Nearly one and a half years after the Illinois Supreme Court saddled businesses with the potential for massive damage awards under the state’s landmark biometric law, Governor J.B. Pritzker just signed into law amendments that will drastically reduce potential liability and provide businesses across the state a chance to breathe a sigh of relief. SB 2979, signed into effect Friday evening, amends the Illinois Biometric Information Privacy Act (BIPA) so that a separate claim no longer accrues each time a private business scans or discloses an individual’s biometric information or identifier without prior written consent, but instead accrues on a more conservative one-claim-per-person standard. Here’s what Illinois employers and companies doing business in the state need to know.

Reminder, What is BIPA?

The Illinois legislature passed BIPA in 2008 to regulate how private companies collect, use, and store biometric data, such as fingerprints, voiceprints, retina scans, and facial geometry. BIPA class actions and lawsuits against employers and companies began flooding the Illinois courthouses beginning in 2018, and thousands of companies have been sued under BIPA class actions. 

The class actions first predominantly targeted the use of finger or hand scanning timeclocks, but more recently have expanded to attack various other types of technology. This includes headsets, facial try-on technology, security cameras and systems, and cab cameras used in the transportation industry. Illinois businesses also have seen a rise of BIPA lawsuits targeting new technologies that use artificial intelligence (AI).

To comply with this state law, companies must provide informed, written consent before the capture, use, and storage of biometric information, as well as notice specifying the company’s data collection and retention practices. Damages for each negligent violation can amount to $1,000, with reckless or intentional violations potentially incurring $5,000.

Landmark Ruling Opened Doors Wide Open for Massive Damage Awards

In February 2023, the Illinois Supreme Court issued a landmark decision that stung businesses by greatly expanding the potential damages they could suffer for BIPA violations. The Cothron v. White Castle Systems ruling held that a BIPA violation accrued every time a person used biometric technology and scanned their biometric information. You can read a summary of this decision here.

While it relied on its interpretation of the statutory language, the Illinois Supreme Court made its second explicit call to the Illinois legislature to “review these policy and concerns and make clear its intent regarding the assessment of damages under the Act.” The dissent concluded that BIPA could subject Illinois businesses to “annihilative” damages and “punitive, crippling liability on corporations for multiple authentication scans of the same biometric identifier.”

Changes to BIPA

After these explicit calls for reform from Illinois’ highest court, as well as strong outcry from Illinois businesses and advocacy groups, the Illinois Legislature passed SB 2979 on May 17, and the governor signed it into law on the evening of Friday, August 2. The law provides two important amendments to the BIPA statute.

• The first and most significant change revises the accrual of statutory damages from a per-scan method of calculation to a more conservative per-person method. The amendment provides “an aggrieved person is entitled to, at the most, one recovery” regardless of the number of violations of BIPA's collection and disclosure obligations occurs. This means that, where employers repeatedly collect or disclose an individual’s biometric information using the same methods (such as using fingerprints to clock in and out of shifts), plaintiffs are limited to a single recovery of statutory damages.
• SB2979 also affirms companies can obtain valid consent from employees and individuals for purposes of satisfying BIPA’s informed consent requirement through electronic signatures. This resolves previous uncertainty surrounding companies’ collection of employee signatures on BIPA consent forms through the use of e-signature platforms such as DocuSign or Adobe Sign since the statute had used the term “written release” without further clarification.

Takeaways for Companies

The new BIPA amendment is welcome news for companies doing business in Illinois. Yet, the legislature did not specifically address whether SB 2979’s amendments apply retroactively, and that issue now will be litigated in the courts. Companies currently subject to pending BIPA class actions and litigation should review their defenses under this new amendment.

The bill also is unlikely to curtail the deluge of BIPA cases which have flooded Illinois courts in recent years. These cases, even with the more favorable damages standard provided the amendment, remain sources of high potential exposure for companies and employers across the state because businesses with large numbers of employees or customers still could face lawsuits by large putative classes. Therefore, companies should use the amendments as an opportunity to review their current biometric data practices to ensure compliance with BIPA.