On Aug. 2, 2024, Illinois Governor J.B. Pritzker signed SB 2979 into law, bringing significant reform to the state’s Biometric Information Privacy Act (BIPA). The much-anticipated BIPA amendment took effect immediately and will provide welcome relief to businesses. The amendment allows written releases to be executed by electronic signature and drastically limits the damages an “aggrieved person” accrues in BIPA litigation. By ending the per-scan violation, the amendment directly responds to the Illinois Supreme Court’s ruling in Cothron v. White Castle Systems, Inc.

What is BIPA?

In 2008, Illinois became the first state to enact a biometric data privacy law aimed at regulating how private entities handle biometric data, including collection, use, and storage. BIPA provides robust protections against the misuse and unauthorized access to individuals’ biometric information. The Illinois General Assembly designed BIPA to safeguard individuals’ unique biometric data such as fingerprints, hand scans, facial recognition data, and retinal or iris scans. This measure was taken because biometric data is inherently unique to each individual and cannot be changed, unlike other forms of identification. Once biometric data is compromised, an individual is at heightened risk for identity theft, and thus, people may be reluctant to engage in biometric-based transactions.

Noncompliance with BIPA results in substantial fines to businesses. The act provides individuals with a private right of action if they have been “aggrieved” by a BIPA violation. Successful plaintiffs may recover $1,000 for each negligent BIPA violation and $5,000 for each intentional or reckless BIPA violation.

Cothron v. White Castle System, Inc.

In February 2023, the Illinois Supreme Court issued a pivotal ruling in Cothron v. White Castle System, Inc. The court held that a separate claim accrues under BIPA each and every time a private entity captures or collects a person’s biometric identifier or information without consent. This interpretation significantly increased potential liabilities for businesses, as each unauthorized scan or transmission constituted a new violation. Fingerprint time clocks, prevalent in hourly workplaces, drive a substantial number of BIPA lawsuits.

Consider that each employee at a fast-food restaurant may have six time-tracking scans per day — scanning in, lunch and other breaks, and scanning out — totaling 30 scans per week (given a five-day work week). Per employee, potential damages could reach $30,000 for unintentional violations and $150,000 for intentional violations in a single week. If the time clock transmits the biometric data to a payroll vendor, a second violation occurs upon each scan. Over the five-year statute of limitations period, these damages can accumulate significantly; a single employee could claim more than $70 million in liquidated damages for intentional biometric time clock violations. In White Castle’s case, the sliders purveyor faced roughly $17 billion in damages. On Aug. 1, 2024, the court granted the fast-food chain a reprieve by giving preliminary approval to a $9.39 million class settlement, likely ending the litigation.

August 2024 Reform

Governor Pritzker’s signing of SB 2979 essentially overrules the Illinois Supreme Court’s interpretation in White Castle. The new legislation aims to balance individual privacy protection with the practical needs of businesses.

The amendment limits the number of violations and damages an “aggrieved person” can claim in a lawsuit. It specifies that a private entity collecting or obtaining the same biometric identifier from an individual using the same method is considered to have committed a single BIPA violation, regardless of how many times the collection occurred. Similarly, disclosing or disseminating the same biometric data from the same person to the same recipient using the same method also constitutes a single violation. These limitations aim to reduce businesses’ liability and litigation costs associated with multiple claims for the same actions under BIPA. Thus, a single fingerprint time clock will typically create two violations per employee — one for the collection of biometric data and one for transmitting it to the payroll vendor — instead of 60 times per week per employee.

The new legislation retains the existing requirements for obtaining written consent, providing notice, and implementing security measures for biometric data. However, the amendment expressly permits the use of an “electronic signature” as a valid method of “written release” as defined by the statute. Previously, the statute did not clarify whether an electronic signature was an appropriate method for affixing a signature.

Will the Amendment Impact Ongoing BIPA Litigation?

The amendment remains silent on its applicability to existing BIPA litigation, a point of contention since its proposal. Indeed, several influential business groups, including the Illinois Chamber of Commerce, refused to support the amendment because it was not expressly retroactive. However, strong arguments exist for its retroactive application. Although Illinois law generally presumes against retroactivity of substantive statutory amendments, the BIPA amendment affects remedies — specifically, liquidated damages — and could be considered procedural rather than substantive in nature. Thus, the courts’ decision on the amendment’s retroactive application remains to be seen. Importantly, the mere existence of the amendment may provide leverage for employers facing existing lawsuits when the amendment became law.

The Bottom Line

The amendment represents a crucial move towards shielding businesses from existential legal consequences. The amendment appears to safeguard BIPA’s original intent — protecting individuals’ rights to keep their biometric data private — while removing the likely unintended consequence of harming businesses and innovation. Going forward, BIPA restricts employees to a single claim per section of the BIPA statute, effectively lowering litigation risks and controlling costs for businesses. However, the statutory damages remain harsh and still pose significant challenges for companies handling unauthorized biometric data. As a result, businesses collecting and using biometric information must take proactive measures to ensure full compliance with the law and avoid substantial legal consequences.

New legislation may bring about new challenges for businesses. For questions regarding how these changes may affect business practices,  reach out to a Taft attorney.