The Illinois Senate recently passed legislation by a 46-13 vote that would significantly amend the Illinois Biometric Information Privacy Act (“BIPA”).[1] Senate Bill 2979 (“SB2979’), which Senate President Pro Tempore William Cunningham introduced, includes a significant benefit to corporations, employers, and other private entities in Illinois by clarifying that, in a case where the same violation occurs more than once, it would constitute only one violation for purposes of statutory damages.[2] Currently, courts have interpreted BIPA to permit for an accrual of claims for the same violation, which can lead to catastrophic-like damages. The bill now advances to the State’s House of Representatives for possible hearings and a vote.
SB2979 addresses an issue highlighted in Cothron v. White Castle System, Inc. , 216 N.E.3d 918 (Ill. 2023). There, the Illinois Supreme Court noted that BIPA’s liquidated damages scheme exposed private entities to ‘ruinous’ damages which could result in the financial destruction of businesses operating in Illinois. Currently, a business that allegedly violates BIPA faces potential liquidated damages of $1,000 to $5,000 per biometric scan regardless of actual damages. The weight of risk has negatively impacted employers—big and small—operating in Illinois. For instance, employers using timekeeping systems incorporating scanning technology often face massive potential liability as under the Cothron ruling violations occurred each time an employee clocked in and out, or interacted with the system for security authentication purposes.[3] Those timekeeping systems often advertised themselves as not collecting biometrics at all, but, based on BIPA’s wording, even information “based on” biometrics could trigger liability. While the Court upheld BIPA as-drafted, it suggested that legislators review the damages provision.
Whether SB2979, if enacted, will be applied retroactively remains to be seen.
We will continue to monitor legislative and judicial actions around BIPA and will keep you updated. For assistance with questions related to BIPA, compliance strategies or potential risks, please contact a Thompson Coburn BIPA attorney.
[1] See our previous reporting on the amendment’s proposal at BIPA Update: Another Amendment Attempt for Illinois Privacy Law (thompsoncoburn.com).
[2] The proposed amendment can be read in full at Illinois-2023-SB2979-Introduced (legiscan.com).
[3]The defendant in Cothron faced over $17 billion in damages based on a 9,500 class size. See BIPA litigation update: Cothron’s impact and employer BIPA defense affirmed (thompsoncoburn.com).
About Cybersecurity Bits and Bytes
This blog covers the latest trends and events in cybersecurity law. We’ll provide tips, tricks, and tactics for handling cybersecurity situations, and analysis of recent cybersecurity case law, statutes, and regulations.