Illinois Legislature Modifies Damages Rule Under BIPA

Azeezat Adeleke, Ali Jessani, Kirk Nahra
WilmerHale
Contact
LinkedIn
Facebook
X
Send
Embed

On May 16, 2024, the Illinois General Assembly joined the Illinois Senate in approving S.B. 2979, a bill that amends the state’s landmark Biometric Information Privacy Act (BIPA) by limiting plaintiffs’ potential damages under the law. Under S.B. 2979, a defendant found to have violated BIPA by repeatedly collecting a plaintiff’s same identifier will be liable for only a single violation under the law. The amendment also clarifies that entities subject to the law can obtain a plaintiff’s written release (i.e., consent) through an electronic signature.

This bill seems to be a direct response to the Illinois Supreme Court’s ruling in Cothron v. White Castle System, Inc., in which that court “respectfully suggest[ed]” that the legislature review policy concerns regarding the potential for excessive BIPA damage awards and “make clear its intent regarding the assessment of damages under the Act.” Now the legislature has substantially curtailed the damages available to BIPA plaintiffs by clarifying that a violation occurs only on the initial unconsented collection of biometric data.

The rest of this post provides additional background on BIPA and the new damages rule under S.B. 2979, along with a few key takeaways for businesses subject to the law. 

BIPA Background

When it became law in 2008, BIPA represented a landmark in the landscape of state data privacy laws. The act imposed strict new rules about how entities can use biometric information such as fingerprints, eye scans, voiceprints and facial geometry scans. BIPA requires that entities that process such biometric data obtain an individual’s consent before collecting, obtaining or disclosing that data.

Notably, the law created a private right of action for plaintiffs who have been aggrieved by a BIPA violation. It also includes a statutory damages provision, permitting the prevailing party to recover $1,000 for each negligent BIPA violation and $5,000 for each intentional or reckless violation. The prevailing party may also recover attorneys’ fees and costs.

Unsurprisingly, the act set off a wave of privacy-related litigation. In 2023 alone, hundreds of BIPA cases were filed in state and federal courts. One significant case that was decided last year was Cothron. There, the plaintiffs were White Castle employees who were required to scan their fingerprint each time they accessed their pay stubs and computers. For each scan, White Castle shared their fingerprint with a third-party vendor for verification. Plaintiffs argued that each scan and share—which would total hundreds per year per employee—was a BIPA violation. The Illinois Supreme Court sided with them, ruling that a BIPA violation accrues each and every time an entity collects, captures or otherwise obtains a person’s biometric information without consent. But, as noted above, the court also called on the legislature to clarify whether it intended to create the potential for such gargantuan damages awards.

Senate Bill 2979

Under S.B. 2979, the legislature announced a new BIPA damages rule, abrogating Cothron’s holding: “[A] private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection . . . has committed a single violation” under BIPA and is therefore “entitled to, at most, one recovery.” In other words, only the initial unconsented use of biometric data would give rise to liability under BIPA.

While S.B. 2979 passed both houses of the legislature, it awaits the signature of Illinois Governor J.B. Pritzker. He is expected to sign the bill into law, but his timing for doing so is unclear.

Key Takeaways

Assuming it does become law, S.B. 2979 has a few important implications. First, because the legislature has substantially limited plaintiffs’ maximum recovery, BIPA defendants may be able to exercise more leverage during settlement negotiations. Second, the plaintiffs’ bar may reconsider its strategy for BIPA lawsuits, focusing on cases with a large number of one-time violations rather than many repeated violations. But S.B. 2979 also has one major caveat for defendants: it does not apply retroactively. BIPA violations that occurred prior to passage of the law will still accrue according to the old rule. That means that the steady stream of BIPA cases with large potential damages awards may not slow down anytime soon.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© WilmerHale | Attorney Advertising

Written by:

WilmerHale
WilmerHale
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

WilmerHale on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide