By Gerald L. Maatman, Jr., Ryan T. Garippo, and George J. Schaller
Duane Morris Takeaways: On August 2, 2024, Illinois Governor J.B. Pritzker signed Senate Bill 2979, which amends the draconian penalties under Sections 15(b) and 15(d) of the Illinois Biometric Information Privacy Act (the “BIPA”). Senate Bill 2979 and its reformed language can be accessed here. For Companies caught in the BIPA’s crosshairs, this reform ushers in a welcome reprieve to the former statute’s harsh regime of penalties.
Background On The BIPA’s Former Construction
The BIPA statute codifies restrictions against companies that collect biometric information and identifiers. See 740 ILCS 14/1. The rationale for this legislation was that “[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information” and as such, “[t]he full ramifications of biometric technology are not fully known.” Id. § 14/5(c)-(f). Consequently, the BIPA prohibited companies from “collect[ing], captur[ing], purchas[ing], receiv[ing]” or “disclos[ing], redisclos[ing], or otherwise disseminat[ing]” an individual’s biometric data. Id. § 14/15(b)-(d). The BIPA further imposed statutory damages in the amount of $1,000 for each negligent violation of the statute, and $5,000 for each intentional violation. Id. § 14/20.
As a result, what constituted a single “violation” of the BIPA had significant consequences for companies. If violations occurred on a “per person” basis, the highest amount of damages that a company could owe an individual was $1,000 or $5,000 respectively. However, if violations occurred on a “per scan” or “per incident” basis, companies would owe damages for each time that they collected or disseminated that data. Under the latter, companies could be required to sometimes pay “class-wide damages [that] . . . exceed $17 billion” dollars. Cothron v. White Castle System, Inc., 2023 IL 128004, ¶ 76 (Feb 17, 2023) (Overstreet, J., dissenting). Despite the legislature’s concerns with collecting biometric information, many companies argued that this outcome cannot be what the Illinois General Assembly intended.
Regardless, on February 17, 2023, the Illinois Supreme Court issued a landmark decision on this statutory question. The Supreme Court held that “the plain language of section 15(b) and 15(d) demonstrates that such violations occur with every scan or transmission.” Id. at ¶ 31. However, the opinion was not unanimous. Justice Overstreet objected to this interpretation of the statute and criticized the majority for adopting an interpretation that caused “Illinois businesses to be subject to cataclysmic, jobs-killing damages, potentially up to billions of dollars, for violations of the Act.” Id. at ¶ 73 (Overstreet, J., dissenting). But Justice Overstreets’ dissents were only dissents, and his interpretation of the law was not adopted.
Legislative Revisions To The BIPA Under SB 2979
On August 2, 2024, and over a year later, Governor Pritzker and the Illinois General Assembly vindicated Justice Overstreet’s dissents. They explained that “it does not withstand reason to believe the legislature intended this absurd result.” Id. SB 2979 makes two major corrections to the BIPA’s draconian reach. First, the reform removes “per scan” violations from the statute. Now, damages under Sections 15(b) and 15(d) of the BIPA accrue on a “per person” basis. Specifically, the statute now states:
(b) For purposes of subsection (b) of Section 15, a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subsection (b) of Section 15 has committed a single violation of subsection (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section.
(c) For purposes of subsection (d) of Section 15, a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of subsection (d) of Section 15 has committed a single violation of subsection (d) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient.
740 ILCS 14/20 (b)-(c) (emphasis added).
Second, the statute now also allows for companies to obtain a “electronic signature” in order to secure a release from BIPA liability. 740 ILCS 14/10.
Impact Of SB 2979 On Class Action Litigation Under The BIPA
The importance of this reform cannot be understated. For example, before SB 2979, at a company like the one in Cothron, where each employee “scans his finger (or hand, face, retina, etc.) on a timeclock four times per day — once at the beginning and end of each day and again to clock in and clock out for one meal break — over the course of a year,” that company would have collected a single employee’s “biometric identifiers or information more than 1000 times.” Cothron, 2023 IL 128004, ¶ 78 (Overstreet, J., dissenting). Over the course of five years, that same employee may have scanned over 5,000 times. Tims v. Black Horse Carriers, Inc., 2023 IL 127801, ¶ 32 (Feb. 2, 2023) (holding 5-year statute of limitations applies for violations of the BIPA).
Under those circumstances, at a rate of $1,000 per violation, a company may owe $5,000,000 to that employee alone. And, at a rate of $5,000 per violation, a company may owe $25,000,000 to that employee. After SB 2979’s passing, this exact same company would only owe $1,000 or $5,000 to each employee respectively. A such, this reform ushers in a new era of damages limits surrounding BIPA litigation, and peace of mind to corporate counsel charged with defending their companies from such massive liability.
Implications for Employers
As to companies currently engaged in BIPA litigation, there is reason to believe that such legislation may not be viewed as retroactive. However, even if this legislation is not retroactive, damages under the BIPA are discretionary and are not required to be imposed. See, e.g., Rogers v. BNSF Railway Company, 680 F. Supp. 3d 1027, 1041-42 (N.D. Ill. 2023). Companies can expect the retroactive-effect of SB 2979, or lack thereof, to be the next battleground for BIPA litigation.
Consequently, SB 2979 now places companies in the best position possible to avoid “this job-destroying liability” until the remaining BIPA cases work themselves through the judicial system. Cothron, 2023 IL 128004, ¶ 86 (Overstreet, J., dissenting). As those cases progress, companies should revisit to ensure continued compliance with the BIPA and monitor SB 2979’s impact in on-going BIPA cases.