By: Jamie Filipovic, Partner & Ty Hughes, Law Clerk
After several prior futile attempts to amend the Illinois Biometric Information Privacy Act (“BIPA”), late on Friday August 2, 2024, Governor Pritzker signed Senate Bill (SB) 2979, amending the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (BIPA). This Amendment greatly reduces potential BIPA liability to Illinois Business owners. SB 2979 was brought in the Illinois Senate on January 31, 2024, at least in part, to address last year’s Illinois Supreme Court’s holding in Cothron v. White Castle System, Inc., 2023 IL 128004. Cothron established that Sections 15(b) and (d) of BIPA accrue “with every scan or transmission” of alleged biometric identifiers or biometric information without prior written consent. At $1,000 per violation ($5,000 if willful), the damages could rise exponentially, especially for those employees clocking in and out of biometric time clocks several times a day.
Due to the possibility of “damages awarded that would result in the financial destruction of a business financial” the Cothron Court suggested legislative involvement to address those matters when further stating that “policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature” and “that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.” Id.
Noting the Illinois Supreme Court’s concerns, SB 2979 clarifies language in Section 20 of the BIPA, which address damages a party may recover under the ACT:
(b) For purposes of subsection (b) of Section 15, a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subsection (b) of Section 15 has committed a single violation of subsection (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section.
(c) For purposes of subsection (d) of Section 15, a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of subsection (d) of Section 15 has committed a single violation of subsection (d) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient.
SB 2979 also clarifies how a company can obtain consent through electronic means. The amendment adds the defined term “electronic signature,” which is “an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.” Additionally, SB 2979 added “electronic signature” to BIPA’s definition of “written release,” defining it as “informed written consent, electronic signature, or, in the context of employment, a release executed by an employee as a condition of employment.”
SB 2979 took effect immediately when signed (Aug. 2, 2024). While future matters and decisions are mandated under the newly amended BIPA, there is nothing that explicitly states that the amendments are retroactive. However, there is legislative history and intent showing that SB 2979 was to limit damages to a single violation and prevent ruinous damages and concerns the Supreme Court spoke to in Cothron, and as such, those with pending BIPA cases should review and update their defenses accordingly. Although helpful to limit damages, this Amendment will be unlikely to do away with the ubiquitous filings of the BIPA lawsuits, and therefore, companies should continue to review their current policies and practices to ensure compliance.