Illinois lawmakers are considering a bill which has the potential to dramatically rein in the state’s strict Biometric Information Privacy Act (“BIPA”). On March 9, 2021, the Illinois House judiciary committee advanced House Bill 559 (the “Bill”) which would amend BIPA. The Bill has a couple of key amendments that may impact your business.
First, the Bill changes BIPA’s “written release” requirement to instead simply require “written consent”. Thus, under the Bill, businesses would no longer be required to obtain written release, but instead could rely on electronic consent.
Second, whereas BIPA currently requires that a business in possession of biometric identifiers draft and provide a written policy regarding its handling of biometric data to the general public, under the Bill, businesses would only be required to provide this written policy to affected data subjects.
Third, the Bill creates a one-year statute of limitations for BIPA claims. Moreover, the Bill provides that prior to initiating a claim, a data subject must provide a business with 30 days' written notice identifying the alleged violations. If the business cures these violations within the 30-day window, and provides the data subject an express written statement indicating the issues have been corrected and that no further violations shall occur, then no action for individual statutory damages or class-wide statutory damages can be taken against the business. If the business continues to violate BIPA in breach of the express written statement, then the data subject can initiate an action against the business to enforce the written statement and may pursue statutory damages. Therefore, not only does the Bill finally create a statute of limitations, but it also provides a mechanism by which businesses can respond to alleged violations of BIPA prior to engaging in costly litigation.
Fourth, the Bill modifies BIPA’s damages provisions. Currently, BIPA provides that a prevailing plaintiff is entitled to liquidated damages of $1,000 or actual damages, whichever is greater, when a business is found to have negligently violated BIPA. The Bill would limit a prevailing plaintiff’s recovery to only actual damages. Similarly, in its current form, BIPA provides that a prevailing plaintiff is entitled to liquidated damages of $5,000 or actual damages, whichever is greater, when a business is found to have willfully violated BIPA. The Bill would limit a prevailing plaintiff’s recovery to actual damages plus liquidated damages up to the amount of actual damages. Therefore, the Bill would limit a business’s exposure in BIPA claims to what a prevailing plaintiff can demonstrate as actual damages.
Finally, the Bill provides that BIPA would not apply to a business’ employees if those employees were covered by a collective bargaining agreement, something which has been at issue in recent BIPA litigation as discussed here.
BIPA litigation has increased dramatically and resulted in a number of recent high-profile settlements, including TikTok’s $92 million settlement and Facebook’s $650 million settlement. This Bill has the potential to greatly curtail this spiral of litigation and high settlement figures. Octillo will continue to monitor any developments regarding the Bill and will update its guidance accordingly. Our team of experienced attorneys, who are also devoted technologists, is especially equipped with the skills and experience necessary to not only develop a comprehensive and scalable biometric privacy compliance program but also handle any resulting litigation.
*Attorney Advertising. Prior results do not guarantee future outcomes.