On August 2, 2024, Illinois Governor J. B. Pritzker signed legislation reforming Illinois’ Biometric Information Privacy Act (BIPA). Senate Bill 2979 immediately amends BIPA to limit a private entities’ potential liability for collecting or sharing biometric data without consent.
The BIPA amendment followed a call for action directed at the legislature from the Illinois courts. Previously, the question of damages liability had wound its way through appellate review in Illinois courts. This amendment changes the course of the Illinois Supreme Court interpretation of BIPA claim accrual, which had held that each unlawful collection or disclosure constituted a new BIPA claim but that damages were discretionary.
Now, with the passage of SB 2979, a private entity that collects or otherwise acquires biometric data in more than one instance for the same person commits only one violation of the Act. Additionally, a private entity that discloses biometric data from the same person to the same recipient commits only one violation of the Act, regardless of the number of times that data is disclosed. As a result, individuals are only entitled to a single recovery of statutory damages.
This reform has potential to reduce the top end liability private entities may face when it comes to BIPA claims. However, many BIPA litigators are of the opinion that a single instance of harm was already “built in” to settlement valuations in prior cases, and that this new legislation will not do much to alter the approximate average valuation of $ 1500 per person that most plaintiff lawyers are putting on class settlement demands in BIPA lawsuits. Additionally, even a single instance of alleged harm involving tens of thousands of employees or customers can still amount to significant damage claims. Businesses are still well-advised to be wary before deploying any biometric collection device or mechanism in Illinois without legal advice about appropriate consent and legal compliance obligations.