Skip to Main Content
ニュース&イベント: クライアント・アドバイザリー



Executive Summary

  • On May 16, 2024, the Illinois House of Representatives approved Senate Bill 2979 (the “Bill”), which amends the Illinois Biometric Information Privacy Act (“BIPA”) to limit damages to one violation per individual, rather than each instance their biometric information is captured, collected, disclosed, redisclosed, or otherwise disseminated.
  • The Bill is intended to be prospective, and not retroactive, and therefore, would not apply to pending BIPA cases.
  • The amendment is to take effect immediately upon becoming law.

BIPA Overview

  • Enacted in 2008, BIPA governs commercial use of biometric data, such as fingerprints, handprints, voiceprints, retina or iris scans, and facial geometry characteristics captured by facial recognition systems.
  • “Biometrics” is the measurement and statistical analysis of an individual’s physiological characteristics. The technology associated with biometrics is frequently used to verify personal identity, such as for timekeeping, building security, point-of-sale systems, and  commercial applications.
  • Before collecting biometric data, companies must provide notice and obtain written consent from the individual subject to the biometrics collection. BIPA requires a “written release,” which means informed written consent or, in the context of employment, a release executed by an employee as a condition of employment. This written release must be signed and include (i) the individual’s acknowledgement that they have read the company's biometric data policy and (ii) the individual’s express consent to the collection and use of their biometrics.

BIPA Amendment: Damages Limits

On May 16, 2024, the Illinois House passed Senate Bill 2979 by a vote of 81-30-0. The Bill was previously passed by the Illinois Senate on April 11, 2024, and now goes to Governor J.B. Pritzker for signature.

Notably, the Bill amends damages as it pertains to two subsections under BIPA concerning: (i) the collection or capture of biometrics identifiers or information, and (ii) prohibiting their disclosure, without consent. Under the proposed amendment, an entity would potentially commit a single violation under each subsection, but relief would be limited to “at most, one recovery[.]”

Significantly, the Bill addresses the troubling trend of plaintiffs seeking monumental damages under BIPA. This legislative action is a direct response to the Illinois Supreme Court’s 2023 decision in Cothron v. White Castle. The Cothron Court ruled that a separate claim for damages accrues under Sections 15(b) and 15(d) every time a private entity collects or discloses an individual’s biometric identifier or information. In its original form, BIPA stated that an individual may be entitled to $1,000 or actual damages for each negligent violation, or $5,000 or actual damages for each reckless or intentional violation. Thus, the Court’s decision in Cothron to apply a “per-scan” statutory damages interpretation exposed companies to catastrophic damages awards for BIPA violations, as highlighted by White Castle’s argument that class-wide damages could total more than $17 billion. Recognizing the potential for such devastating liability, the Court called on the Illinois Legislature to review these policy concerns and make clear its intent regarding the assessment of damages under the Act.

Accordingly, the proposed amendment limits plaintiffs’ recovery of damages under BIPA. Specifically, the Bill amends Sections 15(b) and 15(d) to state that an “aggrieved person is entitled to, at most, one recovery” under each sub-section of the Act. In other words, instead of constituting each scan or collection of an individual’s biometric identifier as a separate claim under BIPA, the proposed amendment limits the available damages to one violation per aggrieved person (provided the collection occurs via “the same method”).

BIPA Amendment: Written Release

As noted above, a written release is a key requirement under BIPA, and the Bill amends BIPA to insert the term “electronic signature” into the definition of “written release.” The Bill defines “electronic signature”  to include “an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.” By confirming that a written release can include an electronic signature, the Bill furnishes greater flexibility and efficiency for how employers can obtain an employee’s permission to collect and use their biometric information.

Takeaway for Employers

It is too soon to determine how the Bill will impact the BIPA litigation landscape, particularly for the hundreds of BIPA cases currently pending throughout Illinois to which the amendment will not apply. At a minimum, this amendment significantly curtails the liability exposure and is welcome news for private entities subject to BIPA. By limiting damages to one violation per individual, companies doing business in Illinois will no longer be driven to bankruptcy by the astronomical damages awards seemingly authorized by the per-scan theory of claim accrual adopted by the court majority in Cothron. Indeed, the Bill aligns with the remedial purpose of BIPA, which was intended to promote adoption of commonsense data privacy practices so as to minimize the risk of biometric data being improperly accessed or used. Nonetheless, although the Bill helps protect businesses from potentially devastating penalties, employers should still continue to evaluate their liability under and compliance with all aspects of BIPA.

If you have any questions about how this BIPA amendment may impact your business operations or regarding any active and/or potential BIPA class actions, please contact Kevin Borozan or any other member of Masuda Funai’s Employment, Labor and Benefits Group.

© 2024 Masuda, Funai, Eifert & Mitchell, Ltd. All rights reserved. 本書は、特定の事実や状況に関する法務アドバイスまたは法的見解に代わるものではありません。本書に含まれる内容は、情報の提供を目的としたものです。かかる情報を利用なさる場合は、弁護士にご相談の上、アドバイスに従ってください。本書は、広告物とみなされることもあります。