At a Glance

• Illinois Gov. Pritzker has signed an amendment to BIPA that caps liability for the most commonly asserted and extortionate BIPA claim — lack of consent required by Section 15(b) to the collection of one’s biometrics — to one “violation” per person.
• With statutory damages per violation capped at $5,000, exposure for class claims remains significant, but no longer potentially annihilating, and exposure for individual claims/demands is reduced to nuisance value.
• The amendment also clarifies that a person’s electronic signature constitutes a valid “written release” under the law — arguably unneeded given the federal E-SIGN Act and the Illinois Uniform Electronic Transactions Act.
• The amendment will complicate removal of BIPA cases under the Class Action Fairness Act, but otherwise is a significant victory for businesses in Illinois.
• The amendment applies retroactively based on the straightforward application of Illinois law, but we expect the issue to be disputed by the plaintiffs’ bar given the impact on BIPA case value.
• The amendment is consistent with a nationwide uptick in legislative and regulatory activity targeting biometrics.

On August 2, 2024, Illinois Gov. J.B. Pritzker signed into law an amendment to the Biometric Information Privacy Act (BIPA), which will limit defendants’ exposure to liability on a “per scan” basis and clarify that electronic signatures constitute a valid “written release” under the statute. See Public Act 103-0769. While private entities still face significant class action risks for violations of BIPA, companies are unlikely to see lawsuits and demands asserting individual claims under BIPA premised on a lack of consent to the collection or sharing of biometric data.

Background

BIPA prohibits private entities from collecting, capturing or otherwise obtaining a person’s biometric identifier or biometric information (biometrics) without a prescribed form of informed written consent. See 740 ILCS 14/15(b). BIPA also requires companies in possession of biometrics to develop a publicly available written policy for retaining and destroying biometrics (14/15(a)) and to implement security standards for the storage of biometrics that are consistent with industry best practices and the treatment of similarly sensitive information (14/15(e)), and prohibits companies in possession of biometrics from selling, leasing, trading, or otherwise profiting from biometrics (14/15(c)) or from disclosing biometrics except in limited circumstances (14/15(d)).

In recent years, BIPA has been a source of significant class action litigation. Pro-plaintiff decisions from the Illinois Supreme Court have held that no actual harm is required to state a claim; that a five-year statute of limitations applies to all BIPA claims; and that a BIPA claim under sections 15(b) and 15(d) accrues with each scan or collection of biometrics, not just on the first scan. These interpretations of BIPA have led to a surge in lawsuits and significant financial risks for businesses, including some settlements in the hundreds of millions of dollars.

“Per Scan” Violations

Last year, the Illinois Supreme Court decided Cothron v. White Castle Systems, Inc., 2023 IL 128004, ¶ 1 and held in a 4-3 opinion that “a separate claim accrues under the [BIPA] each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d)” of the Act. The majority’s holding prompted Justice Overstreet to write in dissent that the court’s “per-scan interpretation of the Act . . . authorized exorbitant damages awards threatening financial ruin for some businesses.” Id. at ¶ 82 (Overstreet, J., dissenting). Seeming to agree with this view of the dissent, while persisting in its interpretation of BIPA, the majority explained that “policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature” and closed by “respectfully suggest[ing] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.” Id. ¶ 43.

This spring, the Illinois legislature did so.

Under the amendment signed by Gov. Pritzker, “a private entity, that in more than one instance” violates Sections 15(b) or 15(d) “has committed a single violation . . . for which the aggrieved person is entitled to, at most, one recovery” under the applicable section of BIPA.

Electronic Signatures

BIPA prohibits private entities from collecting, capturing, purchasing or receiving through trade a person’s biometrics unless the private entity “receives a written release executed by the subject of the biometric[s]” (740 ILCS 14/15(b)(3)) (emphasis added). The new amendment clarifies that electronic signatures are enforceable means of satisfying the “written release” requirement of the law. This is an unnecessary clarification that nevertheless appears to reduce the plaintiffs’ bar’s ability to challenge the sufficiency of consent.

BIPA was adopted in 2008 before widespread use of electronic signatures. Even in 2008, however, electronic signatures were recognized as binding under both federal law via the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act)) and under Illinois state law via the Electronic Commerce Security Act (ECSA) (which was repealed and replaced in 2021 with the Illinois Uniform Electronic Transactions Act (UETA)). Thus, prior to this recent amendment, any electronic consent process that complied with the requirements of these laws satisfied the requirements of BIPA; and there was never a decision holding otherwise.

