The Illinois General Assembly recently passed Senate Bill 2979 (SB 2979), an important piece of legislation that makes several much-needed amendments to the Illinois Biometric Information Privacy Act (BIPA). SB 2979 is now at Illinois Governor J.B. Pritzker's desk, where it is expected to be signed into law.
SB 2979 is a notable development for all companies that use biometric technologies, as it alters the accrual of BIPA statutory damages from its current per-scan method of calculation to the much more conservative per-person method – tangibly reducing the scope of liability exposure faced by businesses for mere technical or procedural BIPA non-compliance. SB 2979 also clarifies that BIPA-valid consent can be obtained through electronic means, including an "electronic sound, symbol, or process." SB 2979 will go into effect immediately upon becoming law.
Background
In January 2019, the Illinois Supreme Court issued its seminal BIPA opinion in Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, holding that actual injury or harm is not required for recovery under the Illinois biometrics statute. Instead, mere technical or procedural non-compliance is sufficient to obtain BIPA's statutory damages awards of $1,000 to $5,000 per violation of the law. Since Rosenbach, companies have faced an unrelenting torrent of BIPA class action lawsuits, which have continued at a rapid pace for over five years now.
In February 2023, the Illinois Supreme Court further altered the legal landscape with its decision in Cothron v. White Castle Sys., Inc., 2023 IL 128004, holding that separate BIPA claims accrue each time biometric data is collected or disclosed in violation of the law, as opposed to only the first instance of non-compliance. Cothron expanded the scope of potential BIPA liability exposure exponentially, as the opinion paved the way for the recovery of statutory damages for each instance of BIPA non-compliance – not just the first violation. After Cothron, companies faced the real threat of millions, if not billions, in BIPA liability exposure, even in the absence of any tangible injury or harm.
The Cothron court recognized this issue, noting that BIPA, in its original form, exposed private entities to potentially "ruinous" damages. Ultimately, however, the Illinois Supreme Court found these policy-based concerns about potentially excessive statutory damages awards were best addressed by the Illinois legislature, and not the Court. While Cothron deferred to the legislature, it also voiced the need for the Illinois General Assembly to review these policy concerns and "make clear its intent regarding the assessment of damages" under BIPA.
Key Aspects of SB 2979
Per-Person Cap on BIPA Statutory Damages Awards
SB 2979 is a direct response to Cothron, as it legislatively overrules the continuing violation theory of claim accrual (i.e., that a BIPA violation occurs for each and every unlawful collection or transmission of biometric data) adopted by the Illinois Supreme Court in its 2023 Cothron decision. SB 2979 does so by providing that "an aggrieved person is entitled to, at the most, one recovery . . . regardless of the number of times" a violation of BIPA's collection- and disclosure-related obligations occurs – significantly limiting the recovery of statutory damages under Illinois's biometrics statute.
Thus, where a private entity repeatedly collects an individual's biometric data using the same method of collection in violation of Section 15(b), 740 ILCS 14/15(b), the aggrieved party is limited to a single recovery of statutory damages. Similarly, where a private entity repeatedly discloses an individual's biometric data to the same recipient in violation of Section 15(d), 740 ILCS 14/15(d), the aggrieved party is likewise limited to a single recovery of statutory damages.
Obtaining Consent Through Electronic Means
SB 2979 also provides clarity on how companies can obtain valid consent from data subjects for purposes of satisfying the law's informed consent mandate. SB 2979 does so by adding the defined term "electronic signature," which means "an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record." The amendments also add electronic signature to BIPA's definition of "written release," i.e., defining written release as "informed written consent, electronic signature, or, in the context of employment, a release executed by an employee as a condition of employment."
Analysis and Takeaways
Much-Needed Limits on Runaway BIPA Statutory Damages Awards
SB 2979 provides welcome relief for companies that face liability exposure under BIPA, as moving forward, recoverable statutory damages for violations of BIPA Section 15(b) and 15(d), in most instances, will be limited to a single recovery (i.e., at the most $1,000 for negligent violations and $5,000 for intentional or reckless violations).
