In recent years, a heavy question mark has weighed on companies that process biometric information as part of their standard operating procedures: What is our risk exposure?
In a previous Alert, we discussed the impact and cost of biometric data laws on online gaming and sports betting. With statutory damages of up to $5,000 per violation, the Illinois Biometric Information Privacy Act (BIPA) has presented significant potential for risk in an industry where biometric information is often collected as a matter of course to verify user identities. This risk was compounded by the Illinois Supreme Court in 2023, when it held that a claim under BIPA accrues "with every scan or transmission of biometric identifiers or biometric information without prior informed consent." Cothron v. White Castle Sys., Inc., 2023 IL 128004, ¶ 45, 216 N.E.3d 918, 929.
Courts have recognized that counting each scan as a separate violation of BIPA might give rise to "annihilative" liability, but have nevertheless found that the text of BIPA requires it. (See, e.g., Rogers v. BNSF Ry. Co., 680 F. Supp. 3d 1027, 1041 (N.D. Ill. 2023).)
However, on August 2, 2024, Illinois Governor J.B. Pritzker signed into law a bill passed by the Illinois Legislature in May to amend BIPA in a way that is expected to limit the risk exposure associated with violations. The amended text of BIPA now indicates that violations essentially occur on a per-person basis, not a per-scan basis. This is expected to yield a marked decrease in the number of violations for which a company may be liable, though penalties of up to $5,000 may still add up quickly where thousands of individuals or more are implicated.
Specifically, the amended text states that if a company violates Section 15(b) of BIPA (which covers collecting or otherwise obtaining biometric data) by using the same method to collect biometric data from the same individual, there would be a maximum of one violation, no matter how many scans occurred. Likewise, under the amended text, if a company violates Section 15(d) of BIPA (which covers disclosing biometric data) by repeatedly disclosing the same biometric information of the same individual to the same recipient, there would be a maximum of one violation, no matter how many disclosures occurred.
The amended text of BIPA also now includes "electronic signature" in the definition of "written release." This update helps bring BIPA up to speed with present-day realities of electronic signatures being used as consent mechanisms. But of note, despite the addition of "electronic signatures," the amendment does not elaborate on what constitutes "informed consent" for BIPA purposes.
While the enactment of these amendments represents a positive trend in legislative action, it is critical for companies to maintain due diligence with respect to compliance with BIPA and other state privacy laws that continue to be developed.
For More Information
If you have any questions about this Alert, please contact Adam Berger, Michelle Hon Donovan, Ariel Seidner, any of the attorneys in the Privacy and Data Protection Group, any of the attorneys in our Gaming Industry Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.