On May 16, 2024, the Illinois Legislature passed Senate Bill 2979 (SB2979), clarifying how damages are calculated under the Illinois Biometric Information Privacy Act (BIPA). 740 ILCS 14/1, et seq. This amendment confirms that the recoverable damages under BIPA arise on a per-person, rather than a per-scan, basis. SB2979 passed a year after the Illinois Supreme Court ruled that a violation occurs each time a company swipes a person’s biometrics without consent. See our analysis of that case here.
BIPA remains a material risk for companies that collect biometrics, even after SB2979. BIPA authorizes statutory damages for mere technical violations of the law. Even when calculated on a per-person basis, damages could be up to $5,000-$10,000 per class member. Large class sizes could therefore result in multi-million-dollar judgments.
Background
Biometrics, commonly utilized by companies for identity authentication, involve the scanning and retention of individuals’ biometric data, including fingerprints. This data is rescanned each time authentication is required. Employers, for example, often use biometric scans for employees to clock in and out of work. Currently, BIPA permits per-violation damages of $1,000 for negligent violations and $5,000 for intentional or reckless violations.
In a landmark decision in 2023, the Illinois Supreme Court ruled that each scan of biometric information without consent constitutes a separate BIPA violation—not merely the initial collection. In Cothron, v. White Castle System, Inc., 2023 IL 128004, 216 N.E.3d 918, White Castle employees utilized finger scans to access paystubs and company systems, facilitated by a third-party vendor verifying each scan. White Castle had not obtained consent from its employees for the biometric scanning, leading to a class-action lawsuit by the affected employees. While White Castle contended that BIPA violations occurred only at the point of initial biometric data collection, the Illinois Supreme Court disagreed, ruling that violations arise with each scan. White Castle’s BIPA noncompliance resulted in a potential damage award of $17 billion.
Even before Cothron, recent BIPA judgments had reached hundreds of millions of dollars. For example, a jury found that BNSF Railway violated BIPA 45,600 times by scanning the fingerprints of employee truckers and awarded the plaintiffs $228 million. Rogers v. BNSF Ry. Co., 680 F. Supp. 3d 1927 (N.D. Ill. 2023). If Rogers had been decided after Cothron, the judgment may have been even higher.
If signed into law by Governor Pritzker, SB2979 would reduce damages available based on BIPA violations (which have already resulted in several settlements in the tens or hundreds of millions) and reduce plaintiffs’ leverage in negotiating BIPA settlements. To illustrate the impact of the amendment, if SB2979 had been in place at the time of the Cothron decision, White Castle’s estimated penalty would have likely been closer to $10-$50 million. See Democratic leaders poised to revisit Biometric Information Privacy Act after court rulings (capitolnewsillinois.com).
Key Provisions of SB2979
- Single Violation for Repeated Collection: A private entity that collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or information from the same person using the same method of collection more than once in violation of BIPA will be deemed to have committed a single violation. The aggrieved person would be entitled to one recovery under this section.
- Single Violation for Repeated Disclosure: A private entity that discloses, rediscloses, or otherwise disseminates the same biometric identifier or information from the same person to the same recipient using the same method of collection more than once in violation of BIPA will be deemed to have committed a single violation. The aggrieved person would be entitled to one recovery under this section.
This amendment would mitigate the risk of “annihilative damages,” where companies could face disproportionate penalties for repeated violations involving the same biometric data or disclosures to the same recipient. Should SB2979 become law, companies would face a per-person fine of $1,000 for negligent violations and $5,000 for intentional or reckless violations, irrespective of how many times they collect or disclose an individual’s biometric information. Notably, wrongfully disclosing biometrics is considered a separate violation from collecting biometrics without consent for the purposes of statutory damages. Therefore, there could be two penalties with respect to the same Illinois resident.
Additional Changes
Under BIPA, any entity gathering or obtaining biometrics must secure prior written consent from the individual. SB2979 also clarifies that companies may obtain consent electronically (an interpretation that many companies had already implemented).
Conclusion
SB2979 provides some relief to businesses by mitigating the severe financial risks posed by BIPA’s statutory damages. By limiting recoverable damages to a single violation per individual, regardless of repeated instances of biometric data collection or disclosure, SB2979 helps protect businesses from potentially devastating penalties. We anticipate that SB2979 will not be the only BIPA amendment, as many companies would also benefit from a clarification that information is subject to the law only if capable of (and used to) identify a specific individual or an amendment removing the bill’s statutory damages.
