BlogLine

Illinois governor signs BIPA amendment into law 

8/8/24

By: Glenn A. Klinger and Jonathan Schwartz

It’s official! The Illinois’ Biometric Information Privacy Act (“BIPA”) now explicitly provides that a private entity who is alleged to have collected or disclosed a covered person’s biometrics more than one time in violation of BIPA has committed only a single violation of BIPA. In other words, after the first scan or disclosure of a covered person’s biometrics, subsequent scans or disclosures do not constitute separate and distinct violations for purposes of calculating damages. With the Illinois Governor, J.B. Pritzker’s signature, the amendment takes immediate effect (as of August 2, 2024) and changes BIPA in two important ways. 

Accrual of Claims Limited 

The first change to BIPA is that under the right of action provision (740 ILCS 14/20), a person aggrieved under Subsection 15(b) (which regulates the collection of biometric data) and under Subsection 15(d) (which regulates the disclosure of biometric data) will only be entitled to, at most, one recovery under either Subsection. This is important because the right of action clause first provides for damages of $1,000 per negligent violation of BIPA or $5,000 per reckless violation of BIPA. This risked huge damage awards and generated onerous settlements because, theoretically, a private entity could be hit for $1,000 or $5,000 per scan and/or per disclosure. And, given how many times in a week, month, or year an employee, for instance, would scan in and out of work using his/her biometrics, the potential exposure from BIPA class action lawsuits was massive and potentially annihilative to Illinois businesses. 

More Flexible Written Release Requirement  

Since BIPA took effect in 2008, there have been changes in how written releases are obtained. As amended, BIPA now permits consent forms to be signed electronically. Class action attorneys had argued that consent forms electronically signed do not satisfy BIPA’s requirement that private entities obtain a “written release” from the person/customer before collecting or disclosing biometrics. 

Retroactivity? 

Together with the recent state and federal court decisions finding that insurance policy exclusions in CGL policies preclude coverage for BIPA claims, this legislative amendment should reduce the incentive for class action attorneys to file class actions going forward. Notably, though, the BIPA amendment does not explicitly provide that the amendment is retroactive. It is expected that claimants allegedly aggrieved prior to August 2, 2024 and BIPA defendants will battle over whether the amendment is retroactive.  

Retroactivity aside, the amendment was and is a welcome sight to private businesses in Illinois after they couldn’t catch a break from the Illinois Supreme Court in 2023. First, in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, ¶ 37, the court found that a five-year limitations period applies to all BIPA claims. A couple weeks later, in Cothron v. White Castle Sys., Inc., 2023 IL 128004, ¶ 30, the Supreme Court found that, for purposes of Subsection 15(b), a cause of action accrues each time a private entity allegedly scans a person’s biometric identifier, and, under Subsection 15(d), a cause of action accrues each time a private entity allegedly transmits such a scan to a third party. The Cothron court, however, “respectfully suggest[ed] that the legislature review” policy concerns and clarify BIPA’s intent concerning the assessment of damages. Thankfully the Illinois legislature accepted the Court’s invitation and began to thaw the Illinois business climate that has been unduly chilled by BIPA for years. 

For more information, please contact Glenn A. Klinger at glenn.klinger@fmglaw.com, Jonathan Schwartz at Jonathan.Schwartz@fmglaw.com, or your local FMG attorney.