What happened?

On May 16, 2024, SB 2979 was passed by the Illinois Legislature. This bill amended the Illinois Biometric Information Privacy Act (BIPA), to limit damages available to aggrieved parties and expand how organizations can obtain consent under the law.

What are the details?

SB 2979 amends BIPA’s “per scan” violation framework, as established by the Illinois Supreme Court in Cothron v. White Castle System, Inc. This change responds to calls from the Illinois Legislature and the Illinois Chamber of Commerce for BIPA reform to protect businesses from excessive financial liabilities following the Cothron case.

Key Bites

• Limitation of Damages: The amendment limits potential liability for employers by stating that repeated collection or disclosure of a person’s biometric data constitutes a single violation. This means aggrieved employees (or any person) can only recover damages for one violation.

• Consent Mechanism: The bill provides entities with more flexibility in how they obtain consent from people for the collection, storage, and use of biometric data, including through an electronic signature.

• Reduced Litigation Risk: By clarifying the terms of the BIPA, the bill may help reduce the risk of litigation for employers. Employers who comply with the clarified terms of the BIPA are less likely to face lawsuits from employees and customers.

• Increased Compliance Requirements: The bill underscores the importance of compliance with the BIPA, ensuring they have proper consent mechanisms in place and that they are not necessarily collecting or disclosing biometric data.

For a short breakdown of what is BIPA.

Business Considerations

• If the bill is signed into law, it is recommended that employers should:
  • Review their policies and practices related to biometric data to ensure they are in line with the amended law.
  • Establish clear consent mechanisms, including the use of digital consent forms due to the new law allowing electronic signatures.
  • Limit data collection, only collecting biometric data when necessary and avoiding repeated collection to minimize potential violations (also known as data minimization best practice).
  • Communicate clearly with employees, informing them about their rights and obligations under the amended BIPA, the changes and their implications, and the measures taken to protect their biometric data.

Source References

• SB 2979
• Illinois Legislature Amends BIPA To Limit Damages And Expand Consent Options (Thompson Hine LLP.)

Resources

• Cothron v. White Castle System, Inc

This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.