Skip to Content
Subscribe Cybersecurity and Data Privacy Blog

Illinois Legislature Passes Bill Limiting BIPA Recovery, but Significant Risk Remains

On May 16, the Illinois legislature passed an amendment to the Biometric Information Privacy Act (“BIPA”) limiting recovery for violations of the law. Under the amendment, a business that collects a biometric identifier (e.g., a fingerprint) multiple times from the same person in violation of BIPA is liable only for a single violation. Under existing law, businesses that violate BIPA are liable for $1,000 in damages per violation and $5,000 in damages per “intentional or reckless” violation [1]. The legislation, SB2979 [2], now goes to Governor J.B. Pritzker for his signature.

The bill would overrule the Illinois Supreme Court’s decision in Cothron v. White Castle Sys. [3], which held that a BIPA violation accrued each time a business improperly collected a biometric identifier from an individual. Under Cothron, a business using a fingerprint time clock could be liable for hundreds of violations per individual per year. For example, a business that employs 1,000 hourly workers that each work an average of 245 days a year and use a fingerprint time clock to clock in and out of work could be liable for $490 million in BIPA damages for just a single year of violations (1,000 workers x 490 fingerprint collections x $1,000 damages per violation). If the jury were to find that the BIPA violations were “intentional or reckless”, damages could reach as high as $1.2 billion (at $5,000 in damages per violation). If SB2979 were to become law, that same business would be liable for a maximum of $1 million in damages (or $5 million if the violations were “intentional or reckless”).

Regardless of this potential change, BIPA remains a significant risk to businesses that do not comply with the law. Any entity doing business in Illinois should regularly review its compliance with the law.

[1] 740 ILCS 14.

[2] SB2979 (103rd Illinois General Assembly) (2024).

[3] 2023 IL 128004 (July 18, 2023).

Share This Blog Post

Related Services

Data, Privacy, and Cybersecurity

Related Attorneys

See All Attorneys