On April 11, 2024, the Illinois Senate passed Senate Bill (SB) 2979, which would stop statutory damages under the Privacy Act from accruing for each unlawful collection or dissemination of an individual’s biometric information.

Quick Hits

  • The Illinois legislature is considering a bill that would amend the Privacy Act to prohibit statutory damages per violation from accruing per scan.
  • The bill comes in response to an Illinois Supreme Court decision holding that the Privacy Act claims accrue per scan.

The Privacy Act provides for statutory damages of $1,000 or $5,000 per violation. SB2979 would amend the Privacy Act to clarify that when a private entity in multiple instances collects or disseminates the same biometric identifier from the same individual in a way that violates the act, it is considered a single violation.

The bill comes in response to the February 2023 Supreme Court of Illinois decision in Cothron v. White Castle System Inc. in which the court held that the plain language of the Privacy Act “demonstrates that … violations occur with every scan or transmission.” The Illinois Supreme Court later declined to reconsider the decision despite concerns raised by the business community.

The ruling allows for potential excessive damages awards because unlawful scans or transmissions may occur multiple times per day and quickly accrue. The majority in Cothron recognized the potential issue with per-scan damages, and called on the “legislature [to] review these policy concerns and make clear its intent regarding the assessment of damages.”

Next Steps

The traction SB2979 is gaining in the Illinois legislature suggests that lawmakers recognize the business community’s concerns with per-scan damages. The bill recently moved out of the House Judiciary-Civil Committee and hope remains that it will pass by the end of the 2024 legislative session, which is set to adjourn on May 24, 2024.

Ogletree Deakins will continue to monitor developments and will provide updates on the Class Action, Cybersecurity and Privacy, Illinois, and Technology blogs as more information becomes available.

Follow and Subscribe

LinkedIn | Instagram | Webinars | Podcasts


Browse More Insights

Modern dark data center, all objects in the scene are 3D
Practice Group

Cybersecurity and Privacy

The attorneys in the Cybersecurity and Privacy Practice Group at Ogletree Deakins understand that data now accumulates quickly and transmits easily. As the law adapts to technical advancements, we effectively advise our clients as they work to comply with new developments and best practices for protecting the privacy of the data that their businesses collect and retain.

Learn more
Practice Group

Class Action

Our class action lawyers are veterans. We have decades of experience handling numerous types of federal and state law class and collective actions, such as those arising under Title VII, the Age Discrimination in Employment Act, the Employee Retirement Income Security Act, and the Fair Labor Standards Act.

Learn more

Sign up to receive emails about new developments and upcoming programs.

Sign Up Now