The Illinois General Assembly recently approved significant changes to the Illinois Biometric Information Privacy Act (BIPA) to mitigate excessive damages.

The bill, SB2979, responds to a suggestion made over a year ago by the Illinois Supreme Court. In Cothron v. White Castle, the high court urged lawmakers to reconsider the existing framework for penalties allowed under BIPA.

While the bill has yet to be signed into law, it will likely move forward without any obstacles given the Supreme Court’s urging. The General Assembly is expected to send the bill to Illinois Governor JB Pritzker within 30 days. Gov. Pritzker will then have 60 days to sign it into law. It will be immediately effective.

Background

Enacted in 2008, BIPA protects biometric data from misuse and unauthorized access and provides legal recourse for violations. It requires companies to obtain express consent from consumers and employees before collecting, storing, obtaining, capturing, purchasing, using, possessing or disclosing their biometric data. Biometric data includes biometric identifiers, such as fingerprints, retina scans and other uniquely identifiable information based on an individual’s biometric identifiers.

Initially, BIPA was an overlooked statute. Almost ten years after it was passed, however, a storm of cases overtook the Illinois and federal courts as plaintiff attorneys pursued class actions and cumulative penalties. Large companies such as Google, Facebook and Shutterfly were sued for millions of dollars on the grounds software they provided to consumers improperly accessed biometric data.

Over the years, the plaintiff bar turned their attention to Illinois-based employers, including smaller businesses. Commonly, they sue over the use of hand or fingerprint scans for employee time clocks. With penalties of up to $5,000 per violation and per individual, many smaller businesses have faced bankruptcy when defending against these claims.

The Changes

To halt the excessively punitive outcomes, Illinois lawmakers voted May 16, 2024, to amend BIPA. The new measure seeks to balance the need for protecting biometric data with the realities faced by businesses. Key changes in the amendment include:

1. Consent Requirements Clarified: The amendment provides clearer guidelines on how companies should obtain and document consent from individuals, aiming to reduce ambiguities that have previously led to litigation. Specifically, the amendment clarifies that an electronic signature can satisfy the written consent requirement within BIPA, and the amendment defines precisely what an electronic signature is for purposes of complying with the law.
2. Aggregation of Violations: The legislation eliminates concerns about cumulative penalties and now, multiple instances of the same violation involving the same biometric data and the same method of collection or dissemination will be treated as a single violation. For example, an employer that repeatedly collects or disseminates an employee’s fingerprint using the same method of collection would constitute a single violation, limiting the potential for multiple recoveries. This change applies to both the collection and disclosure of biometric data, providing a more predictable and fair enforcement landscape for businesses.

What’s Next?

For now, BIPA protections and requirements will not change. This amendment is only expected to reduce disproportionate financial penalties while maintaining robust protection for the biometric data of individuals. There is no indication that the amendment will apply retroactively for cases that are currently in litigation.

Thus, to stay compliant with BIPA and avoid incurring any penalties, a business must maintain written and publicly available policies that include:

• An explanation of how and why biometric data is needed for the business.
• A guideline regarding the retention and destruction of the biometric data.
• An acknowledgment and express request for consent of the individual to access their biometric data.

Businesses should also annually review their consumer and employee policies to ensure that each policy details the most up-to-date uses of biometric data.

[View source.]