Biometric Litigation Risks Endure Even Post BIPA Amendment

Enacted in 2008, the Illinois Biometric Information Privacy Act (“BIPA”) regulates the collection and possession of biometric data by private entities operating in Illinois. Biometric data includes, for example, fingerprints, voiceprints, eye scans, and face/hand scans. Notably, BIPA establishes a private right of action, allowing any person to seek damages, attorneys’ fees, and injunctive relief if the person has been aggrieved by a BIPA violation. The statutory damages for BIPA violations are steep, including $1,000 to $5,000 per violation, attorneys’ fees and costs, and the possibility of injunctive relief.

Over the last decade, BIPA litigation surged and a key question emerged relating to the statutory penalties—namely whether a BIPA claim accrues each time a private entity collects or transmits an individual’s biometric data, or only upon the first scan and first transmission. In February 2023, the Illinois Supreme Court held that it is the former. In Cothron v. White Castle System, the Court concluded that claims under Sections 15(b) and 15(d) of the statute “accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively.” The Court further concluded that any “policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature.”

After the Cothron decision, the Illinois General Assembly passed SB2979, which Governor J.B. Pritzker signed into law in August 2024. The bill abrogated Cothron by stating expressly that if a private entity collects the same biometric data from the same person using the same method of collection, the entity commits only a single violation of Section 15(b), and the plaintiff is entitled to at most one recovery under BIPA. Likewise, if a private entity disseminates the same biometric data from the same person to the same recipient using the same method of collection, the entity commits only a single violation of Section 15(d), and the plaintiff is entitled to at most one recovery under BIPA.

The amendment did not address whether it should be applied to pending lawsuits, and the courts thus far to have considered this question are split. On the one hand, at least two federal courts have held that the amendment does apply to pending lawsuits, reasoning that the amendment merely “‘clarif[ied]’ the issue of damages,” and that “clarified intent … must be applied as if it were clear from the date of the BIPA’s enactment.” Gregg v. Central Transport, LLC, No. 24 C 1925, 2024 WL 4766297, at *3 (N.D. Ill. Nov. 13, 2024); see also Amigon v. Old Dominion Freight Line, Inc., No. 24-cv-01934 (N.D. Ill. Nov. 15, 2024). On the other hand, several state courts have held that the amendment does not apply to pending lawsuits because it does not apply retroactively. See Rojo v. Homer Tree Care, Inc., No. 23-L-8588 (Ill. Cir. Ct. Oct. 30, 2024); Gagen v. Mandell Menkes, No. 2023-L-008294 (Ill. Cir. Ct. Oct. 21, 2024); Wallace v. Vee Park, LLC, No. 24-L-4560 (Ill. Cir. Ct. Oct. 10, 2024). This question will continue to be litigated and addressed by additional courts over the coming months.

Looking ahead, the amendment limits BIPA plaintiffs’ maximum recovery, which puts BIPA defendants in a better position than they were in before the amendment, and could give BIPA defendants more settlement leverage. But companies should not interpret this to mean that BIPA litigation risk is going away. Over 60 BIPA complaints have been filed since the Governor signed the amendment into law in August 2024. And there is still the potential of substantial damages, given the significant statutory damages for a single violation. The amendment may also lead BIPA plaintiffs to target cases with larger class sizes—i.e., companies that allegedly collect or possess biometric data from a greater number of people. Companies should thus continue to carefully consider biometric data processing and compliance with BIPA’s requirements. For additional information regarding steps that companies can consider taking to help address BIPA risks, see our prior 2019 and 2023 alerts.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.