A new Illinois law limits the damages plaintiffs can seek under the state’s Biometric Information Privacy Act (BIPA). Our Labor & Employment Group explores the change’s impact on employers.
- The new law limits the claims for damages to once per person rather than once per scan
- The new law makes it easier for employers to establish written consent for scans
- It’s not clear whether the amended BIPA will apply retroactively
On August 2, 2024, Illinois Governor J. B. Pritzker signed into law Senate Bill 2979, overruling the Illinois Supreme Court’s decision that under the Biometric Information Privacy Act (BIPA), plaintiffs could recover liquidated damages of $1,000 or $5,000 for each unconsented scan of their biometric identifier. Effective immediately, a private entity that collects a person’s biometric data or discloses it without consent can only be found liable for one BIPA violation per person.
What Is BIPA?
BIPA is an Illinois state privacy law that restricts the collection, use, and retention of biometric data. BIPA has gained national attention in recent years as one of the strictest biometric laws in the country.
Under BIPA, a “biometric identifier” refers to a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” and “biometric information” means “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.” The statute requires that private entities (1) provide notice and obtain consent before the collection of biometric data; (2) implement publicly available retention and destruction schedules; and (3) do not disclose biometric data (except in limited circumstances). BIPA includes a private right of action and provides that those affected by negligent violations of the statute are entitled to $1,000 in damages per violation and $5,000 for each intentional or reckless violation, plus reasonable attorneys’ fees and costs.
Last year, the Illinois Supreme Court held that plaintiffs who are repeatedly subjected to biometric technologies may recover statutory damages for each collection or disclosure that violates the statute. As a result of the Supreme Court’s interpretation of the penalty scheme under BIPA, settlements of BIPA class actions were enormous.
Amending BIPA
Besides expressly limiting BIPA claims to one violation per person, the new law makes it easier for private entities to establish written consent and expands the definition of “written release” to include an “electronic signature.” The amendments to BIPA take effect immediately, meaning that per-scan damages will no longer be available in any newly filed BIPA lawsuits. It remains unclear whether the amended statute will apply retroactively.
Looking Ahead
Despite the recent amendments, we do not foresee any downturn in BIPA lawsuits since the statute contains a private right of action and more employers continue to use new technologies in the workplace that use biometric information. Because of this, we expect that the BIPA legal landscape will continue to evolve, particularly since the manner in which businesses collect and use personal data is experiencing extreme growth at this time.
Compliance with BIPA must remain a focus for any employers located in Illinois or those that anticipate employing workers in the state in the future. We also encourage employers outside Illinois to take this opportunity to review their policies for any biometric technologies because we expect to see similar laws in more employee-friendly states in the near future.
[View source.]