Illinois BIPA Reform 2024 – Back Where We Started or Moving Forward? 

April 19, 2024

Last week, the Illinois Senate advanced the first significant BIPA amendment (SB 2979), passing it in the Senate by a vote of 46-13. The bill has broad Democratic support, and groups that have traditionally opposed BIPA have elected not to oppose the amendments. Given bipartisan support and Illinois’ growing reputation as an unfriendly environment for technology companies, the bill seems poised to become law.

Key takeaways

  • The bill is largely unchanged from last year’s failed BIPA legislative reform.
  • SB 2979 says that there is a single violation of BIPA’s biometric data collection provisions, and a single violation of BIPA’s biometric data disclosure provisions, when an entity repeatedly collects or discloses the same biodata, using the same methods, from an individual.
  • The bill further provides that there is “at most” one recovery for collection and disclosure violations.
  • Electronic signatures on BIPA consent forms are expressly allowed.
  • As with last year’s bill, SB 2927 currently is not written to be retroactive. However, the bill’s sponsor has noted that the Illinois Legislature is clarifying BIPA’s original intent, which was to provide for single-use damages, and that judges should consider this fact when determining damages in pending cases.

Where that leaves BIPA defendants is a matter of debate

  • There may be case settlement opportunities given that it is less likely courts will award “per use” damages should the bill become law.
  • Cothron v. White Castle established that any BIPA damages award is at the judge’s discretion. Judges may be reluctant to use their discretion and award “per use” or “per scan” damages, when the legislature has just indicated that there is only one recoverable set of damages when the same biodata is being collected and disclosed repeatedly. 
  • By qualifying damages as “up to” the statutory amounts, the legislature is making court discretion clear. This should make plaintiffs more accountable for their actions, such as repeatedly using the technology without complaint and even post-lawsuit. And post-suit compliance could also be key in reducing damages to nominal amounts.

BIPA Class Action Certified – Amazon Pushes Back

Svoboda v., Case No. 21 C 5336 (NDIL), involves BIPA “face geometry” claims brought on behalf of a class of around 164,000 consumers who used a mobile phone app to access Amazon’s “virtual try-on” (VTO) features for glasses and makeup. Svoboda and the class contend that Amazon’s VTO collected their facial geometry without a BIPA-compliant consent or a retention/destruction policy. The court granted the plaintiffs’ motion for class certification finding that they met the requirements under Rule 23:

  • Numerosity – The court held there was a sufficient number of class members because the class has at least 163,738 potential members.
  • Adequacy – The court held Svoboda and her counsel will adequately protect class interests despite (i) the different VTO technology used on apps by plaintiffs and consumers to try on eyewear and eye makeup; and (ii) the fact that claims of class members who used Amazon’s VTO for eyewear could be barred by application of BIPA’s well-established health care exclusion, and the named plaintiffs did not use the glasses try-on function. Ignoring multiple individualized inquiries and defenses, the court found that the plaintiffs suffered the same basic injury as the class members – they all used VTO that allegedly collected their facial geometry without complying with BIPA.
  • Typicality – The court found Svoboda’s claims/defenses are typical to class members’ claims/defenses because all class members’ claims arose from the use of VTO.
  • Commonality – The court found common questions of law/fact since all class members’ claims arise from Amazon’s alleged use of facial geometry scans and face templates without informed consent or a retention/destruction policy.
  • Predominance – The court found common questions predominate over individual questions of law and fact based on the above findings. The court cited the prior class certification opinion in Rogers v. BNSF for the proposition that class members BIPA claims are “essentially identical and will be premised on common proof” about how the VTO software works, and whether Amazon violated BIPA’s informed consent and policy requirements.
  • Superiority – The court found that a class action was the superior method of addressing the lawsuit claims in a particularly concerning analysis:
    • Manageability: The court rejected Amazon’s argument that the class was unmanageable because it would be difficult to determine whether class members were actually located in Illinois when they were using the technology. Here, the court chose to accept the lead plaintiffs’ assertions that they used the technology in Illinois, despite potential evidence that they were not in Illinois. To support its position, the court favorably cited Mullins v. Direct Digital to state that: “Given the significant harm caused by immunizing corporate misconduct, we believe a district judge has discretion to allow class members to identify themselves with their own testimony and to establish mechanisms to test those affidavits as needed.”
    • Constitutional Concerns Don’t Prevent Certification – Citing Cothron v. White Castle, Amazon argued that because damages are discretionary, the court will have to consider affirmative defenses. The court held that nothing about the potential for an excessive damages award would prevent class certification, and any constitutional analysis would be “best applied after a class has been certified.”
  • Potential Individual Damages Awards Does Not Prevent Certification – The court rejected Amazon’s argument that the mean recovery for class members could exceed $60,000 if “per use” damages were awarded, creating due process issues thereby making small-recovery class action procedures unnecessary.

Amazon has filed a motion to reconsider the class certification order in Svoboda. The motion seeks reconsideration on several grounds: (1) whether the class members can prove they were in Illinois when using the try-on app; (2) excluding those who tried on glasses; (3) asserting that consumers for whom Amazon has no identifying information should be excluded from the class because any biometric data arguably collected is not capable of being used to identify them. Amazon also cites to Cozen O’Connor’s win in the Gagen v. Mandell Menkes case for the proposition that any purported BIPA violations prior to January 25, 2019, should be excluded under then-prevailing law, which required an actual injury. This is our “Rosenbach I” and “Rosenbach II” argument that pre-2019 law would not have permitted accrual of these purely technical BIPA claims, and that BIPA defendants reasonably relied on prior appellate courts’ BIPA interpretations requiring actual harm to bring claims.




Share on LinkedIn


Melissa Siebert

Chair, Emerging Data Privacy Trends

(312) 474-4491

Erin Bolan Hines

Vice Chair, Emerging Data Privacy Trends

(312) 474-4490

Related Practices