Illinois Legislature Passes Amendment To BIPA To Respond To Plaintiff-Friendly Decisions By Illinois Supreme Court

WE
Wilson Elser Moskowitz Edelman & Dicker LLP

Contributor

More than 800 attorneys strong, Wilson Elser serves clients of all sizes across multiple industries. It maintains 38 domestic offices, another in London and enjoys more extensive international reach as a founding member of Legalign Global.  The firm is currently ranked 56th in the National Law Journal’s NLJ 500.
On May 16, 2024, the Illinois Legislature approved legislation (SB 2979) that would significantly reduce the extent of liability private entities are likely to face under the Illinois Biometric Information Privacy Act (BIPA).
United States Privacy
To print this article, all you need is to be registered or login on Mondaq.com.

On May 16, 2024, the Illinois Legislature approved legislation (SB 2979) that would significantly reduce the extent of liability private entities are likely to face under the Illinois Biometric Information Privacy Act (BIPA). In short, businesses that are found to have violated BIPA by repeatedly collecting a plaintiff's biometric identifier via the same method will be considered to have committed a single violation for claim accrual purposes. The bill also defines "electronic signature" for the first time and further provides the "written release" that businesses are required to obtain to comply with BIPA includes electronic signatures. Unquestionably, SB 2979 is the Legislature's much-needed response to a series of plaintiff-friendly decisions by the Illinois Supreme Court in BIPA litigation.

Background
In 2008, Illinois enacted BIPA to regulate the collection, use and storage of biometric information, defined as a biological measurement or physical characteristic that can be used to identify individuals, such as fingerprint mapping, facial recognition and retina scans. BIPA creates a private right of action for individuals "aggrieved" by a violation of the statute.

  • Section 15(a) of BIPA requires private entities to develop written, publicly available policies that establish procedural safeguards for the retention and destruction of individuals' biometric data.
  • Section 15(b) prohibits the collection of biometric data without the individual's informed, written consent.
  • Section 15(c) regulates and prohibits entities from profiting from collected biometric data.
  • Section 15(d) permits the disclosure or dissemination of biometric data under a limited right that requires an individual's consent.
  • Section 15(e) regulates the storage of biometric data and requires entities to enact stringent protections for collected biometric data.

Prior to SB 2979, plaintiffs could recover damages for every single instance in which a business "collected" a biometric identifier, and a separate claim would arise each time a business disclosed, re-disclosed or otherwise disseminated a person's biometric data.

In Cothron v. Whitecastle, the Illinois Supreme Court considered whether a BIPA "violation" occurs each time a person's biometric data is collected, or only the first time. The Court ruled that each separate scan of a person's fingerprint constitutes a "collection" under section 15(b), and each separate disclosure of a person's biometric information to a third party constituted a "dissemination" under section 15(d). Accordingly, employees who worked five days a week and scanned their fingerprints to clock in and out of work each day, including when taking lunch breaks, were entitled to statutory damages valued at $1,000 per scan (or $5,000 per scan in cases of willful violations).

After Cothron, individual plaintiffs could seek damages awards as high as $4,000 per day – or $20,000 for one week's worth of violations in cases of non-willful violations. Simply stated, this would subject Illinois businesses to potentially crippling liability given that BIPA claims accrued on a "per violation" basis.

The Cothron majority opinion acknowledged that its holding would subject businesses to "annihilative liability," which in turn could lead to potentially "unjust" results. Indeed, the Cothron dissent posited that the Legislature did not intend to destroy Illinois businesses. Notwithstanding the intent, the Cothron opinion stated the Illinois Legislature was best positioned to remedy this effect under the BIPA statute and essentially directed the Legislature to amend BIPA to limit the extent of private businesses' liability.

SB 2979
The passage of SB 2979 undoubtedly is a direct response to the dubious Cothron decision. Going forward, businesses that are found to have violated section 15(b) under BIPA by collecting a plaintiff's biometric identifier will be considered to have committed a single violation for claim accrual purposes provided that the same collection method was used. Similarly, whenever the unauthorized disclosure of a biometric identifier under section 15(d) is at issue, plaintiffs also would be limited to a single recovery, regardless of the number of times information was disclosed, provided that the biometric information belonged to the same person and was disclosed to the same recipient.

Additionally, prior to SB 2979 it was unclear whether electronic signatures could be used to satisfy BIPA's consent requirements. SB 2979 includes a new provision defining "electronic signature" and further provides that "written release" (which businesses are required to obtain under BIPA before collecting, disclosing or otherwise disseminating biometric data) includes an electronic signature. While other BIPA reforms were proposed, such as reducing the applicable limitations period from five years to three, the Legislature stopped short of including a shorter statute of limitations in the final version of the bill.

Takeaways
Since a person technically can lose their privacy interest in their biometric information only once, SB 2979's new "single recovery" liability framework seems to better align with the precise harm BIPA sought to prevent – the loss of an individual's right to maintain their biometric information as private.

Moreover, in the wake of the Cothron decision, plaintiffs were incentivized to delay bringing suit as long as possible for purposes of "racking up" damages with each scan of an individual's biometric identifier. Accordingly, SB 2979 is a necessary step toward protecting businesses from further costly, frivolous BIPA litigation by reforming the operative claim accrual framework under BIPA.

Conclusion
SB 2979's passage comes just before the current legislative session concludes on May 24. Notably, SB 2979 will not become effective until it is signed by the governor of Illinois, who is widely expected to sign the bill into law shortly. Although the amendments will not retroactively apply to current BIPA lawsuits, the new claim accrual framework will assuredly dictate – and hopefully reduce – potential damages exposure in BIPA lawsuits going forward.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More