Illinois’ first-in-the-nation law that allows residents to sue companies over the improper collection of their biometric information will be slightly less punitive after Gov. JB Pritzker signed a new law late last week.
Lawmakers this spring amended the Biometric Information Privacy Act in response to an Illinois Supreme Court ruling last year that suggested lawmakers clarify the law. That ruling found fast food chain White Castle violated BIPA each time employees scanned their fingerprints in the course of performing their jobs, as the company never obtained employees’ permission to collect their fingerprints.
But under Senate Bill 2979, employees or customers whose fingerprints, retinal scans, voice samples or other unique biometric information were collected by businesses without their permission can only claim one violation of BIPA instead of hundreds. In jobs with fingerprint-enabled time clocks and cash registers or other secure areas that require biometric data scans to access, employees might end up scanning their thumbs or eyes dozens of times per day.Using the old method of accrual, White Castle’s attorneys estimated the company would be on the hook for up to $17 billion in penalties, as the law provides for $1,000 in damages for each “negligent” violation or $5,000 for each “reckless” or “intentional” violation.
Though the eye-popping number made headlines, White Castle earlier this year settled the case for $9.4 million.
Business groups, however, argue that settlement and others like it represent the obvious outcome of the law unique to Illinois, which they argue has incentivized the creation of a cottage industry for ambitious attorneys.
Though technology took years to catch up with the law’s aims, thousands of lawsuits have been filed – especially since they began to take off around 2018 – including a few that have resulted in high-profile settlements, such as a $650 million class-action payout from Facebook in 2020.
While some business groups were supportive of the reforms, others claimed they did not go far enough.
Chicago-based attorney Danielle Kays of Fisher & Phillips LLP, who represents companies facing BIPA challenges, told Capitol News Illinois that the amendment “can be seen as a step in the right direction” but said it’s up to the courts to interpret the update to the law.
“This isn’t the full reform that most businesses probably want – or that is warranted, given that still no plaintiff has actually been harmed by BIPA violations,” she said.
Because there have been no data breaches that have led to anyone’s fingerprints or other biometric information being stolen, Kays and others say lawmakers should further amend BIPA to allow businesses to cure violations before facing a lawsuit. A business is in violation of BIPA if it doesn't have a storage policy in place, doesn't properly protect the data, or if it does not get consent from customers or employees for the data being collected.
The amendment also made it easier for companies to get consent from customers or employees.
While the old law required “informed written consent” for the collection of fingerprints and other biometric data, businesses can now obtain that consent via an electronic signature, which the bill defines as an “electronic sound, symbol, or process.”
Kays also noted that there was an uptick in BIPA cases filed between May – when lawmakers passed the amendment – and the end of July.
“We track the cases on a daily basis and BIPA filings have been fairly consistent but there, of course, have been ebbs and flows,” she said. “One could conclude that the plaintiffs were trying to file the lawsuits before the BIPA amendment went into effect.
