BIPA one step closer to seeing its first major change since 2008 inception
On Thursday, a bipartisan majority in the Illinois Senate approved the first major change to Illinois Biometric Information Privacy Act since it first passed back in 2008. This is in response to companies being held liable for astronomical sums in penalties.
Over 2,000 BIPA lawsuits have been filed since 2018. In the largest settlement to date, Facebook paid $650 million in 2020 to over 1 million Illinoisans, amounting to $400 per each person.
The scale of penalties under BIPA changed with a precedent-setting decision last year. A White Castle employee sued after she was required to submit fingerprint biometrics to a third-party vendor in order to receive her pay stub since she began working for the company in 2004. She alleges her employer did not obtain consent to collect her biometric data until 2018, over 10 years after BIPA was set into motion.
The Illinois Supreme Court found that White Castle would be responsible for a penalty per each instance of violating BIPA – each time employees scanned their fingerprints. White Castle would therefore face up to $17 billion, as they would face $1,000 in damages accruing with each “negligent” violation or $5,000 per each “reckless” or “intentional” violation.
The court “respectfully suggest[ed]” lawmakers review BIPA “and make clear its intent regarding the assessment of damages under the Act.”
In response, lawmakers passed Sen. Bill Cunningham’s Senate Bill 2979 by a 46 to 13 vote, with bi-partisan support. The law would make it so only the initial collection of a piece of biometric data amounts to a violation, rather than one per each scan.
“The businesses that have failed to follow the law by getting consent to use biometric materials should be held accountable, but it is important that the punishment fits the crime,” said Cunningham, according to The Center Square. “Right now, I don’t think the law in this state accomplishes that.”
“We are a true outlier in this country,” said State Sen. John Curran, who wishes for further changes. “This is not a law that other states are saying Illinois got it right and we are going to follow suit and model the Illinois law.”
The bill also allows for consent to be granted through electronic signatures.
Implications of Senate Bill
“SB 2979 is a direct response to the Illinois Supreme Court’s February 2023 ruling in Cothron v. White Castle Sys., Inc., 2023 IL 128004, which adopted the continuing theory of claim accrual for BIPA violations,” writes Baker Donelson Of Counsel David J. Oberly in an email to Biometric Update on the Senate approval. “As a result, BIPA damages are now calculated on a per-violation, as opposed to per-plaintiff, basis. Thus, as the law is currently written, companies face the real threat of millions, if not billions, in BIPA liability exposure, even for mere technical violations of the law.
“The Cothron court recognized this issue, noting that BIPA, in its original form, exposed private entities to potentially ‘ruinous’ damages. Ultimately, however, the Illinois Supreme Court found that policy-based concerns about potentially excessive statutory damages awards were best addressed by the Illinois legislature, and not the court. While the Cothron court deferred to the legislature, it also voiced the need for the Illinois General Assembly to review these policy concerns and ‘make clear its intent regarding the assessment of damages’ under BIPA.
“SB 2979 seeks to address these issues highlighted in Cothron by making wholesale changes to BIPA’s damages provision, 740 ILCS 14/20. SB 2979 would do so by modifying the law’s statutory damages scheme such that ‘an aggrieved person is entitled to, at the most, one recovery . . . regardless of the number of times’ a violation occurred. The impact of this change to Illinois’s biometrics statute cannot be overstated, as recoverable statutory damages in most cases would be limited to a single recovery, i.e., at the most $5,000 per plaintiff for intentional/reckless non-compliance with the law. In short, SB 2979 would fundamentally alter the trajectory of BIPA class action litigation moving forward.
“However — if history is any indication — SB 2979 faces an uphill battle in making its way into law. A number of similar amendments seeking to revamp BIPA’s damages scheme have been introduced by Illinois lawmakers in previous years, but all have stalled out before gaining any significant traction. For SB 2979 to become law, it would need a majority vote from the Illinois House, as well as subsequent action from the Illinois governor (who would need to sign the bill or fail to take action within 60 days, either of which would allow the bill to become law). Of note, during the last legislative cycle (from 2021 to 2023), the Illinois House considered — and rejected — a similar BIPA amendment, HB 559.
“With that said, the legal and political environment has changed significantly over the last 18 months, particularly in light of the Cothron decision. This may alter the trajectory of SB 2979 as compared to similar legislative proposals that were previously considered and rejected.
“Ultimately, while it is yet to be seen whether SB 2979 will avoid the pitfalls of prior proposed BIPA amendments before it, all interested parties should make sure to monitor the progress of this bill as we move forward further into 2024.”
Article Topics
biometric data | Biometric Information Privacy Act (BIPA) | biometrics | data privacy | David Oberly | lawsuits | legislation
Comments