On May 16, 2024, the Illinois Legislature approved legislation (SB 2979) that would significantly reduce the extent of liability private entities are likely to face under the Illinois Biometric Information Privacy Act (BIPA). In short, businesses that are found to have violated BIPA by repeatedly collecting a plaintiff's biometric identifier via the same method will be considered to have committed a single violation for claim accrual purposes. The bill also defines "electronic signature" for the first time and further provides the "written release" that businesses are required to obtain to comply with BIPA includes electronic signatures. Unquestionably, SB 2979 is the Legislature's much-needed response to a series of plaintiff-friendly decisions by the Illinois Supreme Court in BIPA litigation.
Background
In 2008, Illinois enacted BIPA to regulate the collection, use and
storage of biometric information, defined as a biological
measurement or physical characteristic that can be used to identify
individuals, such as fingerprint mapping, facial recognition and
retina scans. BIPA creates a private right of action for
individuals "aggrieved" by a violation of the
statute.
- Section 15(a) of BIPA requires private entities to develop written, publicly available policies that establish procedural safeguards for the retention and destruction of individuals' biometric data.
- Section 15(b) prohibits the collection of biometric data without the individual's informed, written consent.
- Section 15(c) regulates and prohibits entities from profiting from collected biometric data.
- Section 15(d) permits the disclosure or dissemination of biometric data under a limited right that requires an individual's consent.
- Section 15(e) regulates the storage of biometric data and requires entities to enact stringent protections for collected biometric data.
Prior to SB 2979, plaintiffs could recover damages for every single instance in which a business "collected" a biometric identifier, and a separate claim would arise each time a business disclosed, re-disclosed or otherwise disseminated a person's biometric data.
In Cothron v. Whitecastle, the Illinois Supreme Court considered whether a BIPA "violation" occurs each time a person's biometric data is collected, or only the first time. The Court ruled that each separate scan of a person's fingerprint constitutes a "collection" under section 15(b), and each separate disclosure of a person's biometric information to a third party constituted a "dissemination" under section 15(d). Accordingly, employees who worked five days a week and scanned their fingerprints to clock in and out of work each day, including when taking lunch breaks, were entitled to statutory damages valued at $1,000 per scan (or $5,000 per scan in cases of willful violations).
After Cothron, individual plaintiffs could seek damages awards as high as $4,000 per day – or $20,000 for one week's worth of violations in cases of non-willful violations. Simply stated, this would subject Illinois businesses to potentially crippling liability given that BIPA claims accrued on a "per violation" basis.
The Cothron majority opinion acknowledged that its
holding would subject businesses to "annihilative
liability," which in turn could lead to potentially
"unjust" results. Indeed, the Cothron dissent
posited that the Legislature did not intend to destroy Illinois
businesses. Notwithstanding the intent, the Cothron
opinion stated the Illinois Legislature was best positioned to
remedy this effect under the BIPA statute and essentially directed
the Legislature to amend BIPA to limit the extent of private
businesses' liability.
SB 2979
The passage of SB 2979 undoubtedly is a direct response to the
dubious Cothron decision. Going forward, businesses that
are found to have violated section 15(b) under BIPA by collecting a
plaintiff's biometric identifier will be considered to have
committed a single violation for claim accrual purposes provided
that the same collection method was used. Similarly, whenever the
unauthorized disclosure of a biometric identifier under section
15(d) is at issue, plaintiffs also would be limited to a single
recovery, regardless of the number of times information was
disclosed, provided that the biometric information belonged to the
same person and was disclosed to the same
recipient.
Additionally, prior to SB 2979 it was unclear whether electronic signatures could be used to satisfy BIPA's consent requirements. SB 2979 includes a new provision defining "electronic signature" and further provides that "written release" (which businesses are required to obtain under BIPA before collecting, disclosing or otherwise disseminating biometric data) includes an electronic signature. While other BIPA reforms were proposed, such as reducing the applicable limitations period from five years to three, the Legislature stopped short of including a shorter statute of limitations in the final version of the bill.
Takeaways
Since a person technically can lose their privacy interest in their
biometric information only once, SB 2979's new "single
recovery" liability framework seems to better align with the
precise harm BIPA sought to prevent – the loss of an
individual's right to maintain their biometric information as
private.
Moreover, in the wake of the Cothron decision, plaintiffs were incentivized to delay bringing suit as long as possible for purposes of "racking up" damages with each scan of an individual's biometric identifier. Accordingly, SB 2979 is a necessary step toward protecting businesses from further costly, frivolous BIPA litigation by reforming the operative claim accrual framework under BIPA.
Conclusion
SB 2979's passage comes just before the current legislative
session concludes on May 24. Notably, SB 2979 will not become
effective until it is signed by the governor of Illinois, who is
widely expected to sign the bill into law shortly. Although the
amendments will not retroactively apply to current BIPA lawsuits,
the new claim accrual framework will assuredly dictate – and
hopefully reduce – potential damages exposure in BIPA
lawsuits going forward.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.