By: Michael J. Morrison & Madeline F. Kelleher
On August 2nd, 2024, Governor Pritzker signed into law Senate Bill (SB) 2979, amending the Illinois Biometric Information Privacy Act (BIPA) by curbing the potential for massive damages and modernizing the law’s written consent provisions.
Background
The BIPA was enacted in Illinois in 2008, becoming the first major biometric privacy law in the United States. The BIPA has been a landmark piece of legislation in protecting individuals’ biometric data, such as fingerprints, facial recognition data, and other unique biological identifiers. Generally, it (1) requires private companies to publicly post a general notice about the company’s biometric data retention periods; (2) requires private companies to specifically notify and obtain written consent releases from persons before collecting their biometric identifiers and biometric information; and (3) bans private companies from selling or trading personal biometric data for profit.
Prior to SB 2979’s enactment, the BIPA allowed anyone aggrieved by a violation of the BIPA to bring suit seeking damages of either $1,000 per violation for negligent violations or $5,000 per violation for intentional or reckless violations, with each scan, fingerprint, or voiceprint being a separate actionable violation. As you can imagine, this has posed significant challenges for some businesses, leading to a wave of litigation over alleged non-compliance and payments of thousands in damages per plaintiff.
Understanding SB 2979’s Impact
SB 2979 addresses some of the challenges posed by the BIPA by amending specific provisions, including:
- Limited Aggregation of Violations. Most significantly, SB 2979 reduces an individual’s right of recovery to one single violation of the BIPA regardless of the number of times a company collects, discloses, or otherwise obtains or distributes an individual’s biometric identifier or biometric information using the same method of calculation. Further, an individual aggrieved by a violation of the BIPA may now only recover one time for such violations if the private company used the same method of collection for each violation.
- Clarified Consent Requirements. SB 2979 adds a formal definition for the term “electronic signature,” and specifies that a “written release” now includes an employee’s electronic signature.
How Kelleher + Holland, LLC Can Help You
Private businesses that collect individuals’ biometric identifiers or biometric information need to be proactive in understanding and complying with the BIPA. Kelleher + Holland, LLC is well-positioned to assist you in navigating the rules and requirements. Our team of experienced attorneys can provide comprehensive support in the following areas:
- Compliance Audits: We can help you conduct thorough audits of your current practices to ensure they meet the BIPA standards, minimizing the risk of litigation.
- Policy Development: Our professionals can assist in drafting or revising your biometric data policies to align with the new legal requirements, ensuring your business remains compliant.
- Employee Training: We offer training sessions for your employees, helping them understand the importance of biometric data privacy and the role they play in maintaining compliance.
- Litigation Defense: If your business faces litigation under BIPA, our skilled litigators are ready to defend your interests, leveraging the latest legal developments to build a robust defense strategy.
Preparing for the Future
With these important changes to the BIPA in place, now is the time for Illinois employers to take action. Being prepared is crucial. Kelleher + Holland, LLC is here to guide you through these changes, ensuring your business stays compliant and protected. If you have any questions about how SB 2979 could affect your business or need assistance with the BIPA compliance, contact Kelleher + Holland, LLC today. Our team is ready to help you navigate the complexities of biometric data privacy and safeguard your business’s future.