On Aug. 2, 2024, Illinois Gov. J.B. Pritzker signed Senate Bill 2979 into law, amending state’s Biometric Information Privacy Act (BIPA) to limit the number of violations that would equate to a claim under a private right of action. Among other things, BIPA requires businesses that collect biometric information, such as fingerprint or retina scans, to disclose to the individuals from whom the biometric information is collected the purpose of the collection and the duration that such information will be kept, and obtain consent for such collection. 

The amendments became effective immediately, meaning that any liability imposed after Aug. 2 will be significantly less for businesses found in violation.

While the law has been in existence since 2008, it did not become a prominent vehicle for class action litigation until nearly a decade after passage. Since 2019, when the Illinois Supreme Court held that a plaintiff need not have suffered any actual injury or damages to state a claim under BIPA, litigation under this unique law has exploded, resulting in countless multimillion dollar settlements.

More recently, the Illinois Supreme Court held in Cothron v. White Castle System, Inc. that a violation of BIPA occurs each time a person’s biometric identifier or information is scanned or transmitted. Prior to Cothron, the prevailing view in resolving BIPA litigation (which had largely otherwise gone untested) was that an individual was able to recover for only one violation, regardless of the number of times their biometric information had been collected in violation of BIPA.

Cothron has changed the analysis and created the potential for “annihilative liability,” as noted in the case. In response to the resulting “extraordinary damages on businesses” and the likelihood that BIPA would be used as “a vehicle for litigants to [] to extract massive settlements,” the court’s majority “respectfully suggest[ed] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages” under BIPA.

With the amendments, Illinois’ legislature seems to have heeded the court’s suggestion, attempting to address the policy concerns raised in Cothron. The amendments clarify the damages individuals are entitled to when private entities violate Section 15(b) and Section 15(d) of BIPA. The additional language states: “a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subsection (b) of Section 15 has committed a single violation of subsection (b) of Section 15.” Section 15 (d) regulates the disclosure, re-disclosures, and dissemination of biometric identifiers or information, limiting multiple instances of disclosure to one single violation. As such, a plaintiff may only recover for one violation – a penalty of $1,000 for negligent violations and $5,000 for willful violations – rather than recover for a violation each time their biometric information is collected or disclosed.

The amendments also now define “electronic signature” as “an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.” This updated definition has modernized BIPA to reflect the manner in which many private entities receive informed consent, i.e., through electronic acknowledgments that do not capture an individual’s signature.

While their application remains to be seen, it is likely that these amendments will be much appreciated by Illinois businesses presently defending against BIPA claims. Liability for BIPA violations likely will continue to be steep, but the new law provides a welcome ceiling to potential excess liability. Illinois businesses should consider reviewing their biometric policies and procedures to ensure they are compliant with the law.