By: Mary T. Yong
Illinois was one of the first states to adopt Biometric Privacy legislation. The Illinois Biometric Information Privacy Act (740 ILCS 14) provides for the award of damages where a private entity violates an individual’s privacy rights under the Act. A private entity violates section 15(b) of the Act if it obtains an individual’s biometric data, as defined by the Act, without first informing the individual in writing, advising the individual of the purpose and length of time that data will be retained and obtaining a written release from an individual. Under section 15(d), a private entity has breached the Act if it discloses or disseminates an individual’s biometric data without consent.
Prior to the amendment, the amount of damages to be assessed against a private entity that has breached the Act was the greater of $1,000 or actual damages for each separate negligent violation, and $5,000 or actual damages for each such intentional or reckless violation. The Appellate Court confirmed the plain meaning of this damages provision in Cothron v. White Castle Sys., 216 N.E.3d 918, 922 (1st Dist. 2023). However, on 8/2/24, Governor J.B. Pritzker signed an amendment into law addressing the calculation of damages defined by the Act to lessen the potentially devastating effect this calculation of damages could have on private entities.
Under the Amendment, a prevailing individual who has made a successful claim under 15(b) or 15(d) is entitled to a single recovery only, even if they were subject to a series of recurring violations. While the Act intends to subject private entities to legal consequences that incentivize them to course correct where their policies violate the Act, the intent was not to also authorize damages awards that would result in the financial destruction of a business. See Cothron, at 929. Accordingly, this Amendment mitigates the potentially devastating effect of pre-amendment damages awards businesses while still holding them accountable.