On August 2, 2024, Illinois Governor Pritzker signed P.A. 103-0769 which amended the Biometric Information Privacy Act (BIPA) that regulates the collection, use, and disclosure of biometric identifiers and information by private entities in Illinois. It The amendments clarify some definitions and limit the scope of potential violations and damages under the law.
The amendments modify the definition of biometric identifier to exclude certain types of biological and medical data, such as genetic testing information, donated organs, and health care records. They also exclude electronic signatures from the definition of biometric information. These exclusions aim to address some of the concerns raised by the certain industries about the applicability and compliance of BIPA to their activities.
The amendments also limit the number of violations and damages that a person aggrieved by a breach of BIPA can claim in a lawsuit. They provide that a private entity that collects or obtains the same biometric identifier or information from the same person using the same method more than once has committed a single violation of BIPA, regardless of the number of times the collection or obtaining occurred. Similarly, a private entity that discloses or disseminates the same biometric identifier or information from the same person to the same recipient using the same method more than once has committed a single violation of BIPA, regardless of the number of times the disclosure or dissemination occurred. This is in contrast with (and likely in response to) the Illinois Supreme Court's decision in Cothron v. White Castle Sys., Inc., 216 N.E.3d 918 (Ill. 2023), in which the Court found that a violator could be held liable under BIPA for each scan or collection of a plaintiff's biometric information, allowing for ballooning damages for companies which utilize the biometric information of their customers. These limitations aim to reduce the potential liability and litigation costs for private entities that may face multiple claims for the same conduct under BIPA.
The amendments do not change the existing requirements for private entities to obtain written consent, provide notice, and implement security measures for biometric data, nor the existing statutory damages of $1,000 or $5,000 per violation, depending on the degree of negligence or intent. The amendments also do not affect the standing of plaintiffs to sue under BIPA and so ultimately do not eliminate the risk of BIPA litigation for private entities, but rather clarify and narrow some of the grounds and remedies for such litigation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.