The Illinois Biometric Information Privacy Act has become a hot topic within recent months, due largely in part to massive payouts in the courts and new proposed legislation to modify the law. Earlier this year, state Sen. Bill Cunningham (D-18th Dist.) introduced a BIPA amendment, titled Senate Bill 2979, which passed the House and Senate chambers in May. The bill is sitting on the desk of Gov. J.B. Pritzker (D), awaiting his signature. The Governor is expected to sign, but if he has taken no action by August 13, the amendment will take effect automatically.
Follow along below for a breakdown of the proposed amendments and what they may mean for your business!
What is the BIPA?
The Illinois Biometric Information Privacy Act, or “BIPA,” was enacted in 2008 and protects biometric information by prohibiting anyone from collecting such information without prior written consent. Due to ambiguity in the language of the BIPA, the damages provision has been interpreted to allow employees to collect damages for each and every time that their biometric information is collected without their consent. In cases involving biometric time clocks, this could amount to more than 1,000 times each year. With a statutory damages penalty of $1,000 per negligent violation and $5,000 per reckless or intentional violation, the enactment of BIPA has cost businesses millions of dollars in penalties.
The proposed Amendment
Due in part to a 2023 decision from the Illinois Supreme Court, state legislators decided than an amendment to the 2008 bill was long overdue. In Cothron v. White Castle System, Inc., the defendant argued that if each scan of an employee’s fingerprint on a timeclock constituted a separate violation, it could result in “annihilative” damages, but the Court held that reforming the law to decrease the potential for such damages was for the legislature, not the courts. On January 31, 2024, Sen. Cunningham introduced S.B. 2979. Within four months, the bill passed both the House and Senate chambers. The Act’s proposed amendments would limit accrual of damages for BIPA violations by providing that employers would be liable only for the initial violation rather than for every violation. This would amount to only one BIPA violation per employee, drastically reducing the amount of damages that a class would be eligible to receive.
(The Cothron case has provisionally been approved to settle for an astronomical $9.4 million.)
Another change under the amendment would add language allowing the required written releases to be offered through informed written consent, electronic signature, or, in the context of employment, a release executed by an employee as a condition of employment. The use of electronic signatures could make it easier and faster for employers to obtain employee consent.
Pending BIPA cases and retroactivity
The BIPA amendment states that it will take effect upon becoming law. What does that mean for BIPA cases that are pending in court? It is not clear. The amendment does not address retroactivity, which leaves room for interpretation and potential challenges in court. Under Illinois law, when an amended statute is silent on retroactivity, the courts must evaluate whether the relevant provision of the amendment is “substantive” or “procedural.” If the provision is “substantive,” then it does not apply retroactively. But if the provision is “procedural,” it does.
Damages provisions are usually seen as procedural, so there are strong arguments that the amendment should apply retroactively and therefore offer some relief to employers who are currently defending BIPA cases in court. However, because the amendment would reduce a plaintiff’s potential recovery so drastically, we would expect plaintiffs’ attorneys to contend that the damages change is substantive and therefore does not apply retroactively.
Employers with pending BIPA cases will have to wait to see how the courts rule on this issue.
Tips for employers
Although SB 2979 clears up some of the ambiguous language that has been the law since its passing more than 15 years ago, there is still plenty of room for a creative plaintiff attorney’s interpretation. Therefore, it is crucial to communicate with your attorney in order to fully understand the BIPA.
Before putting into place any new technology that collects and stores employees’ biometric information, it is important to thoroughly assess the type of information that would be collected and where it would be stored. Even if a third-party vendor is involved, that does not mean that your business will be protected from liability for violations. Thus, it is crucial to speak with your compliance team and your attorney before you give approval to any such technology in the workplace. A program that seems as though it will save time and money in the present may end up costing your company millions in the long run.