On May 16, 2024, the Illinois General Assembly joined the Illinois Senate in approving S.B. 2979, a bill that amends the state's landmark Biometric Information Privacy Act (BIPA) by limiting plaintiffs' potential damages under the law. Under S.B. 2979, a defendant found to have violated BIPA by repeatedly collecting a plaintiff's same identifier will be liable for only a single violation under the law. The amendment also clarifies that entities subject to the law can obtain a plaintiff's written release (i.e., consent) through an electronic signature.
This bill seems to be a direct response to the Illinois Supreme Court's ruling in Cothron v. White Castle System, Inc., in which that court "respectfully suggest[ed]" that the legislature review policy concerns regarding the potential for excessive BIPA damage awards and "make clear its intent regarding the assessment of damages under the Act." Now the legislature has substantially curtailed the damages available to BIPA plaintiffs by clarifying that a violation occurs only on the initial unconsented collection of biometric data.
The rest of this post provides additional background on BIPA and the new damages rule under S.B. 2979, along with a few key takeaways for businesses subject to the law. To stay up to date on this topic and others, please subscribe to the WilmerHale Privacy and Cybersecurity Blog.
BIPA Background
When it became law in 2008, BIPA represented a landmark in the landscape of state data privacy laws. The act imposed strict new rules about how entities can use biometric information such as fingerprints, eye scans, voiceprints and facial geometry scans. BIPA requires that entities that process such biometric data obtain an individual's consent before collecting, obtaining or disclosing that data.
Notably, the law created a private right of action for plaintiffs who have been aggrieved by a BIPA violation. It also includes a statutory damages provision, permitting the prevailing party to recover $1,000 for each negligent BIPA violation and $5,000 for each intentional or reckless violation. The prevailing party may also recover attorneys' fees and costs.
Unsurprisingly, the act set off a wave of privacy-related litigation. In 2023 alone, hundreds of BIPA cases were filed in state and federal courts. One significant case that was decided last year was Cothron. There, the plaintiffs were White Castle employees who were required to scan their fingerprint each time they accessed their pay stubs and computers. For each scan, White Castle shared their fingerprint with a third-party vendor for verification. Plaintiffs argued that each scan and share—which would total hundreds per year per employee—was a BIPA violation. The Illinois Supreme Court sided with them, ruling that a BIPA violation accrues each and every time an entity collects, captures or otherwise obtains a person's biometric information without consent. But, as noted above, the court also called on the legislature to clarify whether it intended to create the potential for such gargantuan damages awards.
Senate Bill 2979
Under S.B. 2979, the legislature announced a new BIPA damages rule, abrogating Cothron's holding: "[A] private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection . . . has committed a single violation" under BIPA and is therefore "entitled to, at most, one recovery." In other words, only the initial unconsented use of biometric data would give rise to liability under BIPA.
While S.B. 2979 passed both houses of the legislature, it awaits the signature of Illinois Governor J.B. Pritzker. He is expected to sign the bill into law, but his timing for doing so is unclear.
Key Takeaways
Assuming it does become law, S.B. 2979 has a few important implications. First, because the legislature has substantially limited plaintiffs' maximum recovery, BIPA defendants may be able to exercise more leverage during settlement negotiations. Second, the plaintiffs' bar may reconsider its strategy for BIPA lawsuits, focusing on cases with a large number of one-time violations rather than many repeated violations. But S.B. 2979 also has one major caveat for defendants: it does not apply retroactively. BIPA violations that occurred prior to passage of the law will still accrue according to the old rule. That means that the steady stream of BIPA cases with large potential damages awards may not slow down anytime soon.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.