Illinois Courts Consider Retroactivity of Amendment to Biometric Information Privacy Act

Introduction

The Biometric Information Privacy Act (BIPA) in Illinois remains one of the strictest data privacy laws in the United States, regulating the collection, storage, and use of biometric data such as fingerprints, facial recognition scans, and iris patterns. Its impact has been felt across industries, particularly among employers and organisations utilising biometric technologies for workforce or customer management.

In recent months, a significant legal question has emerged: should amendments to BIPA be applied retroactively? A pivotal ruling in Gregg v. Ameriprise Financial Services, Inc., combined with an ongoing split between Illinois courts and the Northern District of Illinois, has added complexity to the interpretation of BIPA’s scope. This article explores these developments and their implications for organisations handling biometric data.

The  The Biometric Information Privacy Act Amendment

In May 2023, Illinois enacted an amendment to BIPA that introduced two critical changes:

1. Expanded Definition of “Prejudice”: The amendment clarified that plaintiffs alleging BIPA violations are not required to demonstrate actual harm or prejudice to establish liability.
2. Statutory Damages: It confirmed that individuals can recover statutory damages for violations, ranging between $1,000 to $5,000 per breach, regardless of whether harm is proven.

The amendment aims to strengthen protections for individuals while holding organisations accountable for mishandling sensitive biometric data. However, it also raised concerns among businesses, particularly regarding retroactive liability for pre-enactment violations.

The Gregg Case Ruling

In Gregg v. Ameriprise Financial Services, Inc., the Illinois appellate court tackled the issue of whether the 2023 amendment should apply to claims filed for violations that occurred before the amendment’s enactment.

The court ruled that the amendment does not apply retroactively. It reasoned that retroactive application would unfairly disadvantage organisations that could not have anticipated these specific legislative changes. The court emphasised principles of fairness and due process, determining that liability should be based on the legal framework in place at the time of the alleged violation.

This ruling provided some relief for organisations facing The Biometric Information Privacy Act -related lawsuits for historical practices. However, it is not the final word on the matter, as other courts continue to interpret the amendment differently.

The Court Split with the Northern District

While Illinois courts have taken a more conservative stance on retroactivity, the Northern District of Illinois has diverged, suggesting that the amendment could, in certain contexts, be applied retroactively.

This jurisdictional split has created uncertainty for businesses operating in Illinois, especially those with cases pending in both state and federal courts. Employers and data controllers must carefully assess the legal landscape and prepare for outcomes that could vary significantly depending on the court in which their case is adjudicated.

What Employers and Data Controllers Can Now Expect

The ambiguity surrounding the retroactive application of the The Biometric Information Privacy Act  amendment poses several challenges for organisations:

1. Increased Litigation Risk: With courts divided, plaintiffs may continue to file lawsuits arguing for retroactivity, leading to prolonged and costly litigation.
2. Heightened Compliance Standards: Regardless of retroactivity, organisations must ensure that their biometric data practices align with BIPA’s stringent requirements. This includes obtaining informed consent, providing clear disclosures, and establishing secure data retention policies.
3. Reputational Damage: Beyond financial penalties, organisations found non-compliant with BIPA risk severe reputational harm, particularly as cases of non-compliance are publicly reported.

To mitigate these risks, businesses should conduct regular audits of their biometric data practices and adopt proactive compliance measures.

Conclusion

The retroactivity of the 2023 BIPA amendment remains a contentious issue, with significant implications for organisations collecting and processing biometric data in Illinois. While the Gregg ruling provides some clarity, the ongoing split between Illinois courts and the Northern District underscores the importance of vigilance in compliance efforts.

Formiti Data International Ltd is a global leader in data privacy compliance, offering expertise in navigating complex regulatory environments like BIPA. Our services include compliance assessments, outsourced Data Protection Officer (DPO) support, and tailored advice on mitigating litigation risks. With a track record of success across six regions and 120 countries, we are uniquely positioned to help your organisation achieve and maintain compliance with biometric data laws.

Take the first step towards robust compliance today by contacting Formiti for a free consultation. Let us safeguard your business against fines, penalties, and reputational risks while ensuring seamless adherence to global privacy standards.