Guidance on Permissible Methods for Collecting Consent
In addition, prior to SB 2979, it was unclear whether BIPA-compliant consent (referred to as a written release in BIPA's statutory text) could be obtained through clickwraps and similar electronic means. SB 2979 resolves that uncertainty with its addition of the defined term "electronic signature."
This aspect of SB 2979 will likely serve as a critical aid to a broad range of companies in their efforts to obtain BIPA-compliant consent. This is particularly so with respect to companies that develop, supply, or use voice biometric systems, such as call centers that feature voice authentication/verification technology, for which "written" consent presents a very thorny challenge in many instances. SB 2979 arguably makes a variety of non-traditional methods of obtaining consent valid for purposes of BIPA compliance, including, for example, the following:
- sending customers emails or text messages providing BIPA-compliant notice and consent language, with instructions for the customer to submit a response to the message as prompted, such as replying "Yes" – with the response constituting an electronic "process" that meets the definition of electronic signature; and
- requesting verbal consent for the collection and use of customers' biometric data – with the customer's verbal response constituting an electronic "sound" that meets the definition of electronic signature.
In addition, this aspect of SB 2979 will also likely end attempts by the plaintiff's class action bar to invalidate timely executed written consents merely because they were obtained via an electronic method.
Retroactive Application
SB 2979 does not expressly state that these BIPA amendments are to apply retroactively to currently pending class action litigation. With that said, under Illinois's retroactivity test, fairly strong arguments exist for the retroactive application of SB 2979 to cap statutory damages on a per-person basis for active BIPA class action litigation pending at the time SB 2979 becomes law.
What Companies Should Do Now
SB 2979 significantly curtails the scope of liability exposure faced by companies for purported BIPA compliance missteps. By limiting statutory damages to a single recovery per individual in connection with violations of Section 15(b) or 15(d), companies in most instances will no longer face the prospect of potentially "annihilative" damages awards that greatly outpace any privacy harms associated with technical or procedural non-compliance.
With that said, SB 2979 leaves in place the law's private right of action and does not alter BIPA's core legal requirements or restrictions. Further, SB 2979 does not amend the calculation of statutory damages for violations of BIPA Sections 15(a), 15(c), or 15(e). Assuming SB 2979 is signed into law by the Illinois governor, the enterprising plaintiff's class action bar may turn their attention to these other aspects of BIPA as the basis for future BIPA class action lawsuits.
Taken together, these points make it unlikely that this round of BIPA reform will significantly curtail the high volume of BIPA class action filings. At the same time, it is also unlikely that SB 2979 will have any meaningful impact on BIPA settlement value, as the vast majority of BIPA settlements do not factor in, or otherwise take into consideration, the potential recovery of per-scan statutory damages awards.
BIPA will remain a significant source of legal risk and liability exposure for companies that develop, supply, or use biometric technologies. As such, companies should review their current biometrics compliance practices to evaluate their level of alignment with BIPA and similar biometrics statutes and regulations. In particular, companies should review their current mechanisms for obtaining consent from data subjects to ascertain whether such practices are compliant based on SB 2979's new definition of "electronic signature."
Baker Donelson's Biometrics Team Can Help
As many companies know, assessing whether organizational biometrics practices are compliant with BIPA is an extensive, complex, and time-consuming endeavor. To manage this task and limit associated costs, companies should seek the involvement of experienced outside biometrics counsel, who can provide key guidance and insight to streamline the compliance program evaluation and modification process.
Baker Donelson's Biometrics attorneys regularly counsel clients on the use of biometric technologies in their businesses, and provide guidance on the current and anticipated legal and regulatory landscape that must be addressed when using this cutting-edge technology.
More importantly, our dedicated Biometrics Team is well-versed and experienced in working closely with clients to complete gap analyses and formulate practical remediation action plans to facilitate compliance with the full range of current and proposed biometrics regulations across the globe, including BIPA.
For more information or assistance with BIPA compliance, or if you have any questions about how SB 2979 may impact your organization's biometrics practices, please contact David Oberly or another member of Baker Donelson's Biometrics, Artificial Intelligence, or Data Protection, Privacy, and Cybersecurity Team.