Fingerprint Biometric Authentication Button. Digital Security Concept

Quick Hits

  • Illinois’s Privacy Act does not provide for per-scan damages, according to a bill that took effect immediately upon the governor’s signature on August 2, 2024.
  • The signing completes the reversal of the Illinois high court decision that the Privacy Act is violated on each and every unlawful scan or transmission of biometrics.
  • The law clarifies that multiple alleged scans or disclosures of an individual’s biometrics without prior consent constitute a single violation of the Privacy Act.
  • The law’s passage in response to the Cothron majority opinion’s request for clarification confirms the legislature never intended a per-scan damages remedy.

Senate Bill (SB) 2979, which was passed by the Illinois legislature in May 2024, clarifies that when a private entity allegedly collects or disseminates the same biometric identifier or biometric information multiple times in violation of the Privacy Act Section 15(b)’s “notice and consent” and Section 15(d)’s “unauthorized disclosure” requirements, the entity has committed only a single violation.

SB2979 comes in response to the state supreme court’s decision Cothron v. White Castle System, Inc., which construed the plain language of the Privacy Act to mean the act is violated with each unlawful scan or transmission and allowed recovery for per-scan damages. That interpretation had opened the door for potentially catastrophic damages awards. Section 20 of the Privacy Act provides for statutory damages of $1,000 for negligent violations and $5,000 for intentional or reckless violations.

Clarifying the Privacy Act

In the Cothron majority opinion, the court raised concerns over whether it was accurately construing the plain language of BIPA to provide for per-scan damages.  It asked the “legislature [to] review these policy concerns and make clear its intent regarding the assessment of damages.”

The legislature passed SB 2979, which expressly prohibits per-scan damages, in answer to the court’s question as to whether the legislature originally intended the Privacy Act to provide for per-scan damages. Specifically, SB 2979 clarifies that the Privacy Act limits plaintiffs to “at most, one recovery.”

Illinois Rep. Ann Williams, the lead sponsor of SB 2979 in the Illinois House of Representatives, told the Chicago Tribune: “This bill addresses the invitation by the court to address damages, and that’s exactly what we’re doing here.”

Thus, SB 2979’s amendments in response to the Cothron majority opinion’s invitation to clarify the Privacy Act, combined with the Privacy Act’s legislative history, indicate that the legislature never intended the Privacy Act to provide for per-scan damages.

E-Signatures

SB 2979 further explicitly recognizes that written consents signed electronically are valid. The law defines “electronic signatures” as “an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.”

Key Takeaways

SB 2979, which took effect immediately upon signing, is a lifeline for employers as they faced potentially excessive damages awards for mere technical violations of the Privacy Act’s requirements on the collection or dissemination of biometric information.

Ogletree Deakins will continue to monitor developments and will provide updates on the Class Action, Cybersecurity and Privacy, Illinois, and Technology blogs as more information becomes available.

Follow and Subscribe

LinkedIn | Instagram | Webinars | Podcasts

Authors


Browse More Insights

Fingerprint Biometric Authentication Button. Digital Security Concept
Practice Group

Technology

Ogletree Deakins is uniquely situated to provide tech employers and users (the “TECHPLACE™”) with labor and employment advice, compliance counseling, and litigation services that embrace innovation and mitigate legal risk. Through our Technology Practice Group, we support clients in the exploration, invention, and/or implementation of new and evolving technologies to navigate the unique and emerging labor and employment issues present in the workplace.

Learn more
Modern dark data center, all objects in the scene are 3D
Practice Group

Cybersecurity and Privacy

The attorneys in the Cybersecurity and Privacy Practice Group at Ogletree Deakins understand that data now accumulates quickly and transmits easily. As the law adapts to technical advancements, we effectively advise our clients as they work to comply with new developments and best practices for protecting the privacy of the data that their businesses collect and retain.

Learn more

Sign up to receive emails about new developments and upcoming programs.

Sign Up Now