In a major change to a law that produced extraordinarily high damages claims and settlements, the Illinois General Assembly amended the Biometric Information Privacy Act (BIPA) to substantially reduce potential liability for defendants. SB 2979, which was signed into law by Governor J.B. Pritzker on August 2, 2024, and is effective immediately, provides that a private entity that collects or discloses "the same biometric identifier or biometric information from the same person using the same method of collection" in violation of BIPA has only committed a single violation for which the aggrieved person is entitled to, at most, a single damage recovery.

Until now, courts awarded BIPA damages on a per individual, per instance basis for every violation, which led to astronomical damage calculations for businesses that violate the law over time. For example, a business using a biometric timekeeping system that collected and used fingerprint scans to clock employees in and out of work each day for years might be faced with damages for tens of thousands of "violations."

The new amendment reverses course from awards of potentially "ruinous" damages that were initially recoverable for violations of BIPA.[1] The amendment also clarifies that consent may be captured via an electronic signature, which is now a defined term under BIPA. Our previous posts on BIPA provide additional context and background.

BIPA Structure and Private Right of Action

Under BIPA, no private entity may "collect, capture, purchase, receive through trade, or otherwise obtain" a person's or a customer's biometric identifier[2] or biometric information,[3] unless it (1) provides notice that a biometric identifier or biometric information is being collected or stored; (2) states the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) obtains a written release (i.e., "consent") from the data subject.[4] Similarly, no private entity in possession of biometrics may "disclose, redisclose, or otherwise disseminate" biometric data unless similar conditions are met. Finally, any entity in possession of biometric data must "develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information" under specified conditions.

The main source of risk under BIPA is that it provides a private right of action to any person aggrieved by a violation. Prior to the amendment, the failure to develop a compliant policy, each and every collection of biometrics (perhaps even multiple collections in one day), and each and every disclosure (also possibly multiple disclosures in one day) could subject an entity to an award of actual or liquidated damages, whichever is greater, of up to $1,000 for each violation, or up to $5,000 for each intentional or reckless violation, as well as attorney's fees or other relief (such as an injunction). Illinois is the only state that authorizes a private right of action with statutory damages for collection or disclosure of biometric information without valid written consent, which attracted substantial litigation to the state.

Adding to the peril, an Illinois Supreme Court ruling in 2019 held that individuals were "aggrieved" and had standing to sue for damages under BIPA without any "actual injury or adverse effect, beyond violation of his or her rights under the Act."[5]

Concerns Over Undue Financial Burden on Businesses

Two noteworthy cases, Rogers v. BNSF Railway Co. and Cothron v. White Castle Sys. Inc., demonstrate the risks of multipliers to these damage awards that businesses previously faced under BIPA in class actions.

In Rogers, BNSF engaged a vendor to install and manage gate control systems that allowed automated entry after scanning a driver's fingerprints and comparing them to the registered drivers' fingerprints in the database maintained by BNSF's security vendor. However, the system registration process did not provide notice of the purpose for which the fingerprint data was being kept, require written consent from the drivers, or inform the drivers where and for how long their fingerprint data would be stored.

The jury found that BNSF violated BIPA 45,600 times and that it did so intentionally or recklessly. Based on this jury finding, the judge multiplied the number of violations by $5,000 for each intentional or reckless violation and entered a $228 million judgment against BNSF. Both parties filed post-trial motions to alter or amend the judgment or for a new trial.

While the post-trial motions were pending, the Illinois Supreme Court rendered its decision in Cothron v. White Castle Systems, which resolved a certified question from the 7th Circuit specifically asking the Illinois Supreme Court to determine whether claims under BIPA "accrue each time a private entity scans a person's biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission[.]" The court resolved the certified question finding that a party violates Section 15(b) of BIPA each time it collects, captures, or otherwise obtains a person's biometric information without prior informed consent.

In dicta, the court also stated that the plain language in BIPA's Section 20, under which a party "may recover" damages for each violation, meant that damages are not mandatory and did not require a calculation of the total number of violations times the amount of liquidated damages in all cases; damage calculations are instead left to the discretion of the jury.

Three justices (including the chief justice) dissented and noted that potentially "punitive, crippling … ruinous liability" was being imposed on businesses under BIPA and that the decision "will lead to consequences that the legislature could not have intended." The dissenters agreed with White Castle that a violation of the prohibition on collecting biometrics "occurred, if at all, the first time that her biometrics were collected by White Castle without her consent, not each subsequent time that her finger was rescanned," and that "subsequent scans did not collect any new information from plaintiff, and she suffered no additional loss of control over her biometric information."

White Castle argued potential damages may be as high as $17 billion if left unchecked, but the court dismissed those arguments as a matter best addressed by the Legislature. The dissenters opined that "for businesses facing this draconian exposure, it is cold comfort that this job destroying liability only 'may' be imposed—if the actual amount depends on the decisions of individual trial judges applying their own standards, formulated without any guidance from this court or the legislature."

Citing Cothron, the Rogers court then partially reversed course by granting a new trial because it found that BNSF was entitled to have a jury determine the appropriate amount of damages. After that ruling, BNSF ultimately agreed to pay $75 million to settle the case. The parties in Cothron also reached a settlement of $968 per class member, or roughly $10 million overall, a far cry from the $17 billion in damages White Castle could have faced, but still substantial.

Impact of the Amendment and Next Steps for Business Subject to BIPA

Under the new SB 2979 amendment, BIPA now limits damage calculations to one violation per individual for the repeated collections or disclosures involving the same individuals or entities, no matter how many times a person's biometric data was collected or disclosed to the same entity. This change validates the dissenting justices' opinion that the Legislature intended BIPA damage awards to be discretionary and based on a single violation per person (rather than per instance of data collection) and did not want to impose punitive liability on businesses, which may have stymied innovation and technology investment within the state if left unchecked.

The amendment is not expressly retroactive, so it remains to be seen how the plaintiffs' bar will litigate BIPA claims that involve collection or disclosure of biometrics that occurred before the amendment. The Cothron[6] decision after remand suggests that the discretionary aspect of damage awards could lessen the specter of ruinous liability regardless of when the BIPA violations may have occurred. Going forward, while the amendments limit violations to one per individual, the potential for damages of $1,000-$5,000 per individual may still prove costly.

Businesses seeking to implement biometric technologies should continue to review their practices to ensure that they provide adequate notice to subjects of biometric information collection and that they collect written consent that complies with requirements of the law.

We will continue to monitor BIPA-related cases and amendments. If you have questions or need additional assistance, please contact the authors or the DWT attorney with whom you normally work.



[2] "Biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. The definition excludes a myriad of items, including photographs, physical descriptions, and certain biological or health-care related data. See 740 ILCS 14/10. 

[3] "Biometric information" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers. See 740 ILCS 14/10. But see, DWT advisory noting that even though photographs are excluded, so that data derived from photographs would be excluded as well, photographs may indeed be covered if they are used to scan face geometry.

[4] See 740 ILCS 14/15 (b).