left-caret

PH Privacy

Illinois Legislature Passes Major BIPA Amendment

May 17, 2024

By Aaron Charfoos,Adam M. Reich,& Kimia Favagehi

On May 16, 2024, the Illinois Legislature passed SB 2979, which amends the Illinois Biometric Information Privacy Act (BIPA) to clarify that any person whose biometric identifier or biometric information is “scanned” by a private entity (regardless of its frequency) may only recover damages for one violation. This amendment significantly curtails the liability exposure for private entities subject to BIPA, though it is not clear yet what impact, if any, this amendment will have on future litigation filings or BIPA cases previously filed.

Specifically, under SB 2979—

  • A private entity that, in more than one instance, collects, captures, purchases, receives or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of BIPA only commits one single violation, for which the aggrieved party is entitled to, at most, one recovery.
  • A private entity, that in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of BIPA only commits one single violation, for which the aggrieved party is entitled to, at most, one recovery.

SB 2979 significantly changes BIPA’s current “per scan” violation framework, which the Illinois Supreme Court found last year, in Cothron v. White Castle System, Inc., 216 N.E.3d 918 (Ill. 2023), to provide for separate damages for each scan/instance of collection of biometric identifiers or biometric information per plaintiff. Notwithstanding the Cothron decision, as we noted in a previous blog post, the Illinois Supreme Court acknowledged that the correction of potentially excessive awards, which SB 2979 directly takes on, “are best addressed by the legislature.”

Notably, the Illinois Legislature has passed SB 2979 in the wake of failing to do so with several similar bills, including one proposed just last year, HB 3811. While it’s unclear why exactly SB 2979 succeeded over past attempts, there have been growing calls since Cothron from both the Illinois Legislature and the Illinois Chamber of Commerce for BIPA reform to protect businesses from undue financial burdens, as at least three other cases have cited Cothron as a basis for holding defendants potentially liable for significantly more damages.[1]

It is too soon to determine how SB 2979 will impact the BIPA litigation landscape, including for cases previously filed where courts adhered to the same logic ruled on by Cothron, but at minimum, SB 2979 is welcome news for all private entities subject to BIPA.

 

The Paul Hastings Privacy and Cybersecurity practice regularly advises companies on compliance with biometric laws, litigates biometric privacy issues, and monitors the changing landscape of biometric privacy legislation. If you have any questions concerning SB 2979 or biometric privacy legislation, please do not hesitate to contact a member of our team.

 

[1] See Rogers v. BNSF Ry. Co., 680 F. Supp. 3d 1027 (N.D. Ill. 2023); Tapia-Rendon v. United Tape & Finishing Co. Inc., No. 21 C 3400, 2024 WL 406513, at *1 (N.D. Ill. Feb. 2, 2024); Fleury v. Union Pac. R.R. Co., No. 20 C 390, 2023 WL 8621957, at *2 (N.D. Ill. Dec. 13, 2023).

Practice Areas

Data Privacy and Cybersecurity

Privacy and Cybersecurity Solutions Group


For More Information

Image: Aaron Charfoos
Aaron Charfoos

Partner, Litigation Department

Image: Adam M. Reich
Adam M. Reich

Of Counsel, Litigation Department

Image: Kimia Favagehi
Kimia Favagehi

Associate, Litigation Department