BIPA damage limitation applies retroactively to pending class actions: court

Illinois’ infamous biometric data privacy law has lost some of its sting. A ruling from the U.S. Court of Appeals for the Seventh Circuit says the 2024 amendment to Illinois’ Biometric Information Privacy Act (BIPA) limiting damages applies retroactively to pending cases.
BIPA requires organizations to acquire consent prior to collecting a person’s biometric data for commercial purposes. A post on Hunton’s Privacy & Cybersecurity Law Blog explains the amendment, which clarifies that “repeated collection of the same person’s biometric data using the same method counts as a single violation, rather than one violation per scan.” In doing so, it reverses a 2023 decision by the Illinois Supreme Court confirming that damages should be awarded on a “per-scan” basis.
In other words, a face scanned a hundred times by the same retailer has only been scanned once in the eyes of the law. Likewise, an employee whose fingerprint has been scanned thousands of times without the employer obtaining proper consent can seek damages for only one violation.
After a period of uncertainty, that rule limiting damages now applies retroactively to cases that were already pending when the law took effect. The court “reasoned that the 2024 amendment was remedial, not substantive, because it limited recoverable damages without changing the underlying right to sue, and, therefore, applied retroactively. As a result, plaintiffs can no longer seek per‑scan damages for repeated biometric collections involving the same person and method.”
The crux is that BIPA will no longer be a cash cow for class actions, since potential damages are awarded per person, rather than per scan.
Human Resources Director Magazine offers a view from the perspective of Illinois employers. “Employers who collect biometric data through time clocks and access systems still need to comply with BIPA’s consent and notice requirements – those obligations have not changed at all. But the financial exposure for past noncompliance has shrunk dramatically. Instead of facing damages multiplied by every scan across every employee, companies now face per-person liability.” Upper limits on the amount of damages available to plaintiffs are set at $5,000 for violations of BIPA sections (b) or (d).
Which is to say, bucking BIPA will now do much less damage to the pocketbook.