New Illinois BIPA Amendment Eases ‘Annihilative Liability’ Fears

Illinois’ Biometric Information Privacy Act (“BIPA”) has been in effect since 2008 and has long been regarded as the strongest biometric information privacy law in the country. This designation was due in part to BIPA’s private right of action and availability of statutory damages, which attracted significant class action activity and resulted in notoriously large verdicts and settlements. To reduce these crippling damages,  Illinois recently amended BIPA to limit the penalties companies can face for improperly collecting biometric data, such as fingerprints or facial scans from security cameras, from employees or other individuals. The amendment – S.B. 2979 – passed the Illinois legislature in May 2024 and was signed into law by Illinois Governor J.B. Pritzker on August 2.

BIPA limits how businesses can use and store individuals’ biometric information, such as fingerprints, retina scans, and face scans. The law requires companies to meet various requirements, including obtaining written consent and posting their policies regarding biometric data before they can use or store biometric information.

Prior to the amendment, each instance of improperly collecting biometric information was a separate violation of BIPA. For employers using biometric timeclocks, for example, this meant that each time an employee clocked in and out was considered a separate claim. With statutory damages of $1,000 for negligent violations and $5,000 for intentional or reckless violations, liability for companies could be astronomical. As violations compound, even small businesses could face seven-figure damages awards if they had collected biometric information for several years.

The BIPA amendment seeks to avoid these consequences. Effective immediately, the amendment confirms that repeated collection of the same biometric data without consent is deemed a single, collective violation.

This change is a significant departure from the judicial precedent set by the Illinois Supreme Court in its 2023 decision in Cothran v. White Castle Sys. Inc. In that case, the Court found that the company had repeatedly scanned fingerprints of nearly 9,500 employees. With each instance deemed a separate violation, the company estimated the penalties could be as much as $17 billion. The Illinois Supreme Court rejected the dissent’s argument that assessment of penalties for each scan would be “annihilative liability” for companies, noting that damages are not mandatory under the statute’s language and that lower courts will still have the discretion to fashion remedies that do not bankrupt defendants. The Court also suggested that the Illinois legislature review and reform the statute if it intended a different outcome – which is precisely what the Illinois legislature did with this amendment by deeming repeated collection of the same biometric data a single violation. However, the amendment did not explicitly state whether it applies retroactively, leaving uncertainty about the exposure for past BIPA violations.

Industry insiders hope that not only will the new law create clarity and ease the fears of shockingly large damages awards, but it will also make insurers more comfortable covering BIPA and other privacy claims in their cyber policies. Companies should continue to review their biometric data practices and ensure their policies are compliant with BIPA and other biometric information privacy laws across the country.

Attorneys from our Employment & Executive Compensation Group and Data Privacy and Cybersecurity Team are available to help you ensure that your business is compliant with BIPA and help mitigate any exposure.