On May 16, 2024, the Illinois Legislature passed a landmark bill, SB 2979, which amends the Illinois Biometric Information Privacy Act (BIPA) for the first time since its inception. The new legislation seeks to clarify aspects of the Act that some claim place undue hardships on businesses. The bill awaits the signature of Governor Pritzker and does not go into effect until signed.
What is BIPA?
Under the Illinois Biometric Information Privacy Act (BIPA), companies doing business in Illinois are required to comply with a number of requirements regarding the collection, storage, and security of certain biometric information. BIPA provides, among other things, that companies must obtain written consent from the individuals if the company intends to collect or disclose personal biometric identifiers, disclose the length of time those biometric identifiers will be used, and provide a timeline for the destruction of stored biometric identifiers.
Last year, the Illinois Supreme Court, in Cothron v. White Castle System, Inc., ruled that each scan or instance of collection constituted a separate violation of § 15(b) of BIPA, which meant that a plaintiff could recover statutory damages for each separate instance that their biometric data was collected. For example, if an entity scanned a plaintiff’s fingerprints 10 times without the plaintiff’s informed written consent, the plaintiff could recover up to $50,000 (10 times the maximum statutory damages of $5,000 per violation of BIPA).
How SB 2979 Amends BIPA
Under SB 2979, two primary amendments have been made to BIPA:
- Single Violation for Multiple Scans: If a private entity collects, captures, purchases, receives, or otherwise obtains the same biometric identifier or information from the same person more than once using the same method of collection, it is considered a single violation. This means that, in the above example, the person whose fingerprints were scanned 10 times in violation of BIPA would be entitled to recover a maximum of $5,000 because the 10 scans are counted as a single violation of the statute.
- Single Violation for Multiple Disclosures: Similarly, if a private entity discloses, rediscloses, or disseminates the same biometric identifier or information from the same person to the same recipient more than once using the same method, it is also deemed a single violation.
In addition to these two provisions, the language in the bill was updated to allow an electronic signature to be an acceptable form of written release for obtaining consent.
What This Means for Biometric Privacy in Illinois
The passage of SB 2979 follows several unsuccessful attempts to more heavily amend BIPA, including HB 3811 proposed last year. Both the Illinois legislature and Chamber of Commerce have called for BIPA reform to protect businesses from “undue financial burdens” in the wake of the Illinois Supreme Court’s decision in Cothron.
While it is too soon to say how SB 2979 will impact the future of biometric litigation in Illinois, the law as amended retains a private right of action and leaves intact the requirements that companies must adhere to when obtaining or storing the biometric data of Illinois residents.
WBE is a leader in biometric privacy litigation in Illinois. To learn more about our work, click here.
0 Comments