The long-awaited amendment provides immediate relief to corporate defendants from business-destroying liability
On August 2, 2024, Senate Bill 2979 went into effect, limiting available damages under Illinois’ Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”). Individuals can now only recover statutory damages once per type of violation. Previously, companies doing business in Illinois risked thousands of dollars in damages each time an individual’s biometric information was captured, collected, disclosed, redisclosed, or otherwise disseminated without their consent. The amendment further clarifies that “written release” related to biometric data can be obtained via electronic signature, making it easier for companies to obtain consent.
Senate Bill 2979 passed the Illinois Senate in April and the Illinois House in May. Governor JB Pritzker signed the bill on August 2, 2024, and it took effect immediately.
Illinois’ Groundbreaking Data Privacy Law
As background, BIPA became law in 2008 without much fanfare after being passed with unanimous support in the Illinois legislature. BIPA requires consent before a private entity can collect, obtain, or disclose biometric information. Protected biometric data includes fingerprints, voiceprints, eye scans, and scans of hand or face geometry. 740 ILCS 14/10. The law further requires private entities to create and publish policies on the use, retention, and destruction of biometric data, and prohibits companies from selling or profiting from biometric information. 740 ILCS 14/15.
BIPA has become the leading biometric data privacy law in the country due to its private right of action for injured individuals. 740 ILCS 14/20. BIPA provides for liquidated damages of $1,000 for negligent violations and $5,000 for reckless or intentional violations, plus attorneys’ fees and costs. Id. BIPA applies to all businesses and organizations with users, members, customers, employees, or operations in Illinois, regardless of size, except for government entities and certain financial institutions. 740 ILCS 14/10; 740 ILCS 14/25. Biometric data collected in healthcare settings can also be exempt. Id. Plaintiffs have five years to bring BIPA claims. Tims v. Black Horse Carriers, Inc., 2023 IL 127801.
Hundreds of BIPA lawsuits have been filed by plaintiffs in the past five years after momentous rulings by the Illinois Supreme Court expanding available recovery for BIPA violations. In Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, the Illinois Supreme Court clarified that plaintiffs need not prove actual harm or damages caused by a defendant’s actions to recover damages – mere violation of the law suffices. Since 2019, international public companies, particularly in the tech sector, have settled BIPA claims for tens or even hundreds of millions of dollars.
The risk of BIPA liability destroying companies became even more clear in 2022 when the first BIPA jury trial resulted in a $228 million verdict for plaintiffs. Rogers v. BNSF Railway Co., N.D. Ill. No. 19 CV 3083, Dkt. No. 225 (Oct. 12, 2022).
Illinois Supreme Court Invites BIPA Reform
The Illinois Senate took up Senate Bill 2979 months after the Illinois Supreme Court invited the legislature to reconsider damages available under BIPA in light of its “annihilative liability.”
In Cothron v. White Castle System, Inc., 2023 IL 128004, the Illinois Supreme Court ruled that BIPA damages accrued per injury, not per individual. The case involved a certified question from the Seventh Circuit after a White Castle manager brought a class action lawsuit in the Northern District of Illinois related to her employer’s alleged non-consensual use of fingerprint technology to access paystubs and computers from 2008 to 2018. Cothron argued that BIPA claims accrue every time a private entity collects or disseminates biometrics without prior consent, i.e., each time White Castle scanned an employee’s fingerprint or transmitted a fingerprint to their third-party vendor for verification. White Castle, on the other hand, asserted that BIPA claims accrue only once – when an individual’s biometric data is first scanned or transmitted without consent. White Castle raised policy arguments in favor of its position, including that per-violation damages (particularly those that involve daily biometric scans by numerous employees) could be business-ending; in this case alone, Cothron sought $17 billion in damages from White Castle.
The majority agreed with Cothron’s interpretation: under Sections 15(b) and (d) of BIPA, a separate claim accrues each time an entity scans or transmits an individual’s biometrics. The court acknowledged the concerns of White Castle and over a dozen pro-business amici that their per-violation damages holding could result in “astronomical” damages, but found the plain language of the statute required their interpretation.
While the Illinois Supreme Court had to follow the plain language of the statute, it noted that there was no evidence that the legislature intended BIPA to “authorize a damages award that would result in the financial destruction of a business,” and “respectfully suggest[ed]” that the legislature review BIPA’s damages provisions. 2023 IL 128004, ¶¶ 42-43.
Senate Bill 2979
In direct response to Cothron, the Illinois legislature took up Senate Bill 2979 in January 2024 to amend two provisions of BIPA.
First, the bill makes clear that for awards under BIPA Sections 15(b) and (d), when a private entity collects or obtains “the same biometric identifier or biometric information from the same person” – and disseminates or discloses that information to the same recipient when applicable – “using the same method of collection” in violation of BIPA, the private entity has “committed a single violation . . . for which the aggrieved person is entitled to, at most, one recovery[.]” Senate Bill 2979 (amending 740 ILCS 14/20).
Second, the bill amends BIPA Section 10 to make clear that written releases to use or transmit biometric data can be signed via “electronic signature,” making it easier for companies to obtain valid consents from their users, customers, or employees.
These amendments to BIPA have been in effect since August 2, 2024.
Future of BIPA Claims
This amendment provides significant relief for businesses facing BIPA liability. Consider, for example, a company of 100 employees that required its employees to clock in each day with an eye scan for a year without their consent. Assuming 260 workdays a year, that employer faced $130 million in per-violation damages if the violations are found to be reckless or willful. Post-reform, that same employer’s potential liability falls to just $500,000. Public Bill 2979 makes it more likely a small- or mid-sized company can survive a BIPA class action, and its passage can and should be used to defend against and settle ongoing BIPA lawsuits.
BIPA liability will continue to pose significant risk to companies that do business in Illinois. Plaintiffs continue to push the boundaries of BIPA liability through an increasingly expansive application of BIPA to new technologies, including AI and virtual try-on technologies. Companies with a high number of impacted employees or customers will continue to have multi-million-dollar damages exposure due to class size even if damages are limited by individual. Finally, the language of Public Bill 2979 does not state whether the bill applies retroactively to claims accrued before August 2, 2024. While the issue of retroactivity will be litigated in the near future, one of the bill’s sponsors indicated during floor debate that the law would not apply retroactively. Public Bill 2979 may thus have limited impact until the five-year statute of limitations tolls on pre-August 2024 BIPA claims.
Public Act 2979 is one of many bills considered by the Illinois legislature to amend BIPA; many pushed for amendment in light of concerns that BIPA makes Illinois unfriendly to business. Additional BIPA reform may be on the horizon.
Contact King & Spalding about biometric data collection and use practices to avoid BIPA liability, including review of BIPA-required biometric data retention and use policies, review of contracts with vendors providing biometric services or devices, and effective written consent policies.