ABSTRACT: Illinois’ biometric privacy reform will significantly reduce a company’s potential liability for collecting or sharing an individual’s fingerprint and other biometric data without informed consent. Effective immediately, private entities that collect or disclose the same biometric identifier from the same person with the same collection methods commits only one violation and the individual is entitled to just one recovery of statutory damages.

With the Illinois Governor’s signature on Senate Bill 2979, amendments to the Biometric Information Privacy Act, known as “BIPA” (740 ILCS 14/1, et seq.), offer companies protections which will significantly reduce a company’s potential liability for collecting and sharing an individual’s biometric data without informed consent. BIPA is amended to say that private entities that collect or disclose the same biometric identifier from the same person using the same collection method commits only one violation of the law, entitling the individual to just one recovery of statutory damages, regardless of the number of times that biometric information is shared. 740 ILCS 14/20. The amendment presents what can be considered “guard rails” on what might otherwise be significant liability for a business.

The amendment also redefines and significantly expands “written release” to include electronic signatures, which is now defined to include “an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.” 740 ILCS 14/10.

The amendment is largely a response to the Illinois Supreme Court’s interpretation of a pre-amendment BIPA claim against White Castle. In Cothron v. White Castle Sys., 2023 IL 128004, the court found each unlawful fingerprint scan or disclosure constituted a new BIPA claim but that damages awards for each violation remained discretionary, noting that “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.” Cothron at ¶ 42. White Castle had argued that only the first illegal biometric scan or disclosure was actionable under the Act because the alternative would expose even the smallest of companies to potentially disastrous statutory damages even when the claimants were unable to point to any actual damages from each alleged violation.

Illinois enacted BIPA in 2008, and it was considered a pioneering law for the protection of consumers and employees from misuse of biometric data, including face recognition, fingerprints, voice recognition, retinal scans, and other types of personal identifying information. BIPA, however, had come under fire by companies hit with large (and sometimes disastrous) fines due to its previous provisions allowing for fines for each violation of the act, even when the violation involved the same biometric data from the same person using the same collection method.

The area of BIPA litigation in Illinois remains dynamic, and Baker Sterchi remains committed to following and reporting upon this important and developing area of the law.