2024 Amendments to Illinois’ Biometric Information Privacy Act (BIPA)

In August 2024, Illinois made significant amendments to its Biometric Information Privacy Act (BIPA), a law that has been the cornerstone of biometric privacy regulation in the state since its inception in 2008. These amendments have brought about much-needed relief to organizations by reducing the potential for crippling financial penalties. However, while the changes alleviate some of the legal pressures, they also underscore the continued importance of compliance for companies that collect biometric data. 

The amendments to BIPA were signed into law by Governor J.B. Pritzker on August 2, 2024, and they represent a response to growing concerns from businesses about the astronomical damages they could face under the original law. The most notable changes include the modification of damage calculations, the recognition of electronic signatures for consent, and the potential limitations on retroactive application. This blog will explore these key changes, their implications for employers, and what steps businesses should take to ensure ongoing compliance with BIPA. 

Key Changes in BIPA: Reduced Damages and Modernized Consent
Reduced Damages Exposure

One of the most significant changes brought about by the 2024 amendments is the reduction in potential damages that employers can face under BIPA. Previously, each individual instance of biometric data collection without proper consent was treated as a separate violation. This led to a situation where businesses could be held liable for thousands or even millions of dollars, as each biometric scan or use could accrue penalties of $1,000 or $5,000 depending on the nature of the violation. 

  • Pre-Amendment Liability: Employers were at risk of massive damages due to the “per scan” violation rule. For example, a company that used finger scans for employee timekeeping could be penalized for every single scan made without the proper consent, resulting in potential class action settlements in the hundreds of millions of dollars. 
  • Post-Amendment Liability: The new amendments limit liability to a single violation per individual, regardless of the number of scans collected in the same manner. This change effectively caps the potential damages, making it less likely that companies will face ruinous financial penalties.

Recognition of Electronic Consent

Another important update is the formal recognition of electronic signatures as valid written consent for the collection and use of biometric data. This change aligns BIPA with modern business practices, where electronic agreements are commonplace. 

  • Simplified Compliance: The amendment simplifies the process for obtaining consent, allowing businesses to use digital methods such as clickwrap agreements, emails, or text messages to secure written consent from employees or consumers. 
  • Practical Implications: For companies already using or planning to implement biometric technologies, this change provides a more streamlined and efficient way to meet compliance requirements, reducing the administrative burden associated with collecting and storing physical signatures.

Potential Challenges and Considerations for Employers

Retroactive Application Uncertainty

While the amendments to BIPA are a significant step forward, they do not explicitly apply retroactively. This lack of clarity leaves open the possibility that courts may still apply the old “per scan” rule to violations that occurred before the law was amended. 

  • Ongoing Litigation Risks: Companies facing lawsuits for biometric data collection that occurred prior to August 2024 may still be at risk of substantial damages, depending on how courts interpret the applicability of the new rules. Employers should closely monitor ongoing litigation to understand how these cases are resolved. 
  • Discretionary Damages: The Illinois Supreme Court’s ruling in *Cothron v. White Castle System, Inc.* emphasized that while damages under BIPA are discretionary, courts have the authority to modify them. This means that even under the new amendments, there is still a risk of significant financial exposure if a court chooses to exercise its discretion unfavorably.

Implications for Employers Outside Illinois

Although the recent BIPA amendments apply only to Illinois, the changes signal a broader trend that could impact businesses across the United States. Several other jurisdictions, including Texas, Washington State, and New York City, have enacted or are considering similar biometric privacy laws.

  • Proactive Compliance: Employers operating in multiple states or considering the adoption of biometric technologies should review their compliance strategies not just in Illinois, but in all jurisdictions where they do business. 
  • Future Legislation: As biometric technologies become more prevalent, it is likely that more states will introduce or tighten their own biometric privacy laws. Staying ahead of these changes by implementing robust compliance frameworks will be crucial for avoiding legal pitfalls.

Navigating the New BIPA Landscape

The 2024 amendments to Illinois’ Biometric Information Privacy Act provide significant relief to employers by curbing the potential for devastating financial penalties and modernizing the law to reflect current digital practices. However, these changes do not eliminate the need for diligent compliance. Employers must remain vigilant, particularly with the uncertainties surrounding the retroactive application of the new rules and the potential for similar legislation in other states. 

To navigate this evolving legal landscape, businesses should: 

  • Review and Update Policies: Ensure that all biometric data collection and storage practices are in full compliance with BIPA and other relevant laws. 
  • Obtain Proper Consent: Utilize the new electronic signature provisions to simplify the consent process while ensuring that all consent is clearly documented and stored. 
  • Monitor Legal Developments: Stay informed about ongoing litigation and potential changes in biometric privacy laws across other states. 

By taking these steps, employers can mitigate risks, protect themselves from costly litigation, and maintain the trust of their employees and customers in the responsible handling of biometric information. For information on how Truyo helps organizations comply, from consent management to policy updates, reach out to hello@truyo.com.


Author

Dan Clarke
President, Truyo
August 21, 2024