An amendment to Illinois’ biometric privacy law, the Illinois Biometric Information Privacy Act (“BIPA”) has finally become law. And, this amendment implements major changes to how damages accrue under BIPA.
Background
Passed in 2008, BIPA has gained national recognition over recent years as one of the most stringent (and earliest) biometric laws in the United States. BIPA governs the collection, use, disclosure, and storage of individuals’ unique biometric information, such as fingerprints, hand scans, facial recognition data, and retinal or iris scans. Dozens of court opinions have been inked over its interpretation across various jurisdictions (including the Illinois Supreme Court opinion Cothron v. White Castle Sys. that precipitated the amendment). BIPA has garnered billions of dollars in settlements collectively, and even an initial $228-million jury verdict, which was later vacated and settled for $75 million.
The Act and Prior Litigation
Notably, dozens of attempts to amend BIPA over the last decade have failed. Some have doubted an amendment would ever pass but the day is finally here. On August 2, 2024, Governor J.B. Pritzker signed into law an amendment to BIPA, SB2979 (now Public Act 103-0769) (the “Act”).
The Act amends certain provisions of BIPA, including Sections 15(b) (collection) and 15(d) (sharing) of biometric identifiers or biometric information, collectively “biometrics.” The Act clarifies that multiple collections of a person’s biometrics using the same method of collection is considered a single violation of BIPA entitling an individual to, at most, one recovery under that section. Likewise, the sharing of the same biometrics to the same third party using the same method is considered only one violation. For example, many plaintiffs allege that it is a separate violation each time an employer shares the scan of a fingerprint with a third-party payroll processor, or vice versa depending on the theory of who initially “collected” the data. The Act further provides that BIPA’s “written release” requirement may be met by an electronic signature.
This Act effectively overturns an aspect of the Illinois Supreme Court’s decision last year in Cothron v. White Castle Sys., Inc., 2023 IL 128004. Some plaintiffs have asserted that the Court opened the door to seek per-scan damages when it held that a separate BIPA claim accrued with each scan or transmission. The Court recognized its decision could lead to astronomical damages like the potential class-wide damages exceeding $17 billion based on the plaintiff’s complaint, but the Court concluded its opinion by “respectfully suggest[ing] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.” Cothron, 2023 IL 128004, ¶ 43. The legislature answered the Supreme Court’s call by passing Senate Bill 2979 in both houses, and the Governor endorsed it with his signature.
Where BIPA Goes from Here
The new Act is considered a win for Illinois businesses, but the next anticipated battleground will be whether the amendment applies retroactively to purported violations that occurred prior to the passage of the amendment. The language of the Act stated it became effective immediately upon the Governor’s signature which occurred August 2, 2024. However, hundreds of BIPA cases are already pending on court dockets throughout the country in state and federal courts. To the extent the plaintiffs in those cases are seeking per-scan damages, the retroactive application of the Act will need to be addressed. In the wake of Cothron, dozens of cases on behalf of one or a few plaintiffs seeking per-scan damages have been filed. Additionally, many plaintiffs in class actions have taken the position that they are entitled to per-scan damages. Therefore, the Act may be subject to judicial interpretation including whether it applies retroactively and potentially the meaning of what constitutes the same method of collection.
Will the statute apply retroactively?
It depends! The language in the Act does not prohibit it applying retroactively, nor does it expressly state that it applies retroactively. That would be too easy. Rather, courts will need to analyze retroactivity under case precedent.
In Illinois, an amendment to a statute generally applies prospectively, but it can be apply retroactively where the legislature intended and the amendment relates to changes in procedure or remedies rather than substantive rights. Additionally, Illinois courts have found it appropriate to apply an amended statute retroactively if a law is amended to “clarify” an existing law. Companies may argue the Act is procedural in nature because it relates to the statutory recovery available, i.e., remedies. Notably, the amendment was a direct a response to the Illinois Supreme Court’s call in Cothron to clarify the damages provisions under BIPA.
Will BIPA lawsuits substantially diminish?
Likely, no, for several reasons. First and foremost, so long as BIPA contains a private right of action and companies continue to use or implement new technologies, BIPA is not going away. BIPA is still the only state law in the United States that allows for a general private right of action wherein any individual can sue a private entity to recover statutory damages. Washington and New York have biometric laws that include a private right of action but on a much more limited basis. And BIPA has been heavily litigated, but most of the litigation has addressed the same few provisions. Previously untested provisions of BIPA are continually challenged, such as when the financial exemption applies and the interpretation of collection and possession under the BIPA. The question of what exactly BIPA covers is a source of significant litigation. For example, Zellmer v. Meta Platforms, Inc., 2024 WL 3016946 (9th Cir. June 17, 2024)is a recent opinion expected to impact BIPA litigation because it confirmed that information must be used to identify, or at the very least be capable of identifying, a specific individual to fall within the scope of BIPA. This holding rejected a broader reading put forward by the plaintiffs’ bar and undercuts the viability of BIPA lawsuits arising out of technology that does not operate to identify individuals.
Second, prior to Cothron and the rise of per-scan damages theories, settlements were already staggering. For example, Facebook previously agreed to a $650-million class settlement, Snap Inc. agreed to a $35‑million class action settlement, and TikTok agreed to a $92‑million class action settlement involving BIPA claims. White Castle also just recently to a $9.39-million class settlement related to the Cothron case which involved employment-related claims. Notably, the one jury verdict for $228 million was not based on a per-scan theory for fingerprint scans but rather a calculation of the 45,600 class members and $5,000 in statutory damages per individual for a single violation. The verdict was vacated by the judge, who later found the jury had discretion to award less than the $5,000 based on language from the Illinois Supreme Court in Cothron, 2023 IL 128004.
Lastly, since the rise of BIPA class actions lawsuits began around 2019, a surge of data protection statutes have been enacted throughout the United States and around the world. This developing legal area will only continue to grow. Not only the initial enactment, but various jurisdictions have amended their privacy and security laws or enacted new ones requiring even greater protections. The way businesses collect and use personal data is experiencing extreme growth due in part to new laws, as well as enforcement by several regulatory authorities that have imposed stiff penalties on businesses, such as the Federal Trade Commission, state attorney generals, and even the U.S. Department of Justice. Like other areas of privacy, the regulation of biometric information remains a focus. Outside of Illinois, the Attorney General just announced a historic $1.4-billion settlement with Meta related to the collection of biometric information under Texas law. Needless to say, for reasons locally and beyond, BIPA should remain on companies’ radar as they use technology to assist with various business models and employment matters.