Illinois Lawmakers Moving Forward with Bill to Cap Penalties for “Per Scan” Violations under BIPA

Last April, the Supreme Court of Illinois found that a claim under the Biometric Information Privacy Act (“BIPA”) accrues each time a private entity collects or disseminates a biometric identifier or biometric information.[1]  The resulting damages awards could be astronomical.  The Illinois legislature is now stepping in to correct the court’s decision.

In the Illinois Supreme Court case, Cothron v. White Castle Systems, Inc., a White Castle employee brought a BIPA claim challenging the company’s system under which its employees had to allegedly scan their fingerprints to access computers and pay stubs.  The Supreme Court rejected White Castle’s interpretation that a BIPA claim in such a case could only accrue once, at the time when the biometric data (here, the initial fingerprint) was initially collected or disclosed.  Under the holding, instead, a separate BIPA claim accrues each time a private entity scans or transmits biometric identifiers or information. 

BIPA authorizes a statutory damage award of $1,000 for each negligent violation, or $5,000 for each intentional or reckless violation.  Even an individual claimant could have a claim for hundreds of thousands of dollars. 

Cothron included one silver lining: the Illinois Supreme Court noted in dicta that it “appears the General Assembly chose to make damages discretionary rather than mandatory under the Act,” by noting that BIPA’s damages provision states only that a “prevailing party may recover.”[2]  Further, the court indicated “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.”[3] 

In response to the case, Illinois lawmakers have taken it upon themselves to correct the extreme consequences of Cothron’s per-scan damages holding. 

On April 11, 2024, the Illinois Senate passed Senate Bill (SB) 2979, which provides that a private entity that collects or discloses biometric information or identifiers from the same person, using the same manner of collection, in violation of BIPA commits a single violation.  SB2979 further limits the recovery of an aggrieved person to just one damages recovery from any given defendant.  Furthermore, the amendment preserves the discretionary nature of the damages award, maintaining a crucial argument for the business community that faces these cases.

If passed, SB2979 would strongly limit the penalties under BIPA.  The movement of SB2979 indicates that the Illinois Senate has paid attention to the business community’s concerns about severe—and sometimes company-threatening—penalties that would result from the Illinois Supreme Court’s commentary in Cothron.  Although the amendment itself does not include retroactivity language, given the timing of this legislation relative to the Cothron decision, a good argument can be made that this amendment is simply a clarification, in effect correcting the Illinois Supreme Court.  In that event, this legislation may be argued to carry retroactive effect.

SB2979 recently moved out of the House Judiciary Committee and was set for a second calendar reading, with hopes of passage before the end of the 2024 legislative session on May 24, 2024.

For more information please contact:

Laura Kogan at 216.363.4518 or https://www.beneschlaw.com.

Mark Eisen at 312.212.4956 or https://www.beneschlaw.com.

James von der Heydt at 216.363.4160 or https://www.beneschlaw.com.

Sarah Schneider at 216.363.4564 or https://www.beneschlaw.com.

[1] Cothron v. White Castle Sys., Inc., 2023 IL 128004, as modified on denial of reh’g (July 18, 2023). 

[2] At least one federal trial court followed this dicta from the Illinois Supreme Court.  See Rogers v. BNSF Ry. Co., 680 F. Supp. 3d 1027, 1040 (N.D. Ill. 2023). 

[3] Cothron, 2023 IL 128004 ¶ 42, at 929.