A invoice (SB2979) amending Illinois’ Biometric Data and Privateness Act (“BIPA”), handed by each homes of the legislature on Might 16 and now on Governor Pritzker’s desk, successfully overturns a latest Illinois Supreme Courtroom ruling that would have had a catastrophic impact on many corporations working in Illinois.
Reacting to implicit course from the Illinois excessive court docket in its resolution in Cothron v. White Citadel Techniques, Inc., 2023 IL 128004, SB2979 clarified what many beforehand had considered as ambiguous statutory language regarding the variety of occurrences every BIPA violation constituted. SB2979 specifies that illegal assortment or disclosure of a person’s biometric identifier or biometric info constitutes a single BIPA violation no matter what number of occasions it’s repeated. Cothron, in distinction, held {that a} non-public entity violates BIPA “with each scan or transmission of biometric identifiers or biometric info with out prior knowledgeable consent.” Governor Pritzker has as much as 60 days to signal or veto SB2979; he’s anticipated to signal the invoice into regulation.
Taken alone, Cothron might have dealt vital damages to Illinois corporations gathering biometric info. Contemplating that the Cothron resolution got here on the heels of Tims v. Black Horse Carriers, Inc., 2023 IL 127801 – which set the statute of limitations for claims beneath BIPA at 5 years – Illinois corporations have been confronted with probably devastating damages. The newly enacted modification to BIPA has provided entities gathering biometric info some aid.
In Tims, the Illinois Supreme Courtroom held {that a} five-year statute of limitations utilized to claims beneath BIPA. The court docket reasoned that “[i]n mild of the in depth consideration the Basic Meeting gave to the fears of and dangers to the general public surrounding the disclosure of extremely delicate biometric info, it will thwart legislative intent to (1) shorten the period of time an aggrieved social gathering must search redress for a personal entity’s noncompliance with the Act and (2) shorten the period of time a personal entity can be held accountable for noncompliance with the Act.” Accordingly, the various corporations working in Illinois whereas additionally gathering biometric info have been all of the sudden confronted with a five-year look-back interval of legal responsibility for claims beneath BIPA.
Barely two weeks later, Cothron introduced the Illinois Supreme Courtroom with the query of whether or not BIPA claims accrue every time a personal entity collects a person’s biometric identifier, or solely upon the primary scan and transmission. As famous above, the court docket, agreeing with the federal district court docket, held {that a} non-public entity violates BIPA “with each scan or transmission of biometric identifiers or biometric info with out prior knowledgeable consent.” The court docket primarily based its holding on what it perceived to be the intent of the legislature, however included in its evaluation with an implicit suggestion to the legislature each to overview the general public coverage considerations introduced by White Citadel and to make clear its intent concerning the evaluation of damages beneath the Act.
The Illinois Legislature heeded the Supreme Courtroom’s implicit suggestion, and on Might 16, 2024, handed SB2979, which amended BIPA and statutorily overrules Cothron. Primarily, SB2979 states that “a personal entity that greater than as soon as collects or discloses an individual’s biometric identifier or biometric info from the identical individual in violation of the Act has dedicated a single violation for which the aggrieved individual is entitled to, at most, one restoration.”
As soon as signed by Governor Pritzker, will probably be efficient instantly. And thankfully so, for Illinois corporations. The mixture of the Tims and White Citadel choices created a grim actuality for personal entities in Illinois. Successfully, firms may very well be held accountable for 5 years of alleged violations of BIPA, the variety of which violations would have elevated exponentially after White Citadel. Certainly, the White Citadel defendants argued that the damages might have exceeded $17 billion. With the passage and imminent enactment of SB2979, the legislature has offered much-needed aid for White Citadel and different corporations doing enterprise in Illinois.
The modification to BIPA goals to perform two main targets. First, it acknowledges the purpose made by critics – together with the dissent in White Citadel – who argued that biometric info can solely be misplaced as soon as. As soon as an organization has unlawfully collected biometric info akin to a fingerprint, the injury, together with the injury envisioned by the statute itself, has been completed. Thus, these situations embody just one loss per claimant.
Certainly, it’s arduous to rationalize the concept that each further scan is an additional loss to 1’s privateness. Second, a working theme within the Supreme Courtroom’s choices is their reliance on the intent of the Legislature. It’s more likely that BIPA was meant to safe the protected use of biometric info, quite than to cripple and destroy firms who fail to adjust to BIPA. In nudging the legislature to make clear the statute, the Supreme Courtroom properly acknowledged probably unintended penalties stemming from the obvious authentic intent of the statute, and that solely the legislature was empowered to amend it.
Some points stay, most evidently the modification’s lack of retroactivity. That is particularly worrisome for policyholders as a result of after Cothron, BIPA lawsuits reportedly rose by 65%.[1] Thus, these lawsuits probably is not going to be coated by the modification. Moreover, different proposed amendments, akin to HB4686, would have shortened the statute of limitations from 5 years to 1 12 months. The Legislature additionally debated offering a 30-day remedy interval for BIPA violations. Whereas that invoice didn’t make it out of committee, it does recommend doable modification sooner or later.
For now, policyholders dealing with legal responsibility for alleged BIPA violations ought to proceed to look to their insurance coverage program, together with insurance policies akin to Complete Basic Legal responsibility and Employment Practices Legal responsibility (amongst others) to supply protection. Policyholders additionally ought to concentrate on insurance coverage corporations’ continued makes an attempt so as to add biometric or BIPA-specific exclusions to their insurance policies. Equally, if provided endorsed protection particularly for biometric privateness violations, corporations ought to be cautious of insufficient sublimits. To keep away from such protection pitfalls, corporations ought to seek the advice of with brokers and skilled protection counsel to overview each present insurance policies and new or renewal insurance policies.
Whereas the passage of SB2979 might have arrived too late to save lots of White Citadel, it ought to supply a lifeline to corporations discovered to have violated BIPA sooner or later. Corporations and policyholders alike can be sensible to watch further developments within the Illinois Legislature affecting this dynamic space of regulation.
John M. Leonard is a shareholder in Anderson Kill’s New York workplace and co-chair of the agency’s Biometric Legal responsibility Group. John has recovered thousands and thousands of {dollars} for policyholders in a full spectrum of insurance coverage protection issues, together with disputes over enterprise interruption losses, D&O and E&O protection and indemnity, normal legal responsibility losses, and environmental legal responsibility.
James A. Goodridge is an legal professional in Anderson Kill’s New York workplace and a member of the agency’s Insurance coverage Restoration and Company and Business Litigation teams. James recurrently counsels company and particular person policyholders in protection disputes in state and federal court docket.
Seán McCabe is an legal professional within the New York workplace of Anderson Kill and a member of the agency’s White Collar Protection and Insurance coverage Restoration teams.
[1] See, Stephen Joyce and Skye Witley, “Illinois Biometric Privateness Instances Leap 65% After Seminal Ruling”, Bloomberg regulation.com, Might 2, 2023.
