannot be used to recreate the biometric identifier” from the definition of biometric identifier.
Electronic communications are included in the definition of “written release.”
Introduces new definitions: “biometric lock,” “biometric time clock,” “electronic signature,” “in writing,” and “security purpose.”
It is enough to inform the subject or receive consent during the initial collection for the same repeated process of collecting the biometric identifier/information.
Waives certain procedural requirements relating to the collection of biometric information for security purposes.
Narrows the BIPA scope by excluding information captured by: (i) an alarm system installed by a licensed person; (ii) a biometric time clock, or (iii) a biometric lock that converts a person’s biometric identifier to a mathematical representation.
Requires the Illinois Department of Labor to include information regarding the BIPA requirements on its website.
Sponsors/Authors
Sen. Bill Cunningham
Legislative History/Status
Filed and Introduced (first reading): Feb. 24, 2021.
Simplifies the use of biometric information for security and HR purposes, grants the sole authority to enforce BIPA to the attorney general in instances of actual harm.
Overview of Key Provisions
Includes “electronic consent” and “electronic release” in the definition of “written release.”
Defines “security purpose” as “the purpose of preventing shoplifting, fraud, or any other misappropriation or theft of a thing of value, including tangible and intangible goods and services, and other purposes in furtherance of protecting the security or integrity of software, accounts, applications, online services, property, or any person.”
The attorney general and state attorney have the sole authority to enforce BIPA.
An action under BIPA may be brought only if a violation causes actual harm (unlike SB0602, actual harm is not defined).
Creates an exemption for employers using biometric identifiers/information for: (i) keeping a record of an employee’s work hours; (ii) a security purpose; (iii) facility access; or (iv) use by the HR department or HR employees of the employer. These exemptions are applied only if the employer retains the biometric identifier/information no longer than is reasonably necessary to satisfy a security purpose.
Sponsors/Authors
Sen. Bill Cunningham
Legislative History/Status
Filed and introduced (first reading): Feb. 26, 2021.
Senate Committee Amendment No. 2 Assignments Refers to Judiciary: April 13, 2021.
Resource Center / Web Conferences / Anticipating and preparing for changes in AI policy
Anticipating and preparing for changes in AI policy
Original broadcast date: August 2025
Register for Web ConferenceView all Web Conferences
From the AI Action Plan to Agentic AI, the rapid chan...
This article series analyzes the laws, policies, and broader contextual history and developments relevant to AI governance across different jurisdictions....
