ANALYSIS: Biometric Damages Proposal Would Weaken Illinois Law

A new bill expected to be passed by the Illinois legislature would likely defang the contentious Illinois Biometric Information Privacy Act (BIPA) by drastically changing the risk associated with litigating an alleged violation for both parties.

The proposed amendments (S.B. 2979) would lower the potential damages per privacy violation and possibly dissuade individuals from bringing suits altogether.

The law’s intent is to protect the public from misuse of their sensitive personal information. It imposes harsh fines on entities who fail to safeguard the biometrics they collect. By including a private right of action, BIPA gives the public the right to hold an entity that was careless with their biometric information directly responsible.

The bill would, among other things, limit damages to one recovery per plaintiff of $1,000 or $5,000 for a finding of negligence—no matter how many violations occurred. Previously, plaintiffs could recover this amount for each violation.

If passed, employee plaintiffs may consider these damages too small to outweigh the cost, time, and potential workplace fallout of litigation. And employers might simply find it cheaper to break the law than to change their operations or technologies.

The Cothron Effect

BIPA as originally drafted in 2008 includes several holes that courts have had to fill in. For example, the law lacked a statute of limitations and an accrual rate for claims, leading to calls to amend the law.

Last year’s Illinois Supreme Court ruling in Cothron v. White Castle System Inc. provided two essential interpretations of the law: (1) claims accrue for every collection of an individual’s biometrics in violation of BIPA; and (2) judges may use discretion when setting monetary damages for violations.

This holding set a $0-$17 billion range for potential damages in Cothron—a range the court itself seemed uncomfortable with. In its opinion, the court “respectfully suggested” that the legislature clarify its intentions regarding how damages should be assessed under the act.

State Bill 2979 appears to be the legislature’s response. The bill would amend BIPA for the first time, capping damages and making compliance with the law more seamless for companies by allowing a written release to include an electronic signature, which could be as simple as clicking a check box on an online form. The bill was passed on a 46-13 vote by the state senate on April 11, and was then sent to the house for a vote.

If passed, the changes to the law would go into effect immediately but wouldn’t apply retroactively to pending suits.

A Bite-less BIPA?

The majority of BIPA plaintiffs in federal court are employees, largely from blue collar and service industry jobs. By severely reducing what these plaintiffs could receive from potential millions—as seen in Cothron —to as little as $1,000 in damages, the amendments would discourage most, if not all, aggrieved employees from filing suit.

Currently, nearly all BIPA cases are dismissed or settled out of court. Even Rogers v. BNSF Railway Co., which was the first BIPA case to see a jury trial through to a judgment, eventually settled following several appeals. After Cothron, BNSF successfully petitioned the court to have the judge-awarded amount of $228 million set aside so that a jury could determine damages, taking into account the state high court’s new interpretation of the law. But before that could happen, the parties agreed on a $75 million out-of-court settlement in September 2023.

Under the Rogers settlement agreement, each class member will receive an estimated $1,000. Under the proposed amendments to BIPA, this would be the same amount that BNSF would be required to pay per plaintiff if a court were to find them guilty of violating the amended law. But it wouldn’t have taken nearly four and a half years to reach, saving both parties and the court the rigors of a lengthy trial.

But how likely is it that the BNSF truck drivers would have bothered to sue to enforce their rights if damages were limited to the amount allowed under the proposed amendment?

For most, it would likely be financially unfeasible to sustain a lengthy court case for such a small payout—especially considering that they’d likely lose their jobs and have to pay court costs if they lost the case.

Cheaper to Break the Law Than to Comply

The cost of not complying with BIPA would become much more calculable for defendants if the amendments pass. This would likely lead some companies to determine that the potential cost of non-compliance is less of a headache than implementing the compliance measures required by the law.

Defendants in BIPA cases may be more willing to take their cases to trial than to settle because their damages are much more calculable and potentially much lower than what they would have settled for in the past. Further, defendants will likely benefit from the public’s generally limited understanding of biometric and AI technologies and individual privacy rights. These factors together drastically decrease the potential risks in a jury trial.

Privacy litigation requires the judge and the jury to possess some level of technological literacy to understand both the technology at issue and the risks posed to an individual’s safety if a security breach were to expose the biometrics collected—a knowledge gap that plaintiffs have to bridge in order to make a compelling case.

Since Illinois and California are currently the only states with personal privacy laws containing private rights of action, and only one of those cases alleging a violation of those laws has made it to a jury, plaintiffs don’t have a clear idea of how high that burden will be—but we can guess it will be fairly high.

More than a third of US adults have “little to no understanding about what companies do with the data they collect about them,” according to a 2023 Pew Research study. And only 23% of US adults were aware that there isn’t a national privacy law addressing how companies can use the data they collect, another Pew Research study found.

Defendants can use these deficits to their advantage, crafting sympathetic stories to downplay the severity of their alleged violations—if plaintiffs bother making allegations at all if the bill gets passed.

And if companies stop getting sued, they’re likely to become less diligent about their BIPA compliance efforts—that is, how they protect highly valuable sensitive, personal information belonging to consumers and employees.

Bloomberg Law subscribers can find related content on our Privacy & Data Security practice page and our In Focus: Biometrics page.

If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content, or click here to view the web version of this article.