The amendment, however, does not reference the E-SIGN Act, the now defunct ECSA or the new Illinois UETA. Rather, it states only that “‘Electronic signature’ means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.” This definition is lifted verbatim from the E-SIGN Act (15 U.S.C. § 7006) and the Illinois UETA (815 ILCS 333/2(8)) without any of those laws’ other signature validity requirements. And the term “electronic signature was added to the definition of “written release” as follows: “‘Written release’ means informed written consent, electronic signature, or, in the context of employment, a release executed by an employee as a condition of employment.” Consequently, strict compliance with UETA and the E-SIGN Act is not required for a BIPA electronic signature to be valid and enforceable; and the plaintiffs’ bar will have a harder time arguing that the consent obtained as part of an electronic consent process was not sufficiently specific to be “informed,” because informed consent is no longer a requirement for electronic consent.

What This Means for Companies

The BIPA amendment will have at least three significant impacts:

First, the amendment will require more information about the purported class from defendants seeking to remove a BIPA class action. Before the amendment, back-of-the-envelope calculations of damages on a per-scan basis could quickly exceed the $75,000 threshold for diversity jurisdiction and the $5 million threshold for Class Action Fairness Act (CAFA) jurisdiction. Now, with Section 15(b) damages limited to the higher of actual damages or $5,000, diversity jurisdiction becomes a practical impossibility, and CAFA jurisdiction will require substantiation that at least 1,000 people were impacted (potentially fewer if other claims are asserted).

Second, courts likely will be required to readdress when a claim accrues under the amendment for purposes of the statute of limitations. In Cothron, the Illinois Supreme Court held that a claim accrues upon each and every scan. The question now is whether a claim accrues under the first scan, the last scan, or some other point in time. Defendants will have a solid argument that by limiting an aggrieved person to “one recovery” per violation of Section 15(b), the amendment clarifies that the General Assembly has endorsed the dissenting view in Cothron. That dissent explained “a section 15(b) claim accrues the first time a scan is taken without the required disclosures and consent. There was a single overt act from which damages flow, because the employer did not obtain anything with subsequent scans that it did not already have, and the employee did not lose control over and privacy in her biometric information with subsequent scans.” 2023 IL 128004, ¶ 53. That reasoning tracks with the amendment’s language clarifying that under Section 15(b), “an entity that obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subsection (b) of Section 15 has committed a single violation.”

Third, courts will be required to address the retroactive effect of the amendment to ongoing or yet-to-be-filed BIPA cases alleging violations that occurred prior to August 2, 2024 (the date of the governor’s signature). Retroactive applicability of a change in law turns on whether the amendment is substantive or procedural in nature, with Illinois courts applying amendments retroactively for procedural changes but not for substantive changes. See People ex rel. Madigan v. J.T. Einoder, Inc., 28 N.E.3d 758 (Ill. 2015). Here, the amendment is focused on addressing the quantum of damages recoverable, not whether damages are recoverable. Under Illinois Supreme Court precedent, this would make the amendment procedural in nature and therefore retroactive. See Ogdon v. Gianakos, 114 N.E.2d 686, 690 (Ill. 1953) (“[W]hen a change of law merely affects the remedy or law of procedure, all rights of action will be enforceable under the new procedure without regard to whether they accrued before or after such change of law and without regard to whether the suit has been instituted or not”).

The amendment also clarifies the legislature’s intent, which likewise makes the law retroactive. Royal Imperial Grp., Inc. v. Joseph Blumberg & Assocs., Inc., 608 N.E.2d 178, 181 (Ill. App. Ct. 1992) (“Another exception to the presumption favoring only prospective application of an amendatory act exists when an amendment merely clarifies existing law.”). As the dissent in Cothron explained, “[n]otwithstanding the majority’s inconsistent conclusions that [BIPA’s] language was clear and simultaneously in need of clarification by the legislature, it was the majority’s interpretation that caused the ambiguity for which it needed clarification by the legislature.” 2023 IL 128004, ¶ 81 (internal citations omitted). With this clarification supplied by the legislature, Cothron has been overruled, and the dissent’s interpretation codified.

Other Developments Involving Biometrics

While BIPA is being reigned in, other states and agencies are addressing the collection, use and storage of biometrics.

For example, on May 31, 2024, Colorado Gov. Polis signed Colorado House Bill 24-1130 (HB 1130) into law, amending the Colorado Privacy Act (CPA) to impose new requirements on controllers that process biometric data. The amendments go into effect July 1, 2025. Unlike BIPA, HB 1130 does not create a private right of action.

And on June 4, 2024, Texas Attorney General (AG) Ken Paxton announced the launch of a Texas data privacy and security law enforcement initiative by establishing a new unit focusing on Texas’ privacy laws, including the Texas Capture or Use of Biometric Identifier law (CUBI). On July 30, 2024, the Texas AG’s Office announced that it had reached a $1.4 billion settlement with Meta Platforms Inc. related to alleged violations of CUBI. We cover the CUBI in greater detail in a recent client alert.