Governor J.B. Pritzker has signed Senate Bill 2979 into law, significantly amending the Biometric Information Privacy Act (BIPA), yet retaining the availability of statutory damages that have been so problematic for current and prospective BIPA defendants. This landmark legislation reduces potential liability for companies that collect or share biometric data, such as fingerprints, without informed consent. The amendment specifies that private entities collecting or disclosing the same biometric identifier from the same person using the same method commit only one violation, entitling the individual to a single recovery of statutory damages. Additionally, the definition of “written release” has expanded to incorporate electronic signatures, broadening consent methods and streamlining compliance.
This reform follows and limits the Illinois Supreme Court’s recent interpretation of BIPA in a case against White Castle. The Court ruled that each unlawful biometric scan or disclosure constituted a new BIPA claim, although statutory damages for each violation arguably were – and remain – discretionary. White Castle, after a prolonged legal battle, settled for $9.39 million. The new law aligns with White Castle’s stance on per-violation damages, alleviating the risk of excessive damages for multiple claims by the same plaintiff, and providing a more balanced approach to biometric privacy. This change is a significant step towards protecting businesses from potentially crippling legal consequences, yet statutory damages remain draconian and potentially debilitating for companies that possess or collect biometric information from numerous individuals. That said, our Tech and Cyber team is experienced in defending against BIPA claims, and there are multiple substantive defenses under the statutory language and case law.
View PDF