Businesses Collecting (or Considering Collecting) Biometric Data Client Alert: Illinois Legislature Passes Bill to Amend Biometric Information Privacy Act

07.18.24

If your business collects, or is considering collecting, biometric data, you should be aware of a proposed change in the Illinois Biometric Privacy Act (“BIPA”). BIPA became effective in 2008. Alleged violations under BIPA have resulted in numerous lawsuits and defendants’ (businesses’) liability for substantial damages.¹ On May 16, 2024, the Illinois State Legislature passed a bill, Senate Bill 2979, to amend BIPA. Assuming Illinois Governor J.B. Pritzker signs it, the BIPA amendments will take effect immediately. SB 2979 would limit BIPA damages and provide for electronic consent.

The BIPA proposed amendments in SB 2979 include:

• A private entity that collects or discloses a person’s biometric data without consent can only be found liable for one BIPA violation per person regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient. Proposed 740 ILCS 14/20(b) and (c)) modifies the 740 ILCS 14/20(a) text “A prevailing party may recover for each violation….” interpreted by the courts as a “per scan” damages calculation.²

• Written consent for collection of biometric information will now include electronic signatures. 740 ILCS 14/10 (Definitions) as amended added a new definition: “electronic signature” and included it as part of a “written release.” This amendment highlights businesses’ need to review their contracts with vendors providing biometric devices. The review should include clarity of functional specifications, plus vendor warranties and indemnifications concerning the biometric device’s abilities to capture, record, and preserve, electronic signatures.

It is important to note that SB 2979 does not eliminate all liabilities for violations under BIPA. Hypothetically, a business with a large number of employees or customers could still be liable for substantial damages. For example, if a business with 1,000 employees or customers for whom they collected biometric data was found to have intentionally or recklessly violated BIPA and is subject to liquidated damages of $5,000 or actual damages, then damages could be $5,000,000 (=$5,000 x 1,000) plus reasonable attorneys’ fees and costs. The legal analysis would be subject to the facts and the applicable law, but even with the SB 2979 BIPA amendments, BIPA violations can still result in substantial damages.

The bottom line is that the courts and the legislature will continue to have to address the tension between the 2008 Illinois legislative findings underlying BIPA and potentially excessive BIPA damages awards. This analysis should consider evolving artificial intelligence (“AI”) software’s potential to provide humanity with many benefits, but also risks, and AI’s use of biometric data (and ability to copy that biometric data). Legislators and the courts will need to consider the opportunities and risks these, and other, technologies present to society, and strive to achieve a judicial and legislative balance that will maximize the beneficial opportunities of these technologies, and contain, mitigate, or remove the risks.

If you have any questions about this alert or require assistance in dealing with the legal implications of your business using biometric data, please contact Alan S. Wernick or the Aronberg Goldgehn attorney with whom you regularly work.

For more information, please see Business Law Today’s full-length article by Alan S. Wernick on this topic.
__________________________________________
¹Many BIPA defendants paid these damages pursuant to a settlement agreement.
²740 ILCS 14/20 effective in 2008 did not have subparts (b) and (c) proposed in SB 2979.