The Takeaway
The recently enacted amendment (SB2979) to Illinois’ Biometric Information Privacy Act (BIPA) significantly reduces the damages available under the statute. This amendment may also reduce the overall volume of BIPA class action litigation in Illinois. More concretely, the amendment limits the danger of catastrophic damages awards that could bankrupt smaller employers.
Background of the Act
In 2008, Illinois enacted the Biometric Information Privacy Act (BIPA) 740 ILCS 14. The stated intent behind BIPA is to limit safety and security concerns over the increased use of biometric-facilitated transactions. Given that biometric data is biologically unique to the individual, once compromised, it leaves the affected individual at a heightened risk for identity theft. Examples of biometric data protected by BIPA include fingerprints, hand scans, face scans, eye scans, and voiceprints.
To protect this biometric data, BIPA Section 15 imposes a variety of consent and notice requirements upon private entities. The Intent was to establish clear standards for how private entities should store and use consumer and employee biometric data. 740 ILCS 14/15.
Unintended Consequences of Initial Legislation
Since its passage in 2008, vagueness in the statutory language of Section 15 proved a consistent source of BIPA litigation. BIPA plaintiffs frequently allege that companies are collecting or disclosing their biometric data without following the requirements of Section 15(b) and 15(d), which govern collection and disclosure, respectively.
A significant amount of this litigation has been in class action suits. These actions frequently affect employers who utilize their employees’ biometric data. The most common example is the employer who uses fingerprint scanning to track when employees clock in and out of work. If the employer inadvertently violates BIPA, tens, hundreds, even thousands of employees could join a class action to resolve claims for violations of their biometric privacy.
In a 2023 decision [Cothron v. White Castle Systems, 216 N.E. 3d 918 (Ill. 2023)], the Illinois Supreme Court interpreted Section 15’s requirements to mean that each instance of unauthorized collection, storage, or use of biometric information without proper consent resulted in separate “per scan” damages. This meant that a private entity regularly using an individual’s biometric data without proper consent could be liable for hundreds or even thousands of BIPA violations per individual. Given that BIPA Section 20 allows prevailing plaintiffs to recover $1,000 for negligent violation and $5,000 for intentional or reckless violation, the Cothron v. White Castle decision generated concern that “per scan” damages could quickly add up and result in excessive damages awards against employers found in violation of the Act. Justice Overstreet voiced these concerns in his dissenting opinion, noting that the majority’s decision in Cothron would “lead to consequences that the legislature could not have intended,” namely “annihilative liability for businesses.”
The Remedy
In the wake of Cothron v. White Castle Systems, the Illinois legislature passed SB2979, which Governor Pritzker signed into law on August 2, 2024. SB2979 amends Illinois’ BIPA to eliminate the possibility of “per scan” damages. The amendment clarifies that if a private entity collects or discloses an individual’s biometric data multiple times, they have committed only a single violation of the Act. Therefore, an affected employee is limited to one recovery under Sections 15(b) and 15(d). Additionally, the Amendment clarifies that electronic signature is sufficient for a BIPA-compliant release.
- Associate