On May 16, 2024, the Illinois Legislature passed Senate Bill 2979 (SB2979), marking a significant amendment to how damages are calculated under the Illinois Biometric Information Privacy Act (BIPA).1 This amendment refines the scope of recoverable damages under BIPA such that damages arise on a per-person rather than a per-scan basis. SB2979 was passed a year after the Illinois Supreme Court ruled that a violation occurs each time a company swipes a person’s biometrics without consent. See our analysis of that case here.
BIPA remains a material source of risk for companies that collect biometrics even after the amendment from SB2979. BIPA violations open the door to statutory damages for merely technical violations the law. If calculated on a per-person basis, damages could be up to $5,000-$10,000 per class member. Large class sizes could therefore result in multi-million-dollar judgements.
Background
Biometrics are commonly utilized by companies for identity authentication, involving the scanning and retention of individuals' biometric data such as fingerprints. This data is then rescanned each time authentication is required, with only matching biometrics granting access. For instance, employers often use biometric scans for employees to clock in and out of work.
In a landmark decision last year, the Illinois Supreme Court ruled that each instance a company scans a person's biometric information without consent constitutes a separate BIPA violation—not merely the initial collection.
Specifically, in Cothron, v. White Castle System, Inc.,2 White Castle employees utilized finger scans to access paystubs and company systems, facilitated by a third-party vendor verifying each scan. White Castle had not obtained consent for the biometric scanning, leading to a class-action lawsuit by the affected employees. White Castle contended that BIPA violations occurred only at the point of initial biometric data collection. However, the Illinois Supreme Court disagreed, ruling that violations arise with each subsequent scan.
Currently, BIPA permits per-violation damages of $1,000 for negligent violations and $5,000 for intentional or reckless violations. White Castle’s BIPA’s noncompliance resulted in potential damage award of $17 billion. Prior to Cothron, recent judgments reached millions of dollars, for example, the jury found that BNSF Railway violated BIPA 45,600 times when they scanned fingerprints of their employed truckers and awarded the plaintiffs $228 million.3 If this ruling was decided after Cothron, the judgment may have been higher.
If signed into law by Governor Pritzker, SB2979 is poised to reduce damages available based on BIPA violations (which have already resulted in several settlements in the tens or hundreds of millions) and reduce plaintiffs’’ leverage in negotiation BIPA settlements. To illustrate the change, if SB2979 was in place at the time of the Cothron decision, White Castle’s estimated $17 billion penalty would have likely been closer to $10-$50 million.4
Key Provisions of SB2979
- Single Violation for Repeated Collection: A private entity that collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or information from the same person using the same method of collection more than once in violation of BIPA will be deemed to have committed a single violation. The aggrieved person would be entitled to one recovery under this section.
- Single Violation for Repeated Disclosure: A private entity that discloses, rediscloses, or otherwise disseminates the same biometric identifier or information from the same person to the same recipient using the same method of collection more than once in violation of BIPA will be deemed to have committed a single violation. The aggrieved person would be entitled to one recovery under this section.
This amendment seeks to mitigate the risk of "annihilative damages," where companies could face disproportionate penalties for repeated violations involving the same biometric data or disclosures to the same recipient. Should SB2979 become law, companies will generally face a one-time fine of $1,000 for negligent violations and $5,000 for intentional or reckless violations (and double given wrongful collection and disclosure), irrespective of how many times they collect or disclose an individual’s biometric information.
Additional Changes
Under BIPA, any entity gathering or obtaining biometrics must secure prior written consent from the individual. The amendment also clarifies that companies obtain consent electronically (an interpretation that many companies had already implemented).
Conclusion
SB2979 provides some relief to businesses by mitigating the severe financial risks posed by BIPA's stringent statutory damages. By limiting recoverable damages to a single violation per individual, regardless of repeated instances of biometric data collection or disclosure, SB2979 helps protect businesses from potentially devastating penalties. We hope that SB2979 represents the first of many BIPA reforms, as many companies would also benefit from clarifications that information is subject to the law only if capable of (and used to) identify a specific individual and remove of the bill’s statutory damages.
Footnotes
1 740 ILCS 14/1 et seq.
2 Cothron, v. White Castle System, Inc., 2023 IL 128004 (Feb. 17, 2023).
3 Richard Rogers v. BNSF Railway Company, 19 C 3083 (N.D. Ill. Jun. 30, 2023).
4 Democratic leaders poised to revisit Biometric Information Privacy Act after court rulings (capitolnewsillinois.com).
