A bill (SB2979) amending Illinois’ Biometric Information and Privacy Act (“BIPA”), passed by both houses of the legislature on May 16 and now on Governor Pritzker’s desk, effectively overturns a recent Illinois Supreme Court ruling that could have had a catastrophic effect on many companies operating in Illinois.
Reacting to implicit direction from the Illinois high court in its decision in Cothron v. White Castle Systems, Inc., 2023 IL 128004, SB2979 clarified what many previously had viewed as ambiguous statutory language concerning the number of occurrences each BIPA violation constituted. SB2979 specifies that unlawful collection or disclosure of an individual’s biometric identifier or biometric information constitutes a single BIPA violation regardless of how many times it is repeated. Cothron, in contrast, held that a private entity violates BIPA “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” Governor Pritzker has up to 60 days to sign or veto SB2979; he is expected to sign the bill into law.
Taken alone, Cothron could have dealt significant damages to Illinois companies collecting biometric information. Considering that the Cothron decision came on the heels of Tims v. Black Horse Carriers, Inc., 2023 IL 127801 – which set the statute of limitations for claims under BIPA at five years – Illinois companies were faced with potentially devastating damages. The newly enacted amendment to BIPA has offered entities collecting biometric information some relief.
In Tims, the Illinois Supreme Court held that a five-year statute of limitations applied to claims under BIPA. The court reasoned that “[i]n light of the extensive consideration the General Assembly gave to the fears of and risks to the public surrounding the disclosure of highly sensitive biometric information, it would thwart legislative intent to (1) shorten the amount of time an aggrieved party would have to seek redress for a private entity’s noncompliance with the Act and (2) shorten the amount of time a private entity would be held liable for noncompliance with the Act.” Accordingly, the many companies operating in Illinois while also collecting biometric information were suddenly faced with a five-year look-back period of liability for claims under BIPA.
Barely two weeks later, Cothron presented the Illinois Supreme Court with the question of whether BIPA claims accrue each time a private entity collects an individual’s biometric identifier, or only upon the first scan and transmission. As noted above, the court, agreeing with the federal district court, held that a private entity violates BIPA “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” The court based its holding on what it perceived to be the intent of the legislature, but included in its analysis with an implicit suggestion to the legislature both to review the public policy concerns presented by White Castle and to clarify its intent regarding the assessment of damages under the Act.
The Illinois Legislature heeded the Supreme Court’s implicit suggestion, and on May 16, 2024, passed SB2979, which amended BIPA and statutorily overrules Cothron. Primarily, SB2979 states that “a private entity that more than once collects or discloses a person’s biometric identifier or biometric information from the same person in violation of the Act has committed a single violation for which the aggrieved person is entitled to, at most, one recovery.”
Once signed by Governor Pritzker, it will be effective immediately. And fortunately so, for Illinois companies. The combination of the Tims and White Castle decisions created a grim reality for private entities in Illinois. Effectively, corporations could be held liable for five years of alleged violations of BIPA, the number of which violations would have increased exponentially after White Castle. Indeed, the White Castle defendants argued that the damages could have exceeded $17 billion. With the passage and imminent enactment of SB2979, the legislature has provided much-needed relief for White Castle and other companies doing business in Illinois.
The amendment to BIPA aims to accomplish two primary goals. First, it recognizes the point made by critics – including the dissent in White Castle – who argued that biometric information can only be lost once. Once a company has unlawfully collected biometric information such as a fingerprint, the damage, including the damage envisioned by the statute itself, has been done. Thus, these instances encompass only one loss per claimant.
Indeed, it is hard to rationalize the idea that every additional scan is a further loss to one’s privacy. Second, a running theme in the Supreme Court’s decisions is their reliance on the intent of the Legislature. It is much more likely that BIPA was intended to secure the safe use of biometric information, rather than to cripple and destroy corporations who fail to comply with BIPA. In nudging the legislature to clarify the statute, the Supreme Court wisely recognized potentially unintended consequences stemming from the apparent original intent of the statute, and that only the legislature was empowered to amend it.
Some issues remain, most evidently the amendment’s lack of retroactivity. This is especially worrisome for policyholders because after Cothron, BIPA lawsuits reportedly rose by 65%.[1] Thus, these lawsuits likely will not be covered by the amendment. Additionally, other proposed amendments, such as HB4686, would have shortened the statute of limitations from five years to one year. The Legislature also debated providing a 30-day cure period for BIPA violations. While that bill failed to make it out of committee, it does suggest possible amendment in the future.
For now, policyholders facing liability for alleged BIPA violations should continue to look to their insurance program, including policies such as Comprehensive General Liability and Employment Practices Liability (among others) to provide coverage. Policyholders also should be aware of insurance companies’ continued attempts to add biometric or BIPA-specific exclusions to their policies. Similarly, if offered endorsed coverage specifically for biometric privacy violations, companies should be wary of inadequate sublimits. To avoid such coverage pitfalls, companies should consult with brokers and experienced coverage counsel to review both existing policies and new or renewal policies.
While the passage of SB2979 may have arrived too late to save White Castle, it should offer a lifeline to companies found to have violated BIPA in the future. Companies and policyholders alike would be wise to monitor additional developments in the Illinois Legislature affecting this dynamic area of law.
John M. Leonard is a shareholder in Anderson Kill’s New York office and co-chair of the firm’s Biometric Liability Group. John has recovered millions of dollars for policyholders in a full spectrum of insurance coverage matters, including disputes over business interruption losses, D&O and E&O defense and indemnity, general liability losses, and environmental liability.
James A. Goodridge is an attorney in Anderson Kill’s New York office and a member of the firm’s Insurance Recovery and Corporate and Commercial Litigation groups. James regularly counsels corporate and individual policyholders in coverage disputes in state and federal court.
Seán McCabe is an attorney in the New York office of Anderson Kill and a member of the firm’s White Collar Defense and Insurance Recovery groups.
[1] See, Stephen Joyce and Skye Witley, “Illinois Biometric Privacy Cases Jump 65% After Seminal Ruling”, Bloomberg law.com, May 2, 2023.
Was this article valuable?
Here are more articles you may enjoy.
USAA Renter’s Insurance Policyholder Charged with Multiple Counts of Fraud 
Personal Auto Driving P/C Insurers to 2024 Underwriting Profit 
How California’s Homeowners Insurance Crisis Is Affecting Brokers 
Fortune 500’s Insured Losses for CrowdStrike Could Reach $1 Billion: Parametrix 
