On August 2, 2024, Illinois Gov. J.B. Pritzker signed S.B. 2979 into law. As previously reported, S.B. 2979 amends the Illinois Biometric Information Privacy Act ("BIPA") to more clearly specify the scope of liability where multiple violations are alleged.
What is BIPA?
BIPA, enacted in 2008, regulates how private entities collect, use, share, and store biometric data. BIPA's expansive definition of biometrics includes retinal or iris scans, fingerprints, voice prints, and facial geometric scans. Under BIPA, private entities could be liable for liquidated damages ranging from $1,000 to $5,000 per violation.
White Castle v. Cothron broadens BIPA claim accrual
In February 2023, the Illinois Supreme Court issued a significant holding addressing the accrual of BIPA claims. See Cothron v. White Castle System, Inc., 216 N.E.3d 918 (Ill. 2023). In Cothron, a plaintiff filed a class action alleging that his employer violated BIPA by failing to obtain a written release before implementing a policy requiring its employees to scan their fingerprints to clock in and out of their shifts. White Castle moved to dismiss the plaintiff's claims as time-barred under the statute, arguing the plaintiff's claims accrued in 2013, five years after BIPA was enacted into law, and when the plaintiff's first actionable biometric scan would have occurred.
The Illinois Supreme Court, however, sided with the plaintiff, who argued that a BIPA violation occurred each and every time employee biometrics were scanned and transmitted to third-party data processors. The Court reasoned that because BIPA contained no text limiting accrual to the first scan, each subsequent scan embodied a separate violation, thus extending the limitations period and significantly increasing the possible liability of employers and private entities defending against BIPA claims. The Court's ruling acknowledged the potential for ruinous outcomes for defendants facing BIPA liability under this holding but called upon the legislature to implement necessary changes to the statutory language. In the meantime, courts had discretion to tailor damage awards to provide fair compensation to class members while preserving BIPA's deterrent effect without destroying defendants with heavy penalties.
Illinois Legislature Responds to Cothron with S.B. 2979
S.B. 2979 effectively overrules the Illinois Supreme Court's ruling in Cothron. The amendment specifies that BIPA damages accrue just once, regardless of how many scans were collected in a single case.
The amendment also permits entities to collect consent using digital technology rather than written releases, an issue not previously addressed under BIPA.
However, it is important to note that the amendment does not address retroactivity. S.B. 2979's prohibition on per-scan damages arguably shouldapply to pending BIPA claims since the amendment evidences legislative intent to curtail multiplicative damages on a per-scan basis. However, the issue is not yet settled. We will monitor how Illinois courts address this question in the amendment's aftermath.
Conclusion
The BIPA amendment is an important development in Illinois law protecting employers from extreme legal outcomes. It still remains, however, that the statutory damages imposed under BIPA are harsh and have the potential for significant impact on employers and other private entities that collect and use biometric data.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.