On May 16, the Illinois legislature passed an amendment to the Biometric Information Privacy Act (“BIPA”) limiting recovery for violations of the law. Under the amendment, a business that collects a biometric identifier (e.g., a fingerprint) multiple times from the same person in violation of BIPA is liable only for a single violation. Under existing law, businesses that violate BIPA are liable for $1,000 in damages per violation and $5,000 in damages per “intentional or reckless” violation [1]. The legislation, SB2979 [2], now goes to Governor J.B. Pritzker for his signature.
The bill would overrule the Illinois Supreme Court’s decision in Cothron v. White Castle Sys. [3], which held that a BIPA violation accrued each time a business improperly collected a biometric identifier from an individual. Under Cothron, a business using a fingerprint time clock could be liable for hundreds of violations per individual per year. For example, a business that employs 1,000 hourly workers that each work an average of 245 days a year and use a fingerprint time clock to clock in and out of work could be liable for $490 million in BIPA damages for just a single year of violations (1,000 workers x 490 fingerprint collections x $1,000 damages per violation). If the jury were to find that the BIPA violations were “intentional or reckless”, damages could reach as high as $1.2 billion (at $5,000 in damages per violation). If SB2979 were to become law, that same business would be liable for a maximum of $1 million in damages (or $5 million if the violations were “intentional or reckless”).
Regardless of this potential change, BIPA remains a significant risk to businesses that do not comply with the law. Any entity doing business in Illinois should regularly review its compliance with the law.
[1] 740 ILCS 14.