The Illinois General Assembly has passed a bill prohibiting claims for per-scan damages under the Biometric Information Privacy Act (Privacy Act or BIPA), legislatively overruling the Supreme Court of Illinois’s interpretation of the act in Cothron v. White Castle Sys. Inc.
Quick Hits
- The Illinois legislature passed SR2979 to clarify that multiple alleged collections or disseminations of an individual’s biometrics constitute only a single violation of the Privacy Act and the individual is limited to only one recovery of statutory damages.
- Once signed, the bill will reverse a holding by the Illinois’s high court that had opened the door to potentially excessive damages awards against employers.
- The bill confirms that BIPA consents may be signed electronically, potentially ending efforts by BIPA class action attorneys to invalidate timely -signed consents merely because they were signed electronically.
On May 16, 2024, the Illinois House of Representatives voted to pass Senate Bill (SB) 2979, a week after the state Senate approved the bill. The General Assembly has thirty days to send the bill to Governor J.B. Pritzker, who has sixty days to sign it. It is anticipated that the bill will be sent quickly and signed immediately. The legislation will become effective when signed.
SB2979 legislatively overrules the Supreme Court of Illinois’s interpretation of what constitutes a violation of Section 15(b)’s “notice and consent” and 15(d)’s “unauthorized disclosure” requirements in Cothron v. White Castle Systems Inc., and it would significantly limit recovery under the Privacy Act. Specifically, the law would reverse the court’s interpretation in Cothron that the Privacy Act is violated on each and every unlawful scan or transmission of biometric information.
Per-Scan Damages
SB2979 amends the Privacy Act’s right of action and damages provisions to clarify that when a private entity allegedly collects or disseminates the same biometric identifier or biometric information multiple times in violation of Section 15(b) of the Privacy Act’s notice and consent requirements, the entity has committed only a single violation. For instance, if an employer requires an employee to scan his or her finger to clock in and out each day without first signing a consent, that would constitute a single violation of the act no matter how many times the employee scanned his or her finger.
The amendments further limit an individual to “at most, one recovery” of $1,000 or $5,000 in statutory damages under Section 20. Statutory damages are $1,000 for negligent violations or $5,000 for intentional or reckless violations.
The amendments would be a lifeline for employers, as per-scan damages of $1,000 or $5,000 per scan can quickly accrue, often for mere technical violations, and lead to excessive or potentially catastrophic damages awards. The Illinois high court in Cothron recognized the possibility of excessive damages, but it left it to the state’s lawmakers to clarify—which they have done with SB2979.
Electronic Signatures
SB2979 explicitly recognizes that written consents may be signed electronically. The bill defines the term “electronic signature” as “an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.”
The amendments appear intended to end attempts by BIPA class action attorneys to invalidate timely signed consents simply because they were signed electronically. It may also simplify compliance as electronically signed consents are easier to track, store, and audit. By contrast, paper consent forms may be inadvertently discarded or misplaced, leaving an employer with no evidence of its prior timely compliance.
Retroactive? Or Is This What the Legislature Always Meant?
The legislation will become effective upon signing by the governor, and it does not contain any specific language on retroactivity. However, the amendments are a direct response to the Cothron majority opinion’s call to the Illinois General Assembly to “make clear its intent regarding the assessment of damages,” should it disagree with the Supreme Court of Illinois’s construction of BIPA. If enacted, the prohibition on per-scan damages should apply to pending Privacy Act claims, because the amendments are evidence of legislative intent that a court should consider when construing a statute the state supreme court previously held was unclear.