On May 16, 2024, the Illinois General Assembly joined the Illinois Senate to pass SB 2979, a bill that amends the state’s landmark Biometric Information Privacy Act (BIPA) by limiting the potential harms of the plaintiffs according to the law. Under SB 2979, a defendant who violated BIPA by repeatedly collecting the same plaintiff identifier will be liable for a single violation under the law. The amendment also clarifies that entities subject to the act can obtain the plaintiff’s written release (i.e., consent) through an electronic signature.
This bill appears to be a direct response to the Illinois Supreme Court’s ruling in Cothron v. White Castle System, Inc., in which that court “respectfully suggested(ed)” that the legislature review policy concerns regarding the potential for excessive BIPA damage awards. and “make clear your intention with respect to the assessment of damages under the Act.” Now the legislature has substantially reduced the damages available to BIPA plaintiffs by clarifying that a violation occurs only in the initial non-consensual collection of biometric data.
The remainder of this post provides additional background on BIPA and the new damages rule under SB 2979, along with some key takeaways for businesses subject to the law.
BIPA Background
When it became law in 2008, BIPA represented a milestone in the landscape of state data privacy laws. The law imposed strict new rules on how entities can use biometric information, such as fingerprints, eye scans, voice prints, and facial geometry scans. BIPA requires entities that process such biometric data to obtain the consent of an individual before collecting, obtaining or disclosing that data.
In particular, the law created a private right of action for plaintiffs who have been harmed by a violation of the BIPA. It also includes a statutory damages provision, allowing the prevailing party to recover $1,000 for each negligent violation of BIPA and $5,000 for each intentional or reckless violation. The prevailing party may also recover attorneys’ fees and costs.
Unsurprisingly, the law sparked a wave of privacy-related litigation. In 2023 alone, hundreds of BIPA cases were filed in state and federal courts. An important case that was decided last year was Cothron. There, the plaintiffs were White Castle employees who were required to scan their fingerprints every time they accessed their pay stubs and computers. For each scan, White Castle shared your fingerprint with a third-party provider for verification. The plaintiffs argued that each scan and share, which would total hundreds per year per employee, constituted a violation of BIPA. The Illinois Supreme Court sided with them, ruling that a BIPA violation accrues whenever an entity collects, captures, or otherwise obtains a person’s biometric information without consent. But, as noted above, the court also asked the legislature to clarify whether it intended to create the possibility of such gargantuan damage awards.
Senate Bill 2979
Under SB 2979, the legislature announced a new BIPA damages rule, repealing Cothron holding: “(A private entity that, in more than one instance, collects, captures, purchases, receives through commerce or otherwise obtains the same biometric identifier or the same biometric identifier or biometric information). information from the same person using the same collection method. . . has committed a single violation” according to BIPA and therefore “is entitled to, at most, one recovery.” In other words, only the initial non-consensual use of biometric data would give rise to liability under the BIPA.
While SB 2979 passed both houses of the legislature, it awaits the signature of Illinois Governor JB Pritzker. He is expected to sign the bill into law, but it is unclear when he will do so.
Key takeaways
Assuming it becomes law, SB 2979 has some important implications. First, because the legislature has substantially limited plaintiffs’ maximum recovery, BIPA defendants can exert more influence during settlement negotiations. Second, the plaintiff bar may reconsider its strategy for BIPA lawsuits, focusing on cases with a large number of single violations rather than many repeat violations. But SB 2979 also has an important caveat for defendants: It does not apply retroactively. BIPA violations that occurred before the law was passed will still be accrued under the previous rule. That means the steady stream of BIPA cases with large potential damage awards may not slow down anytime soon.
Keynote USA
For the Latest Local News, Follow Keynote USA Local on Twitter.