Illinois Legislature Reigns-In Biometric Law, Limits Separate Claim Accruals for Individuals
August 8, 2024On August 2, 2024, the Illinois Governor, J.B. Pritzker, signed an amendment to the Illinois Biometric Information Privacy Act (“BIPA”) that significantly reduces companies’ potential exposure to damages arising from certain BIPA violations. The amendment revises BIPA so that each time a company collects, obtains, or disseminates the same biometric data from the same individual using the same method multiple times in violation of BIPA, it only qualifies as a single violation of BIPA for which one recovery is available rather than separate violations for which multiple recoveries are available. The amendment also expands BIPA’s definition of “written release” to expressly include those signed electronically. Although many BIPA amendments have been proposed over the years, this is the first enacted amendment to BIPA since the law took effect in 2008.
Notably, the amendment curbs a company’s potential exposure to damages in wake of the Illinois Supreme Court’s 2023 decision in Cothron v. White Castle. In that case, the Illinois Supreme Court held that a separate claim accrues under BIPA each time a company scans or transmits an individual’s biometric data in violation of BIPA (discussed in our prior alert here). Because BIPA allows for liquidated damages of $1,000 or actual damages, whichever is greater, for negligent violations, and liquidated damages of $5,000 or actual damages, whichever is greater, for intentional or reckless violations, the Court noted that its holding could lead to a potentially dramatic outcome, leaving the defendant potentially liable for class wide damages exceeding $17 billion.
However, the Court noted the limitations of its power, stating “we cannot rewrite a statute to create new elements or limitations not included by the legislature.” The Illinois legislature recognized this part of the Court’s ruling. This BIPA amendment partially overrules the holding in Cothron, significantly decreasing the likelihood of exponential damages from class actions in the future. For example, if the amendment had been in effect at the time of the Cothron case, the potential damages could have been as little as $9.5 million instead of the estimated $17 billion.
While the amendment makes significant strides to protect companies from potentially going bankrupt as a result of repeated BIPA violations, it is important to note that the amendment does not apply to all BIPA violations. Rather, it only applies to violations under Section 15(b) of BIPA, which requires a company to provide requisite disclosures to, and obtain a written release from, an individual prior to collecting or otherwise obtaining biometric information from the individual, and violations under Section 15(d) of BIPA, which requires certain criteria to be satisfied prior to the dissemination of an individual’s biometric information. Violations of other subsections of BIPA, such as the prohibition on selling biometric information or the requirement to safely store and protect biometric information, may still carry damages for each time a company violates that subsection. While violations of Sections 15(b) and (d) are the most common, companies should take note of the specific scope of reprieve.
While companies utilizing biometric data in Illinois today still face a five-year statute of limitations for BIPA violations (as discussed in our prior alert here), and the damages per violation remain unchanged, the amendment significantly decreases the potential ceiling for damages. If you need assistance complying with biometric information laws or other privacy laws, please contact one of our Cybersecurity & Data Privacy attorneys.
Thank you to Lawson Tyrone for his contributions to this alert.