On August 2, Illinois formally amended its Biometric Information Privacy Act (BIPA) to limit the financial penalties assessed against companies operating in the state, specifically when these entities illegally obtain or sell biometric identifiers. In the wake of ballooning penalties inflicted on companies operating in the state, SIIA supports the amendment as a first step toward limiting the runaway “sue and settle” strategies employed by the plaintiff’s bar under BIPA. We are particularly encouraged to see Illinois take this important step because BIPA’s pre-amendment language not only mandated a statutory damages multiplier, but did so without requiring injury to consumers – leading to sizable and frequent suits. Like other states, which accordingly avoided this language when drafting their own biometrics bills, we are pleased to see Illinois walking away from this unworkable framework.
The amendment, which was approved by the Illinois Legislature in May and signed by Governor Pritzker, provides “that a private entity that more than once collects or discloses a person’s biometric identifier or biometric information from the same person in violation of the Act has committed a single violation for which the aggrieved person is entitled to, at most, one recovery.” Going forward, multiple violations related to an individual’s biometric data will then be counted as a single violation.
Prior to the change, BIPA required entities operating in the states to obtain express written consent for the collection or use of biometric data. The law permitted alleged victims of companies illegally obtaining and selling their identifiers to sue for damages up to $1000 for each negligent violation, and $5000 for each intentional or reckless violation.
The amendment effectively overturns the 2023 Illinois Supreme Court Ruling holding that companies could be held liable for each time they misused a person’s private information – not only the first time. The change is almost certain to significantly reduce potential damages and settlement values associated with BIPA claims.
Notably, BIPA is unique among biometrics laws on the books in that it permits individuals to sue for damages in the first place. Although other states, such as Colorado, have passed laws substantively similar to BIPA, none include BIPA’s private right of action (PRA). The PRA has received widespread criticism for its uncapped penalties associated with foot fault violations – and even “white hat” efforts associated with the collection of biometrics, such as anti-fraud and consumer identification technologies.
In addition to lowering damages, the amendment and recognition of the excesses of BIPA’s PRA is likely to limit BIPA copycats in other states – particularly those that contain rights of action with similar language.