How Will Proposed Amendments to Illinois’s BIPA Affect the Use of Biometric Data?

The Illinois Biometric Information Privacy Act (“BIPA”) became effective in 2008. Alleged violations under BIPA have resulted in numerous lawsuits and defendants’ (businesses’) liability for substantial damages.^[1] On May 16, 2024, the Illinois State Legislature passed a bill to amend BIPA, Senate Bill 2979, and it has sent the bill to Illinois Governor J.B. Pritzker. Assuming the governor signs it, the BIPA amendments will take effect immediately. SB 2979’s amendments would limit BIPA damages and provide for electronic consent.

The BIPA proposed amendments in SB 2979 include:

• A private entity that collects or discloses a person’s biometric data without consent can only be found liable for one BIPA violation per person regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient. Proposed new 740 ILCS 14/20(b) and (c) would modify the 2008 740 ILCS 14/20 text^[2] “A prevailing party may recover for each violation . . . ,” interpreted by the courts as a “per scan” damages calculation.
• Written consent for collection of biometric information under BIPA will now include electronic signatures. 740 ILCS 14/10 (Definitions) as amended adds a new definition, “electronic signature,” and includes it as part of the definition of “written release.”

The SB 2979 amendments underscore the need for businesses to review their contracts with vendors providing biometric devices. In particular these contracts should consider requiring, among other things, detailed functional specifications, as well as vendor warranties and indemnifications, concerning the biometric device’s abilities to capture, record, and preserve electronic signatures of users whose biometric data is captured by the devices, consistent with the proposed written consent provisions in BIPA.

In Cothron v. White Castle System, Inc.,^[3] the Supreme Court of Illinois, citing to one of its earlier decisions,^[4] recognized the potential for significant damages awards under BIPA:

This court explained that the legislature intended to subject private entities who fail to follow the statute’s requirements to substantial potential liability. The purpose in doing so was to give private entities “the strongest possible incentive to conform to the law and prevent problems before they occur.” As the Seventh Circuit noted,^[5] private entities would have “little incentive to course correct and comply if subsequent violations carry no legal consequences.”^[6]

In the Cothron decision, the Court found that the BIPA statutory language clearly supported plaintiff’s position.^[7] Still, the Court stated:

Ultimately, however, we continue to believe that policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature. See McDonald^[8] . . . (observing that violations of the Act have the potential for “substantial consequences” and large damage awards but concluding that “whether a different balance should be struck *** is a question more appropriately addressed to the legislature”). We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.^[9] (emphasis added)

SB 2979 was the result of the Illinois legislature considering the Court’s invitation to amend BIPA.

It is important to note that SB 2979 does not eliminate all liabilities for violations under BIPA. Hypothetically, a business with a large number of employees or customers could still potentially be liable for substantial damages. For example, if a business was found to have intentionally or recklessly violated BIPA and was subject to liquidated damages of $5,000 or actual damages, and it has 1,000 employees or customers for whom it collected biometric data, then damages could be $5,000,000 (=$5,000 x 1,000) plus reasonable attorneys’ fees and costs. Of course, this is hypothetical and would be subject to the facts and the applicable law, but you can do the math and see that even with the SB 2979 BIPA amendments, BIPA violations can result in substantial damages.

The Supreme Court noted in Cothron: “It also appears that the General Assembly chose to make damages discretionary rather than mandatory under the Act.”^[10] However, the Supreme Court held “that the plain language of section 15(b) and 15(d) shows that a claim accrues under the Act with every scan or transmission of biometric identifiers or biometric information without prior informed consent.”^[11]

In a separate opinion upon denial of rehearing in Cothron, Justice David K. Overstreet^[12] in a dissent stated:

Although the majority recognized that it “appear[ed]” that these awards would be discretionary, such that lower courts may award damages lower than the astronomical amounts permitted by its construction of the Act, the court did not provide lower courts with any standards to apply in making this determination. This court should clarify, under both Illinois and federal constitutional principles, that statutory damages awards must be no larger than necessary to serve the Act’s remedial purposes and should explain how lower courts should make that determination. Without any guidance regarding the standard for setting damages, defendants, in class actions especially, remain unable to assess their realistic potential exposure.^[13]

The bottom line is that the courts and the legislature will continue to have to address the tension between the 2008 Illinois legislative findings^[14] underlying BIPA and potentially excessive BIPA damages awards. This analysis should consider evolving artificial intelligence (“AI”) software’s potential to provide humanity with many benefits, but also risks, and AI’s use of biometric data (and ability to copy that biometric data). Hypothetically, consider an AI software provided with an individual’s compromised biometric data obtained in a cybersecurity event coupled with a BIPA violation; the individual could potentially suffer financial damages (e.g., where the biometric data allows unauthorized access to an individual’s financial accounts) or health damages (e.g., where the biometric data allows unauthorized access to an individual’s medical records and where the unauthorized access allows for changing the individual’s medical history concerning allergies or medications which, in an emergency, could be life threatening). The full ramifications of biometric technology and AI are not fully known. Legislators and the courts will need to consider the opportunities and risks these, and other, technologies present to society, and strive to achieve a judicial and legislative balance that will maximize the beneficial opportunities of these technologies, and contain, mitigate, or remove the risks.

1. Many BIPA defendants paid these damages pursuant to a settlement agreement. ↑

2. SB 2979 relabeled 740 ILCS 14/20 to make the original text subpart (a) and add new subparts (b) and (c). ↑

3. Cothron v. White Castle System, Inc., 2023 IL 128004, 216 N.E.3d 918 (Ill. 2023), reh’g denied (July 18, 2023). ↑

4. Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186, ¶¶ 36–37, 129 N.E.3d 1197 (Ill. 2019). ↑

5. Cothron v. White Castle System, Inc., 20 F.4^th 1156 at 1165 (7^th Cir. 2021). ↑

6. Cothron, 216 N.E.3d at 928–929. ↑

7. Cothron, 216 N.E.3d at 928. ↑

8. McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, ¶¶ 48–49, 193 N.E.3d 1253. ↑

9. Cothron, 216 N.E.3d at 929. ↑

10. Cothron, 216 N.E.3d at 929 (citations omitted). 740 ILCS 14/20 as adopted in 2008 actually concludes with text supportive of the discretion afforded courts regarding damages: “A prevailing party may recover for each violation: . . . (4) other relief, including an injunction, as the State or federal court may deem appropriate” (emphasis added). ↑

11. Cothron, 216 N.E.3d at 929. ↑

12. Justice Overstreet’s dissent upon denial of rehearing was joined by Chief Justice Mary Jane Theis and Justice Lisa Holder White. ↑

13. Cothron, 216 N.E.3d at 940, reh’g denied (July 18, 2023) (Overstreet, J., dissenting). ↑

14. 740 ILCS 14/5 (Legislative findings; intent) includes, without limitation: “(c) Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions. . . . (f) The full ramifications of biometric technology are not fully known.” ↑

© 2024 Alan S. Wernick and Aronberg Goldgehn.