wyrick.com

Illinois Adopts Business-Favorable Amendment to Biometric Information Privacy Act

The Illinois Biometric Information Privacy Act (“BIPA”) has posed significant litigation risk to businesses collecting biometric information since its adoption in 2008. Last year, an Illinois Supreme Court decision magnified that risk by holding that a BIPA violation accrues each time biometric information is collected or disclosed without consent.  That holding, coupled with the law’s liquidated damages provision, created the prospect of ruinous damages awards in cases involving recurring biometric information collection or disclosure. The Illinois Supreme Court acknowledged that result, but left it to the Illinois General Assembly to “make clear its intent regarding the assessment of damages” if the General Assembly meant for the law to be interpreted differently.

Last month, the Illinois General Assembly responded to the Illinois Supreme Court’s prompt by amending BIPA to restrain the scope of potential damages in cases involving recurring biometric information collection or disclosure. The amendment also updates and clarifies BIPA’s written consent requirements to expressly allow entities to obtain consent electronically.

This post summarizes the amendment and key considerations for businesses with respect to BIPA compliance.

One Violation Per Person for Biometric Information Collected Through the “Same Method of Collection”

Last year, the Illinois Supreme Court held that a separate BIPA violation accrued every time an entity collects biometric information without consent, or discloses or disseminates biometric information without consent. Thus, for example, if an entity uses a biometric time clock system and required employees to clock in and clock out each day using their fingerprint without obtaining BIPA-compliant consent, each individual clock-in and clock-out on each day the system was used would constitute a separate violation of BIPA.

That holding, paired with BIPA provisions providing “liquidated damages” of $1,000 per negligent violation or $5,000 for intentional violations, created risk of excessive awards where biometric information was repeatedly collected, or repeatedly disclosed, without BIPA-compliant consent.

The amendment passed by the General Assembly effectively undoes that holding by providing that each “aggrieved person is entitled to, at most, one recovery under [BIPA]” in a scenario where an entity collects or discloses biometric information without consent “in more than one instance,” so long as the “same method of collection” is used in each instance. Thus, in the time clock example above, an employee whose fingerprint was repeatedly collected by a time clock system in violation of BIPA when the clocked in and out of work each day would only be entitled to recover for one violation of BIPA.

Electronic Signatures Expressly Permitted

The amendment also clarifies that the “written release” required by BIPA to collect biometric information can be obtained via an “electronic signature,” which is defined as “an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.” This clarification should short-circuit potential plaintiffs’ arguments that consent obtained by electronic means is invalid under the BIPA.

Unclear Whether Court Will Apply the Amendment Retroactively

The amendment does not specifically state whether it applies retroactively.  As a result, violation accrual and electronic signature issues will likely continue to be litigated for claims arising from conduct predating the amendment’s adoption.

Businesses can argue that the amendment should apply retroactively because it was adopted in response to the Illinois Supreme Court’s call for legislative clarification of the BIPA’s meaning, suggesting the amendment is what the legislature meant all along. But because retroactive application is not expressly established by the amendment, it will require a judicial ruling to solidify that interpretation.

Conclusion

While retroactive application of the amendment will likely be litigated, its passage is still a favorable development for businesses subject to BIPA. If you would like assistance with determining with BIPA compliance, please contact any member of the Wyrick Privacy and Data Security team.