Skip to main content
main content, press tab to continue
Article | FINEX Observer

Illinois amends BIPA: A new limit on damages for biometric privacy violations

By Jason D. Krauss and Talene M. Carter | October 1, 2024

Illinois revises BIPA, introducing caps on damages for biometric privacy breaches, impacting legal and business landscapes.
|Financial, Executive and Professional Risks (FINEX)
N/A

Last month, Illinois Governor J.B. Pritzker signed SB 2979 into law, which provides that an entity who violates the Illinois Biometric Information Privacy Act (BIPA) does so only at the first unlawful scan or first transmission. This significantly limits the potential damages available to an aggrieved individual.

BIPA, enacted in 2008, requires private entities that collect, capture or obtain an individual’s biometric information to first obtain written consent and provide notice of its purpose for collecting, storing and using the information. BIPA provides a private right of action to any individuals whose rights have been violated and provides for the “greater of $1,000 for each negligent violation, $5,000 for each intentional or reckless violation, or actual damages. A prevailing party may also recover reasonable attorneys’ fees and litigation costs.”

Prior to the amendments to BIPA, aggrieved plaintiffs were able to obtain astronomical awards for alleged violations of BIPA because courts were awarding damages on a per individual, per instance basis. For example, in Rogers v. BNSF Railway Company, plaintiff Richard Rogers filed a class action lawsuit seeking relief on behalf of a class of more than 45,000 truck drivers who used fingerprint-scanning technology on an automated gate system to enter and exit rail yards. A federal jury found in favor of the plaintiffs, finding that BNSF was liable for violating BIPA 45,600 times, an amount equal to the number of truck drivers in the class who had their fingers scanned during he relevant time period. The court calculated and awarded damages in the amount of $228 million. Both parties filed post-trial motions and ultimately settled for $75 million.

Simultaneously to the Rogers case, the Illinois Supreme Court in Cothron v. White Castle Sys., Inc. found that a separate claim for damages can arise each time a business fails to seek permission to gather biometric data from workers or consumers or fails to disclose retention plans for that information. The majority rejected the defendant’s argument that claims should accrue only at the first unlawful scan or first transmission.

Largely in response to the above decisions, SB2979 limits the potential damages available and in turn, protects organizations against financial demise. In addition to the limitation on damages, the amendment also clarifies that an “electronic signature” constitutes “written release” under the statute.

While this is welcome news to businesses, there is still the question as to whether this amendment will apply retroactively. It is expected that this issue will also be litigated. Nonetheless, businesses should continue to ensure compliance with BIPA and other similar statutes across the country.

Coverage implications

Cyber insurance

When it comes to potential coverage for BIPA claims under your cyber insurance policy, it is important to recognize that markets are far from uniform in addressing this exposure. While some markets have explicit BIPA exclusions on their policies, others have broad unlawful collection exclusions which would similarly preclude coverage for BIPA claims when there is no actual breach associated with the claim.

While rare, there are some markets who will offer sublimited defense coverage for BIPA claims or sublimited coverage for BIPA claims where the collection of biometrics is required by law.

Employment practices liability

At this time, most employment practices liability policies have a specific exclusion (by endorsement) for BIPA claims. Some markets may remove the exclusion based on a review of the insured’s exposure to potential BIPA claims. And finally, there are also some markets that will provide a sublimit for defense costs only.

Given the varying positions on coverage for these claims, it is important to consult with your insurance broker to review the available coverage options. In the event that you are on the receiving end of a BIPA claim, it is important to consult with your claims advocate to determine which policy, if any, may potentially provide some coverage for the claim.

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).

Authors

FINEX NA Cyber Thought & Product Coverage Leader

National Employment Practices Liability Product Leader, FINEX North America

Contact us