It is a busy time for employment-related legal updates in Illinois, with Governor J.B. Pritzker recently approving various laws that expand employee protections and add new obligations for employers.
This Client Alert is part of a seven-part series discussing laws Illinois employers need to consider as we move toward 2025. Those laws include:
- amendments to the Illinois Day and Temporary Labor Services Act, which modify and build on 2023 amendments regarding equal pay and benefits for temporary workers (effective 8/9/24) (Client Alert here);
- amendments to the Illinois Human Rights Act expanding the statute of limitations to 2 years and adding new protected classes (effective 1/1/25) (Client Alert here);
- amendments to the Illinois Human Rights Act, which prohibit the discriminatory use of artificial intelligence and require employer notice of AI use in the workplace (effective 1/1/26) (Client Alert here);
- amendments to the Illinois Equal Pay Act governing pay transparency in job postings (effective 1/1/25) (Client Alert here);
- amendments to the Illinois Wage Payment and Collection Act, which expand pay stub requirements (effective 1/1/25);
- expanded scope of documents and protections under the Illinois Personnel Records Review Act (effective 1/1/25);
- a new Illinois Worker Freedom of Speech Act, which protects employees who decline to participate in certain employer-sponsored meetings on religious or political matters (effective 1/1/25) (Client Alert here);
- amendments to the Illinois Biometric Information Privacy Act, which limit damages for BIPA violations, among other things (effective 8/2/24) (the following alert); and
- amendments to the Illinois Right to Privacy in the Workplace Act, which regulate employer use of E-Verify and similar systems (effective 1/1/25).
Stay tuned as other alerts are released in the coming weeks regarding the above updates.
Illinois Biometric Information Privacy Act
On August 2, 2024, Illinois Governor J.B. Pritzker signed Public Act 103-0769 into law, providing much needed amendments to the Illinois Biometric Information Privacy Act (“BIPA”), which limit damages for BIPA violations, among other things.
Background on BIPA
In 2008, BIPA was enacted with the goal of putting guardrails around the use of biometric identifiers and biometric information, such as retina scans and fingerprints. BIPA requires that entities using biometric identifiers or information establish a clear written policy establishing the procedures for collecting, obtaining, retaining, and destroying biometric data, and distribute that policy to the public. BIPA established guidelines for providing notice to the entity’s users about the collection of biometric data. BIPA also prohibits the distribution of a user’s biometric identifier or information without the user’s consent.
After several years without significant enforcement, BIPA became a hot-button litigation subject for class action plaintiffs’ attorneys, often involving employers using systems and software requiring biometric information of employees.
Any entity that obtains, stores, or distributes biometric identifiers or information without the user’s informed consent has violated BIPA. A user harmed by an intentional or reckless violation of BIPA is entitled to $5,000 in damages, while a user harmed by a negligent violation is entitled to $1,000 in damages, unless the user can show that their actual damages were more substantial. When BIPA was passed, it afforded damages for each “violation.”
In 2023, the Court of Appeals for the Seventh Circuit certified the following question to the Illinois Supreme Court: “Do [BIPA] section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?” The Illinois Supreme Court determined that a claim accrues each time a business scans or transmits an individual’s biometric identifier or information in violation of BIPA.
This holding meant that an employee would be entitled to recover the statutory damage amount for each time the employee’s biometric data was transmitted – i.e., every time their fingerprint was scanned. The Court acknowledged that its decision could result in excessive damage awards, and suggested that the Illinois legislature “review these policy concerns and make clear its intent regarding the assessment of damages under [BIPA].”
BIPA has spawned a landslide of class action lawsuits, with damages and settlements frequently costing employers millions of dollars.
BIPA Amendment
Following the Court’s suggestion, the Illinois legislature took quick action to revisit BIPA and passed SB2979 (“the Amendment”), which was signed into law and became effective August 2, 2024. Under the Amendment, any violation involving the collection, use, or distribution of biometric data via the same method will constitute one violation with respect to each user, and users harmed by violations of BIPA will only be able to recover a single time for each type of violation, instead of recovering for every instance in which their rights were violated. Accordingly, each user will be able to recover only $1,000 for negligent violations and $5,000 for intentional or reckless violations of the same type.
If an entity collects biometric identifiers or information in multiple ways, users will be able to recover damages once for each type of biometric data collection used. To illustrate, if an entity negligently fails to collect informed consent prior to using facial recognition technology, a user may collect only $1,000 in damages, regardless of how many times the user used the facial recognition technology. However, if an entity negligently fails to collect informed consent prior to using facial recognition technology and fingerprinting technology, a user may collect $2,000 in damages.
The Amendment also clarifies that users may give informed consent via an electronic signature.
While the law takes effect immediately, we expect there will be ongoing court battles over whether the Amendments can apply retroactively to pending BIPA litigation. Although Illinois generally disfavors retroactivity of statutory amendments, because the Amendment applies to remedies it could be seen as a procedural rather than substantive amendment. Furthermore, because the Amendment was passed in direct response to the Illinois Supreme Court’s suggestion that the Legislature “make clear its intent” on BIPA damages, one could argue that the Amendment simply clarifies the initial intent of BIPA and, thus, should apply retroactively.
Takeaways
While employers can likely expect a reduction in potential damages exposure in BIPA lawsuits, businesses that currently collect or are considering collecting biometric information still should carefully review their procedures and policies to confirm that they align with BIPA. Depending on the number of users providing biometric information, violations still could lead to exorbitant damages for technical BIPA violations. Businesses also should carefully review all contracts with vendors providing biometric devices and/or storing biometric data to confirm compliance and attempt to work in appropriate vendor warranties and indemnification to protect your business.
Please reach out to our Michael Best team to help provide guidance on BIPA compliance.