About 90 minutes into Mark Zuckerberg's testimony on Capitol Hill on Tuesday, in which the Facebook CEO was grilled on the social media company's privacy practices, U.S. Sen. Dick Durbin, D-Illinois, gave a shout-out to his home state's Biometric Information Privacy Act, or BIPA—a law governing the collection and storage of biometric indicators like fingerprints, facial features and iris scans.

“We're now in a fulsome debate on that,” said Durbin, referring to proposed legislation in Illinois to roll back portions of the law. “I'm afraid that Facebook has taken the position of trying to carve out exceptions to [BIPA]. I hope you'll fill me in on how that is consistent with protecting privacy,” Durbin said.

Durbin's pro-BIPA commentary came as a committee of the Illinois state Senate prepares to hold a hearing Thursday on proposed modifications to the state law.

Critics including the Illinois Chamber of Commerce claim the law has prompted a spate of litigation against Illinois business, especially as workplace fingerprint scanners become more commonplace. The proposed changes would allow companies to collect biometric data without consent so long as they protect it in the same way they handle other sensitive data. The changes would also limit claims under BIPA to those using biometric data for commercial purposes, and exempt companies using biometrics for security purposes.

“We've got members who are being sued and they're coming to us saying, 'What the hell is this thing?'” said Tyler Diers, the director of legislative relations for the Illinois Chamber. Diers said that as of December 2017 he had counted nearly 40 private lawsuits targeting Illinois business over fingerprint scans alone. He noted that while Texas and Washington have followed suit with their own biometric laws since BIPA was enacted in 2008, those laws don't include a private right of action.

“Other states that have followed our lead seem to let employers use this technology without being subject to” a wave of litigation, he said.

Patrick Castle, an associate at Shook, Hardy & Bacon who also has been tracking BIPA litigation, said that the current wave of suits fall “pretty far away” from the original intent of the law: to govern how biometric identifiers were used in conducting financial transactions.

Castle pointed out that defendants landed a significant win in BIPA cases from an Illinois appellate court in a case called Rosenbach v. Six Flags Entertainment. There the Second District Appellate Court of Illinois held that plaintiffs must allege “actual harm” to get BIPA claims to stick. The plaintiffs in the Six Flags case are seeking review from the state's high court. Castle said that the proposed legislation would go a step further than the appellate court to make it “more difficult for creative plaintiff lawyers from coming up with clever things to allege to get past motion to dismiss” and nudge defendants into settlement talks.

The proposed changes could also potentially have an outsized impact on Facebook. The company faces class action lawsuits in federal court in San Francisco claiming that Facebook violated BIPA with its “tag suggestions” function, which prompts users to identify friends in pictures uploaded to Facebook. Facebook faces significant potential exposure since BIPA carries statutory damages of $1,000 for negligent violations, and $5,000 for those that are “intentional and reckless.”

Facebook declined to comment on the pending legislation.

Adam Schwartz, a senior staff attorney with Electronic Frontier Foundation, a BIPA proponent, said that the proposed changes would “effectively gut” BIPA and likely sidetrack the Facebook litigation, which is currently set for trial in July before U.S. District Judge James Donato of the Northern District of California.

“It's an ironic moment here, when all eyes are turned on congressional hearings on data privacy, here in Illinois people are trying to reduce data privacy,” Schwartz said. “It's the wrong direction.”