Last week, Illinois Governor JB Pritzker signed S.B. 2979 to amend the Biometric Information Privacy Act (BIPA) immediately to define the repeated collection of the same biometric data without consent as a SINGLE, COLLECTIVE violation of the Act–this is a significant change. The precedent set by the Illinois Supreme Court in February 2023 in Cothron v. White Castle Sys. Inc., which permitted the plaintiffs to seek damages for “every scan or transmission” of biometric information without consent, is altered by this amendment. It will, in fact, reduce the amounts of damages sought by plaintiffs in BIPA class actions. Perhaps this amendment will even reduce the volume of litigation of BIPA claims. With this change, companies will likely see lower sums sought in BIPA suits and more likelihood that their insurers will cover these claims. Of course, insurers may still be hesitant to pay BIPA claims after years of disagreement with businesses over the Illinois law.

What does BIPA require? The Act requires businesses to collect and store biometric data from employees and consumers only with prior written consent. The big difference between BIPA and other state privacy laws is that BIPA provides a private right of action, allowing consumers to seek $1,000 for each negligent violation and $5,000 for each intentional or reckless violation. The first defendant in a BIPA case paid $75 million to settle the case after the jury determined that the defendant had violated the privacy rights of thousands of its employees. The amendment addresses how violations are counted for damages calculations but doesn’t change the fact that consumers still can seek upwards of $5,000 per violation. Further, the amendment doesn’t state whether the change applies retroactively, so the courts are left to decide on that question.

As far as the insurers go, there will still be questions about whether insurance policies cover BIPA claims. Many policies exclude coverage for federal or state law violations, which some insurers argue bars coverage of BIPA claims. On the other hand, some cyber and employment liability policies are clearer on coverage for BIPA claims. So, while this amendment may not have the answers for insurers, it could at least give insurers more clarity around expected damages in BIPA litigation, which will, in turn, provide more clarity in the ability to underwrite these claims, too. Of course, similar to the cyber insurance arena, the underwriting and application process will likely include more specific questions about compliance with BIPA and how the business obtains consent from employees and consumers. We’ll see how this amendment changes the trends.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.