In a welcome change for defendants, a recent amendment to the Biometric Information Privacy Act (“BIPA”) is expected to significantly curtail potential damages under the statute. SB 2979, which passed the General Assembly on May 16, 2024, clarifies that damages are per individual, rather than per violation, for violations of the collection provision under Section 15(b) and the disclosure provision under Section 15(d).
Specifically, SB 2979 establishes that scanning the same information on the same person using the same method constitutes one offense for damages purposes. Similarly, disclosure of the same information about the same person to the same recipient using the same method also constitutes one offense. For instance, damages for an individual who scans in to work with his or her employer daily could now be capped at $1,000 or $5,000 in total rather than accumulating $1,000 or $5,000 for each day that he or she scans. However, if the employer uses different methods or discloses to different entities, the language of the bill suggests that damages would be per method or per recipient.
SB 2979 also lightens the burden on employers by allowing for the statutorily required written release to be obtained electronically.
As regular readers of this space know, BIPA is among the strictest state laws on biometrics and it has resulted in a flood of very costly litigation in the state of Illinois. Since its inception, questions have loomed about the scope of BIPA liability for offenders, and there has been a strong appetite for reform. Until now, BIPA has been silent on whether damages are incurred only once per victim or once per “scan,” meaning each unlawful collection, use or distribution. The difference in damages between these two alternatives can be massive, particularly for companies which repeatedly scan their employees’ biometric information. Last year, the Illinois Supreme Court decided in Cothron v. White Castle System, Inc. that the plain language of BIPA allows damages for every scan. The liberal damages rule exemplified by Cothron has caused BIPA-related litigation to explode, with damages for the worst violators reaching the hundreds of millions of dollars. As the court said in Cothron, damage awards under BIPA are discretionary and the General Assembly did not intend damages so large that they would “result in the financial destruction” of companies. Based on the potential for crushing liability, the court “respectfully suggest[ed]” that the legislature intervene.
The immediate impact of the amendment remains to be seen — given the discretionary nature of damages and the massive damages that a per-scan calculation would bring, many courts are reluctant to award such damages, even without SB 2979. But the bill could prove to be a game-changer in cases where per-scan damages might have been sought and allowed. Even if the governor does not sign the bill (which is unlikely), it could provide powerful evidence of the legislative intent to limit BIPA damages.
We’ll see if this is all the General Assembly has in mind or if this is just the first step on the path to more fulsome BIPA reform. Some critics suggest that under SB 2979’s limited calculation, there is no incentive to stop bad actors once they have begun violating BIPA. But others fear that the bill will satisfy legislative hunger for reform, preventing further amendments which might exempt security-related uses of biometric information. It also does not explicitly provide for retroactivity, leaving current litigants potentially stuck with Cothron’s higher damages calculations. Defendants might consider characterizing the statutory amendments as procedural to generate retroactive effect under Illinois law where possible. It is hard to predict the future of BIPA reform, but one thing appears certain: for future defendants, the scope of potential liability will be much lower than it currently is.