Illinois recently passed SB2979, amending the state's Biometric Information Privacy Act (BIPA). This amendment narrows the scope of liability for businesses that collect biometric data, addressing concerns raised by the Illinois Supreme Court in Cothron v. White Castle System, Inc., 2023 IL 128004. In its opinion, the court had suggested legislative review of BIPA's potential for excessive damages, and SB2979 now aims to provide that clarity.
Key Changes Introduced by SB2979
Limitation of Liability for Multiple Violations
Before the passage of SB 2979, the consequences for employers failing to comply with BIPA were substantial. Violations could result in penalties of $1,000 for negligent breaches, $5,000 for intentional or reckless violations, or the amount of actual damages, whichever was higher. However, SB2979 has considerably reduced the potential liability by stipulating that a private entity is responsible for only one violation, regardless of how many times it collects, discloses, or disseminates an individual's biometric data when using the same collection method. The amendment further clarifies that an individual can only recover damages once for such violations, provided the same method of collection was used. Notably, individuals may still seek separate recoveries if the private entity employed more than one method of collecting biometric data.
Electronic Signature
One significant change is the amendment's definition of "electronic signature." The new definition clarifies that an electronic signature can include "an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record." This ensures that a written release, which is required before the collection of biometric data, can be obtained electronically.
Repeated Violations
Moreover, SB 2979 addresses the issue of repeated violations, a true point of continued contention in BIPA litigation. According to the amendment, when a private entity collects, captures, or otherwise obtains biometric data from the same person using the same method more than once, it constitutes a single violation. This means that, no matter how many times the same biometric identifier is collected or disclosed, the plaintiff is only entitled to recover damages for the initial violation.
The amendment also clarifies that the number of times the biometric information is disclosed, redisclosed, or disseminated does not increase the number of violations. Therefore, damages are limited to the first unauthorized collection, significantly reducing the potential financial exposure for businesses.
Legislative Response to Cothron v. White Castle
The Illinois Supreme Court in the Cothron case, highlighted the risk of excessive damage awards under BIPA, which could arise from multiple violations of the same biometric data. The court invited the legislature to address this issue, and SB2979 is a direct response to that invitation. By restricting damages to a single violation per method of collection, the amendment curtails the possibility of punitive financial penalties from repetitive claims for the same data.
Effective Immediately
This amendment took effect immediately upon Governor Pritzker's signing on August 2, 2024, prompting a sigh of relief from businesses concerned about the financial risks associated with BIPA litigation. By defining violations more narrowly, SB 2979 strikes a balance between protecting individual privacy and preventing excessive penalties for businesses.
Moving Forward
This legislative action marks a shift in Illinois' approach to biometric privacy, signaling a more business-friendly stance while maintaining protections for biometric data collection and use. Businesses operating in Illinois will need to review their compliance policies to ensure they meet the updated requirements of the amended Biometric Information Privacy Act.
Entities collecting biometric data should also remain vigilant about compliance with BIPA's requirements, including obtaining proper consent, maintaining secure storage of biometric data, and limiting disclosures. Though SB 2979 limits liability for repetitive violations, the underlying protections for biometric privacy remain critical, and violations can still result in significant financial penalties.
To view the full text of the amended bill please visit: https://legiscan.com/IL/text/SB2979/id/2908858.