On Friday, August 2, Governor J.B. Pritzker of Illinois signed into law SB2979, an amendment to the state’s landmark biometric privacy law. The amendment offers a welcome step forward to correcting the rapid overexpansion of potential damages associated with violations of the law without curbing any of its privacy protections. The measure amends the state’s Biometric Information Privacy Act (“BIPA”) in two significant ways. First, the law, as amended now expressly includes electronic signatures as a form of “written release.” Second, the amendment limits actions for recovery to a maximum of one violation per plaintiff, rather than one violation per instance of collection or transmission of biometric information. This post examines the amendment and its impacts on businesses collecting biometric information in the state. We also highlight notable biometric privacy developments in Texas.
Illinois Amends its Biometric Information Privacy Act
BIPA generally requires companies that collect biometric identifiers or information in Illinois to adhere to certain practices, including obtaining “written” consent before collection. In an era where electronic signatures have become ubiquitous, although there have been pathways to implement an electronic consent to collect biometric identifiers under the E-SIGN Act (and Illinois’s Uniform Electronic Transactions Act), this amendment clarifies any confusion as to whether electronic consent is sufficient under BIPA. Clarifying the term “written release” to include electronic signatures will make it easier for companies to obtain consent before collection and thus, will be less burdensome for companies to comply with BIPA. Importantly, the amendment also shows a willingness on the part of the Illinois legislature to update and modernize legislation as new standard technological practices, such as the now widespread use of e-signatures, take hold.
In the now (in)famous February 2023 decision Cothron v. White Castle System, Inc., which held that, under the plain language of the text, claims under sections 15(b) and 15(d) of BIPA accrue on a per-scan basis such that “a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information,” the Illinois Supreme Court invited the legislature to “make clear its intent regarding the assessment of damages under the Act.” Little over a year after that landmark ruling, Illinois lawmakers have done just that. With the passage of this amendment, lawmakers have clarified that BIPA was never meant to levy disproportionate penalties on companies, as would be the case, for example, if employees were able to recover for hundreds, potentially thousands, of “violations” for the same activity, such as clocking in each day. As we reported in the wake of the White Castle decision, an employer that collects fingerprints from its employees clocking in and out of work, for example, could face up to 1,040 BIPA violations per year for a single full-time employee who clocks in and/or out four times each day (e.g., at the beginning and end of the day, and then in/out for lunch). The amendment will rebalance and rein in potential damages awards, the ceiling for which skyrocketed after White Castle, and more fairly protect individuals’ biometric privacy without hobbling businesses operating in the state. The amendment also brings BIPA back into alignment with the harm it was initially intended to address – that of individuals’ loss of control over their biometric privacy, which happens only once, when the fingerprint is first obtained, and not with every subsequent fingerprint scan clocking-in, to return to our earlier example.
On the topic of that momentous White Castle decision, over five years after claims were initially filed, the parties have just received final approval for a $9.39 million settlement, marking the final milestone in bringing the action to a close. The settlement aligns not just with other recent BIPA settlements, but in shaking out to just under $1,000 ($968) per class member, the settlement brings the recovery in line with the amendment, essentially capping recovery at one negligent violation per plaintiff.
These amendments, coupled with the White Castle settlement and another recent settlement cutting the initial $228 million damages judgment entered against BNSF Railway in November 2022 by two-thirds, to $75 million, may start to stem the tide of BIPA litigation, and will certainly realign the “punishment” to more closely “fit the crime,” as the bill’s sponsor, state Senator Bill Cunningham, explained its intent. Even so, companies should not lessen their vigilance in complying with BIPA.
SB 2979 does not expressly state that the amendment applies retroactively, which leaves room for interpretation and potential challenges for pending litigation. However, under Illinois’s retroactivity test, there are compelling arguments for the retroactive application of SB 2979 to cap damages on a per-person basis for pending BIPA litigation. Under Illinois law, when an amendment is silent on retroactivity, a court must assess whether the amended provisions are procedural or substantive, with procedural provisions applying retroactively. While damages provisions are typically seen as procedural, we expect plaintiffs to argue that they are substantive in nature because they would reduce potential recovery. Either way, we expect courts to consider this new cap on damages heavily when construing BIPA’s statutory damages to any pending litigation, something the Supreme Court has ruled is within a presiding court’s discretion when determining a damages award under BIPA.
Don’t Mess with Texas!
While this amendment is welcome news to organizations processing biometric data in Illinois, organizations, beware of enforcement activity in other states. On July 30, Meta Platforms, Inc. (f/k/a Facebook, Inc.) and the Texas Attorney General settled the first enforcement action brought under Texas’s “Capture or Use of Biometric Identifier” Act (“CUBI”) for $1.4 billion. The Attorney General sued Meta in 2022 for allegedly capturing biometric data without obtaining users’ informed consent as required by CUBI. Like BIPA, CUBI prohibits a person from capturing a biometric identifier of an individual for a commercial purpose unless the person “(1) informs the individual before capturing the biometric identifier; and (2) receives the individual’s consent to capture the biometric identifier.” Although BIPA has historically captured the majority of attention as a result of its private right of action and statutory damages, CUBI was actually enacted years before BIPA – in 2001 and recodified in 2009. However, despite its rigorous requirements and steep penalties (up to $25,000 per violation), CUBI has largely been a sleeping giant because of the lack of AG enforcement and no private right of action. The Attorney General announced that this historic settlement “serves as a warning to any companies engaged in practices that violate Texans’ privacy rights.” This landmark settlement and the announcement of a planned data privacy and security law enforcement initiative in Texas, including a new unit focused on Texas’s various privacy laws housed within the OAG Consumer Protection Division, establishes the state as a formidable privacy enforcer, specifically with respect to biometric privacy.