Illinois employers will no longer face astronomical damages — into the millions or even hundreds of millions of dollars at issue in recent class action lawsuits — for violations of the Biometric Information Protection Act (BIPA) under reforms signed into law on August 2, 2024. Still, there are significant consequences for even technical violations for BIPA, and employers should review their policies and practices in light of these recent changes.
The landscape of biometric privacy in Illinois is poised for a significant shift following the recent amendment to the Illinois Biometric Information Privacy Act (BIPA). On August 4, 2024, Governor JB Pritzker signed S.B. 2979 into law introducing a crucial modification that could have far-reaching implications for businesses and the ongoing wave of biometric privacy litigation.
Understanding BIPA: A Background
BIPA, enacted in 2008, is one of the most stringent biometric privacy laws in the United States. It requires private entities to obtain informed consent before collecting biometric identifiers, such as fingerprints, facial recognition data, or retinal scans. The law also mandates that companies inform individuals about the specific purpose and duration for which their biometric data will be used and stored.
A Defining Feature of BIPA
A defining feature of BIPA is its private right of action, allowing individuals to sue companies directly if they believe their biometric data has been mishandled. This provision has led to a surge in class-action lawsuits, with businesses across various sectors facing multimillion-dollar claims. Unlike many other privacy laws, BIPA does not require proof of actual harm, making it easier for plaintiffs to bring forward claims based on procedural violations. The key point is that the Act makes each use of the data a separate claim. This means that if a fingerprint identifying was used under the original law – for example – to sign in and out of work, each use of the fingerprint is a separate offense and results in a separate penalty of up to $1,000 for each use. The damages could be catastrophic for employers.
The Amendment: A Game-Changer
The newly signed amendment to BIPA redefines how violations related to the repeated collection of biometric data are counted. Previously, each instance of unauthorized collection of biometric data could be treated as a separate violation, leading to potentially astronomical damages. Under the new amendment, the repeated collection of the same biometric data without proper consent is now considered a single, collective violation of the Act.
This change is significant for several reasons. First, it addresses one of the most contentious issues in BIPA litigation: the interpretation of what constitutes a “violation.” By clarifying that multiple instances of collecting the same biometric data count as a single violation, The amendment may reduce the financial exposure of businesses facing BIPA lawsuits. This could potentially slow the flood of litigation that has overwhelmed Illinois courts in recent years.
Potential Impacts on Litigation Trends
The amendment to BIPA is likely to have a ripple effect on litigation trends in Illinois and beyond. Businesses that were previously hesitant to settle BIPA claims due to the risk of massive penalties may now feel more confident in negotiating settlements or defending themselves in court. The possibility of reduced damages could also encourage more companies to implement robust biometric data compliance programs, knowing that their risk of facing multiple violations has been mitigated.
On the flip side, plaintiffs’ attorneys may adjust their strategies in response to the amendment. They might focus on pursuing cases where multiple types of biometric data were collected or where different violations of BIPA occurred, thereby increasing the likelihood of securing higher damages. Additionally, the amendment could prompt a shift in focus from class-action lawsuits to individual claims, where the impact of the collective violation rule may be less significant.
What Businesses Should Do Next
In light of this amendment, businesses operating in Illinois or handling biometric data of Illinois residents should revisit their compliance strategies. While the amendment may reduce the number of potential violations, it does not eliminate the need for strict adherence to BIPA’s requirements. Companies should ensure they have robust procedures for obtaining informed consent, securely storing biometric data, and regularly reviewing their compliance practices.
Furthermore, businesses should stay informed about ongoing legal developments related to BIPA, as the amendment is likely to trigger new legal challenges and interpretations. Consulting with experienced legal counsel specializing in privacy law is crucial to navigating this evolving landscape and mitigating potential risks.
Conclusion: The Future of BIPA
The amendment to the Illinois Biometric Information Privacy Act marks a pivotal moment in the realm of biometric privacy litigation. By redefining what constitutes a violation, the amendment has the potential to reshape litigation trends, reduce financial exposure for businesses, and influence biometric privacy legislation in other states. However, it also introduces new challenges and uncertainties that will require careful navigation by businesses and their legal advisors. As the legal landscape continues to evolve, staying proactive in compliance efforts will be key to managing the risks and opportunities presented by this significant change in the law.
At the law firm of Bellas & Wachowski, our team of business lawyers has been advising business owners on the intricacies of employment law and we have represented business owners in lawsuits involving BIPA.