On August 2, 2024, Illinois amended its Biometric Information Privacy Act (BIPA), curbing the potential for massive damages and modernizing the law’s written consent provisions. On their face, the amendments are not retroactive. It remains unclear, however, whether this change in Illinois law will nonetheless be applied retroactively by the courts.
Reduced Damages Exposure
In February 2023, the Illinois Supreme Court held in Cothron v. White Castle System, Inc., that a separate claim for damages accrues each time an entity collects an individual’s biometric data without obtaining BIPA-compliant consent. The ruling meant that each individual biometric scan could be considered a separate violation of BIPA, leading to potentially ruinous damages because BIPA provides for liquidated damages of $1,000 or $5,000 per violation. The court also held, however, that damages under BIPA are discretionary and could be modified by the court. The Cothron ruling had businesses on edge, with each biometric scan potentially counting as a separate violation.
The new amendments to BIPA make clear that liability is expressly limited to a single violation per individual, regardless of the number of scans, as long as the scans are collected in the same manner.
Electronic Consent
The recent amendments to BIPA also now expressly recognize electronic signatures as valid written consent for collecting or sharing biometric data. This update simplifies compliance and aligns with current digital practices.
No Express Retroactive Application
The amendments to BIPA are not expressly retroactive, so it remains to be seen how the courts will handle BIPA claims that involve collection of biometric data that occurred before the amendment. The Cothron decision suggests that the discretionary aspect of damage awards could lessen the possibility of ruinous damages awards regardless of when the BIPA violations may have occurred, but the risk of substantial damages awards remains real until the issue is further litigated and precedent is developed.