BIPA Amended to Limit Damages


Lawmakers Amend BIPA

When a class action lawsuit against the fast food chain White Castle teed up what could have been a $17 billion verdict, the Illinois Supreme Court decided to “respectfully suggest” that the state legislature revisit and clarify certain provisions of the Biometric Information Privacy Act (BIPA) of 2008.

That act, as originally written, held that employers who did not obtain employees’ permission when using their fingerprints or other biometric information like face scans in the course of their jobs—or who overlooked the same step if collecting similar information from customers—would be on the hook for $1,000 per “negligent” violation or $5,000 per “reckless” or “intentional” violation. For example, if a fingerprint ID system was used to sign in/out at work, each sign-in and each sign-out was a separate violation, which could cost the employer $1,000 each time an employee signed in or signed out.

More than 2,000 lawsuits have been filed since about 2018 under BIPA—the only state legislation of its kind—and among the fattest payouts has been the $650 million coughed up by Facebook in 2020, resulting in roughly $400 payments to more than 1 million residents of Illinois.

While White Castle settled its case (Cothron v. White Castle) for $9.4 million, the legislature nonetheless took the Illinois Supreme Court up on its suggestion and passed an amendment to the act that limits damages to one fine per initial collection of biometric data, as opposed to one fine per usage of said data.

This could reduce exposure by orders of magnitude, given that employees of an organization like White Castle could potentially scan their fingerprints dozens of times in a given shift. However, as under the original act, Illinois businesses still remain liable if they fail to get consent from employees (or customers) before collecting data, and/or if they either don’t have a storage policy in place for that data or don’t properly protect the data.

The amendment to BIPA, known as SB 2979, makes a second significant change, specifying that businesses can get employee or customer consent based on an “electronic signature,” further clarifying the original law, which referred only to a “written release.” Electronic signature is defined as an electronic “sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with an intent to sign the record.”

The amendment does not make two other changes that business groups would have liked to see: it applies only prospectively, not retroactively, which means that lawsuits currently in the pipeline will proceed based on the original BIPA. And the amendment does not protect data centers from lawsuits alleging that they stored biometric information that violated the law.

While perhaps breathing a sigh of relief at the reduced exposure, Illinois businesses nonetheless should keep their eyes on the BIPA burger and make sure they are in compliance to avoid future lawsuits—even though they are likely to be closer to slider-sized.