Private entities feel a sense of relief as the Illinois Legislature passes an amendment to the Biometric Information Privacy Act, limiting violation damages to “per person” liability, and moving away from the previous “per occurrence” liability.
Background
On October 3, 2008, the State of Illinois enacted the Biometric Information Privacy Act (BIPA) to regulate the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information by private entities. Biometric identifiers include retina or iris scans, fingerprints, voiceprints, and scans of hand or facial geometry. The law requires private entities to have written policies on biometric information retention and destruction, provide information to individuals, and obtain written consent before collecting biometric data. Violations can result in penalties of $1,000 for negligence and $5,000 for intentional or reckless violations, along with attorney fees and other relief.
In 2023, a controversial ruling in Cothron v. White Castle System, Inc. (216 N.E.3d 918, Ill. 2023) interpreted BIPA to mean that each scan or transmission of an individual’s biometric identifier constitutes a separate violation, meaning businesses faced $1,000 and $5,000 penalties per each occurrence a business scanned an individual’s biometric information. This interpretation has led to significant penalties, such as the Cothron decision leaving White Castle facing an estimated $17 billion in damages.
SB 2979 Amendment Passes
On May 16, 2024, the Illinois legislature passed SB 2979, an amendment to BIPA aimed to limit the recovery of damages in light of concerns from businesses. The amendment currently awaits the Governor’s signature, although Governor Pritzker is expected to sign.
The amendment clarifies that where a business is alleged to have committed a violation, BIPA damages accrue just once per individual claimant; meaning that, for example, if a company were to collect an employee’s fingerprint multiple times without written consent, the business would face one single $1,000 or $5,000 penalty instead of penalties accruing with each scan.
The new amendment does still leave a few unanswered questions, as it does not provide clarification if more than one section of BIPA is violated simultaneously. Further, the new amendment does not speak to whether it can be applied retroactively to claims already in existence.
For more information on how this new provision may affect you or your organization, contact Michael A. Airdo at mairdo@airdowerwas.com, or Felicia Owen at Fowen@airdowerwas.com.