BIPA Update: Illinois Limits Liability and Clarifies Electronic Consent for Biometric Data Collection

Go-To Guide:

Illinois legislature amends Illinois Biometric Information Privacy Act (BIPA or the Act) to provide that a company which collects the same biometrics multiple times from the same individual in violation of the law is liable only for a single violation. The change addresses a 2023 Illinois Supreme Court ruling that each individual scan was itself a violation, resulting in potential penalties of $1,000 or $5,000 for each scan. The amendment also confirms that electronic signatures satisfy the requirement that businesses obtain written consent before collecting or sharing biometrics.

On Aug. 2, 2024, Illinois Gov. J.B. Pritzker signed SB 2979 into law, amending BIPA in two ways: significantly limiting potential damages and updating the Act's definition of "written release" to include an "electronic signature."

Background

The Illinois General Assembly enacted BIPA in 2008 to protect the security and privacy of individuals' biometric identifiers and biometric information possessed by private entities. Under BIPA, biometric identifiers include retina or iris scans, fingerprints, voiceprints, or scans of hand or facial geometry. Biometric information comprises any information based on biometric identifiers used to identify an individual.

Since its enactment, BIPA has been the subject of widespread litigation. Many claims assert liability under Section 15(b), which forbids private entities from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person's biometric identifier or biometric information without prior written consent and disclosure of the purpose and length of term of collection, storage, or use of the data.

New Limitation on Damages

A prevailing plaintiff under BIPA may recover the greater of $1,000 for each negligent violation, $5,000 for each intentional or reckless violation, or actual damages. A prevailing party may also recover reasonable attorneys' fees and litigation costs.

Biometric systems often involve scanning biometric data to identify a user. For instance, employers may use biometric timeclock devices whereby employees scan their biometrics when they clock in and out of work. For years, parties disputed whether a Section 15(b) violation occurred each time someone scanned their biometric data into such a device without prior written consent, or only upon the initial collection of the data.

The difference in available damages under the competing views was potentially massive. For instance, an employee who has two biometric scans per day, five days a week, could have 500+ scans in a single year. If each scan is a separate violation, subject to up to $5,000 in damages per violation, then damages for a single employee could exceed $2.5 million. For a company with 1,000 employees, damages under BIPA could reach $2.5 billion in statutory damages for one year. Contrast that with damages totaling $5,000 per employee, or a total of $5 million, if damages were imposed only for the initial collection.

In 2023, the Illinois Supreme Court in Cothron v. White Castle Systems, Inc., ruled that Section 15(b) claims accrue and are subject to separate damages for each scantaken without written informed consent and that Section 15(d) claims, addressing the disclosure, redisclosure, and dissemination of biometric identifiers and biometric information without prior consent, accrue with each violative transmission. Cothron unlocked the possibility of financial ruin and bankruptcy for companies that had committed inadvertent, technical violations of BIPA, even where that plaintiffs did not suffer any actual damage.

After Cothron, the Illinois General Assembly passed SB2979, providing that a private entity that collects or discloses a person's biometric identifier or biometric information from the same person more than once in violation of Sections 15(b) or (d) commits a single BIPA violation, limiting the aggrieved party to a single recovery per individual. This legislative override of Cothron places guardrails around statutory damages for multiple scans of a single individual.

Written Release Update

SB2979 also updates the Act's definition of "written release" to clarify that an "electronic signature" is sufficient to secure a release under BIPA. The Act defines "electronic signature" as "an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record." This amended language resolves a contested issue in BIPA litigation and confirms that companies may procure releases in the form of, for example, a checkbox or other electronic confirmation.

Retroactivity of Limitation on Damages

The amended Act does not address whether it is to be applied retroactively, including to pending lawsuits. Under Illinois law, when statutory amendments are not explicit about retroactivity and do not have a savings clause, courts apply substantive amendments prospectively and procedural amendments retroactively.

As noted by the Illinois Supreme Court, "'procedural law' [is defined as] '[t]he rules that prescribe the steps for having a right or duty judicially enforced, as opposed to the law that defines the specific rights or duties themselves.' 'Substantive law' is in turn defined as '[t]he part of the law that creates, defines, and regulates the rights, duties, and powers of the parties."¹

Illinois courts have held that there is "no vested right in any statutory remedy" and an amendment "that affects merely procedures or remedies will ordinarily be applied to existing rights of action"² (emphasis added).

The Illinois General Assembly noted that SB2979 "[p]rovides that a private entity that more than once collects or discloses a person's biometric identifier or biometric information from the same person in violation of the Act has committed a single violation for which the aggrieved person is entitled to, at most, one recovery." Given this, we anticipate that defendants in pending BIPA lawsuits will argue that SB2979's provision limiting damages amends the "statutory remedy" under BIPA and therefore applies retroactively to existing matters. This question is likely to be subject to further litigation.

Conclusion

The amendment to BIPA has significantly changed the BIPA landscape, providing private entities who use biometric devices breathing room when facing BIPA litigation and considerably lowering the value of initiating a BIPA claim. Still, potential damages remain high for noncompliant companies, and the statute may apply even to unknowing or unintentional violations. Thus, companies should remain vigilant to ensure compliance.

¹Perry v. Dep't of Fin. & Prof'l Regulation, 2018 IL 122349, ¶ 70 (citation omitted)

²White v. Sunrise Healthcare Corp., 295 Ill. App. 3d 296, 300 (1998)

Public link

Please use the above public link if you want to share this noodl on another website.