Quick Hits

  • Illinois’s Privacy Act does not provide for per-scan damages, according to a bill that took effect immediately upon the governor’s signature on August 2, 2024.
  • The signing completes the reversal of the Illinois high court decision that the Privacy Act is violated on each and every unlawful scan or transmission of biometrics.
  • The law clarifies that multiple alleged scans or disclosures of an individual’s biometrics without prior consent constitute a single violation of the Privacy Act.
  • The law’s passage in response to the Cothron majority opinion’s request for clarification confirms the legislature never intended a per-scan damages remedy.

Senate Bill (SB) 2979, which was passed by the Illinois legislature in May 2024, clarifies that when a private entity allegedly collects or disseminates the same biometric identifier or biometric information multiple times in violation of the Privacy Act Section 15(b)’s “notice and consent” and Section 15(d)’s “unauthorized disclosure” requirements, the entity has committed only a single violation.

SB2979 comes in response to the state supreme court’s decision Cothron v. White Castle System, Inc., which construed the plain language of the Privacy Act to mean the act is violated with each unlawful scan or transmission and allowed recovery for per-scan damages. That interpretation had opened the door for potentially catastrophic damages awards. Section 20 of the Privacy Act provides for statutory damages of $1,000 for negligent violations and $5,000 for intentional or reckless violations.

Clarifying the Privacy Act

In the Cothron majority opinion, the court raised concerns over whether it was accurately construing the plain language of BIPA to provide for per-scan damages.  It asked the “legislature [to] review these policy concerns and make clear its intent regarding the assessment of damages.”

The legislature passed SB 2979, which expressly prohibits per-scan damages, in answer to the court’s question as to whether the legislature originally intended the Privacy Act to provide for per-scan damages. Specifically, SB 2979 clarifies that the Privacy Act limits plaintiffs to “at most, one recovery.”

Illinois Rep. Ann Williams, the lead sponsor of SB 2979 in the Illinois House of Representatives, told the Chicago Tribune: “This bill addresses the invitation by the court to address damages, and that’s exactly what we’re doing here.”

Thus, SB 2979’s amendments in response to the Cothron majority opinion’s invitation to clarify the Privacy Act, combined with the Privacy Act’s legislative history, indicate that the legislature never intended the Privacy Act to provide for per-scan damages.

E-Signatures

SB 2979 further explicitly recognizes that written consents signed electronically are valid. The law defines “electronic signatures” as “an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.”

Key Takeaway

SB 2979, which took effect immediately upon signing, is a lifeline for employers as they faced potentially excessive damages awards for mere technical violations of the Privacy Act’s requirements on the collection or dissemination of biometric information.

Ogletree Deakins will continue to monitor developments and will provide updates on the Class Action, Cybersecurity and Privacy, Illinois, and Technology blogs as more information becomes available.

Follow and Subscribe

LinkedIn | Instagram | Webinars | Podcasts