On August 5, 2024, Illinois Governor J.B. Pritzker signed into law SB 2979, significantly amending the state’s Biometric Information Privacy Act (BIPA). This update represents a considerable decrease in the potential for exorbitant financial liabilities for businesses that engage with biometric data while still maintaining the statute’s robust protections for individuals’ biometric data. The amendment went into effect immediately.
Most significantly, SB 2979 redefines the scope of potential liability from $5,000 per collection or disclosure to $5,000 per individual. Previously, the Illinois Supreme Court held that BIPA’s framework allowed for each biometric data interaction—such as a fingerprint scan—to be treated as a separate infraction, potentially resulting in overwhelming cumulative penalties. This ruling raised the financial stakes associated with BIPA violations considerably, particularly within employment settings. SB 2979 consolidates these infractions by treating the initial collection of biometric data as a singular violation, irrespective of the number of collections or disclosures. This change aims to strike a balance of commercial and individual interests, reducing the threat of existential judgments against businesses while preserving the law’s core protective measures.
The amended law does not apply retroactively, and thus it will not influence any pre-existing litigation. This element of the amendment addresses concerns from numerous industry stakeholders who have faced extensive legal challenges and significant settlements under the original BIPA provisions.
In addition to narrowing the potential for damages, the amendments modify the definition of “biometric identifier” to exclude certain types of biological and medical data. The revisions also make clear that an “electronic signature” is valid for obtaining written consent.
Despite these business-friendly adjustments, BIPA continues to empower Illinois residents with a private right of action, a unique feature not commonly found in similar laws across other states. Businesses must still secure written informed consent before collecting biometric data, and they must still adhere to stringent data protection and storage policies.
[View source.]
