After 16 years, BIPA is amended to limit potential damages for violations

Laura Balson in our Chicago office recently discussed an amendment to the Illinois Biometric Information Privacy Act. At that time, the Illinois House and Senate had passed an amendment to Illinois Biometric Information Privacy Act, or “BIPA,” which was awaiting the signature of Gov, J.B. Pritzker (D). The amendment has now been signed and must be a consideration in BIPA litigation and in the use of biometric data.

Most significantly, the amendment specifies that an individual is limited to one recovery, even if there were multiple scans that violated the Act. This is good news for businesses.

Background

BIPA was enacted in 2008 and protects biometric information by prohibiting anyone from collecting such information without prior written consent. Due to ambiguity in the language of the statute, the damages provision was interpreted by courts to allow individuals to collect damages for every time their biometric information was collected without their consent. This ambiguity allowed litigants to claim damages for alleged violations taking place thousands of times each year. With a statutory penalty of $1,000 per negligent violation and $5,000 per reckless or intentional violation, BIPA violations cost businesses millions of dollars in penalties and made the stakes too high to effectively use biometric information in many instances.

In the 2023 decision in Cothron v. White Castle System, Inc. In Cothron, the defendant argued that if each scan of an employee’s fingerprint on a timeclock constituted a separate violation, it could result in “annihilative” damages. Rather than limit the amount of damages, the Cothron court held that reforming the law to decrease the potential for such damages was for the legislature, not the courts. 

Relief for businesses

The Illinois legislators took the cue to clear up this ambiguity. SB 2979 (now Public Act 103-0769) amends BIPA to limit violations to a single recovery for an individual even if there was multiple scans of that individual’s biometric data by an organization. 

The amendment clarifies that multiple collections of a person’s biometrics using the same method of collection is a single violation of BIPA. The amendment effectively bars litigants from claiming a separate violation each time a data collector shares the scan of a fingerprint with a third party.

The amendment to BIPA also clarifies that the definition of “written release” to collect biometric data should include an “electronic signature.” This amendment will allow organizations to obtain releases to collect and use biometric data via electronic confirmation by Illinois residents.

Discussion

There is no doubt that the questions related to damages -- referred to as “annihilative” damages --  chilled the use of biometric data. Organizations were not willing to run the risk of facing multiple BIPA violations from the same collection of data. There is no question that the new limitation on damages will have a dramatic impact on BIPA litigation. However, questions remain as to whether the Act applies to pending BIPA litigation.

At the very least, this amendment will provide clarity going forward for organizations looking to use biometric information.

The impact of this amendment will be felt outside of Illinois. BIPA was the first statute in any state to address the collection and use of biometric data, and so many states have been monitoring developments with this law. The amendment is expected to be a consideration for any state considering similar laws. 

The Constangy Cyber Team regularly counsels businesses of all sizes and industries on how to comply with the growing number of data privacy laws and regulations. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.

Cothron v. White Castle System, Inc. :: 2023 :: Supreme Court of Illinois Decisions :: Illinois Case Law :: Illinois Law :: US Law :: Justia

*Edwin Jones is a paralegal in the Cybersecurity practice group.

  • Todd  Rowe
    Partner

    As a member of the Constangy Cyber Team, Todd leads the investigation and evaluation of potential breaches of data security, such as those caused by ransomware, social engineering, or the compromise of business email accounts. He ...

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 

Subscribe

* indicates required
Back to Page