Illinois employers facing big penalties for improperly collecting biometric data on employees and consumers can relax some now that aggressively sought changes to the state’s biometric privacy law have been enacted, reducing companies’ liability risk.
Governor J.B. Pritzker signed a bill on August 2 amending the state’s Biometric Information Privacy Act so companies will only be liable for a single violation per person rather than for each time biometric data is collected without permission.
This is a “significant change,” Joel Bruckman, a partner at Smith, Gambrell & Russell in Chicago, told Legal Dive. Under the original language, “every unauthorized collection, every unauthorized transmission, was a separate violation.” [Now there are] “guard rails.”
The changes to the law address a 2023 court decision that said damages could be awarded for each unauthorized collection of biometric data — a ruling the Illinois business community said could end up bankrupting them.
Penalty risk
The Illinois biometric privacy statute, enacted in 2008, is considered a pioneering law for its effort to protect consumers and employees from company misuse of data taken from people’s faces, fingerprints, voiceprints, retina scans and other types of personally identifiable imaging.
The law came under fire after companies were hit with what critics said were disproportionately large fines. Meta, for example, had to pay $650 million in 2021 to settle a class action lawsuit alleging its Facebook app violated the law. In similar lawsuits around that time, Google agreed to pay $100 million, TikTok $92 million and Snapchat $35 million.
At the core of the fines was language calling for $1,000 for each negligent violation and $5,000 for each reckless or intentional violation. That language became even more crucial following a 2023 court ruling in Cothron v. White Castle Systems that interpreted the statute in a way that drastically increased potential penalties.
The case involved claims that White Castle Systems, a hamburger chain, scanned fingerprints of nearly 9,500 employees without their consent. The company argued a finding against it would cost more than $17 billion. In White Castle’s view, if an employee used a time clock that scanned their fingerprint four times a day for a year, the employer could face a damage award of about $1 million for each employee. Since many companies use biometric devices to clock their employees in and out of the workplace, the liability risk was outside of reasonable bounds.
The court rejected the argument, stating that its job is to interpret the law and suggesting that changes should be made by the legislature.
The company ended up settling the case for $9.4 million.
That case was the first time the state’s Supreme Court interpreted the law to permit an individual to claim a damages award for every time that a scanner collected their biometric data, David Morrison, a principal at Goldberg Kohn, said.
Concern v. reality
The legislative changes that critics sought, and won, should go a long way toward reducing company concerns but the liability risk was never as great as it was portrayed, Chicago-based employee-side attorney David Fish of the Fish Law Firm says.
“I don't think anybody was ever really seriously contemplating that a judge would award the kind of damages that some defense lawyers have suggested were happening on a class-wide basis,” Fish told Legal Dive. Settlements have always “been done on a per-person basis, and never have taken into consideration the number of collections.… There's never been a class action that settled on a per-scan basis.”
In the key change to BIPA enacted into law, new language makes clear that a private entity that more than once collects or discloses a person's biometric identifier or biometric information without consent isn’t liable for each incident. Rather, it’s liable for each person, so it’s considered a single violation and the aggrieved person is entitled to, at most, one recovery. That change is effective immediately.
In another change, BIPA’s definition of “written release” is amended to include electronic signatures. This is considered another consequential change because it reduces the chance a company will fail to get the consent it needs to collect the data lawfully.
“That’s important,” Bruckman said. Previously, consent by statute had to be written even though many employers use electronic onboarding systems and electronic time clocks in which consent is often embedded in the enrollment process on the device.
More change needed
Despite the improvements, more could be done to protect companies, Morrison said.
Since non-compliance with the statute imposes strict liability, it would be helpful to have a safe harbor enacted for companies that have collected biometric information but failed to get the proper release, Morrison said.
The safe harbor would protect those who haven’t experienced a breach and for which there has been no harm to consumers and employees.
Such a measure would be supportive of the business community and protect small businesses, he said. The measure would also protect businesses where the timing and capture of the permission is off by a day or so, he said.
Any changes the state makes will be watched by other states that have a similar law. Illinois was the first, having enacted its law in 2008, but Texas and Washington have since enacted laws, too.
In Texas, under its law, earlier this summer, Meta paid $1.4 billion to settle claims of unauthorized use of biometric data using facial recognition technology. In the state’s lawsuit against the company, it alleged Meta owed $25,000 for each instance in which it obtained the biometric data of each Texas resident without their consent, $25,000 for each unlawful disclosure, $25,000 for each failure to destroy a person’s data it had collected, and $10,000 for injunction relief for each person.