Biometric Information Privacy Act Blows Burdens Business

by W. Anthony Andrews and Joseph S. Davidson

For the past several years, a flood of Biometric Information Privacy Act (“BIPA”) lawsuits has hit companies in nearly every industry. The law generally restricts the collection and use of retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and any information based on these categories used to identify an individual. Businesses that violate BIPA’s terms expose themselves to damage awards of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation.

While those penalties sound stiff enough on their own, the Illinois Supreme Court just made them much harsher. On February 17, 2023, the Illinois Supreme Court decided Cothron v. White Castle Systems, Inc., 2023 IL 128004. The Court ruled that, under BIPA, a separate $1,000 or $5,000 violation accrues each time an employer scans or transmits an individual’s biometric information.

The Cothron decision has major implications for Illinois businesses and increases potential liability by several orders of magnitude. Claims that once may have been limited to six figures have now skyrocketed well into the seven- to ten-figure range. And, because the Cothron decision came from Illinois’ highest court, there is no relief in sight unless the Illinois General Assembly steps in to legislatively reverse course.

The Litigation

Cothron involves claims brought by Latrina Cothron, a manager of a White Castle restaurant, on behalf of a putative class of White Castle employees who allegedly scanned their fingers to access their paystubs and computers.

Cothron alleged that White Castle unlawfully collected her alleged biometric information and disclosed it to its third-party vendor in violation of sections 15(b) and 15(d) of BIPA.

White Castle argued that Cothron’s claims were untimely because they accrued when the law went into effect in 2008, more than ten years before her complaint was filed, and White Castle first allegedly collected her biometric data thereafter. White Castle also asserted that claims under sections 15(b) and 15(d) accrue only once, when alleged biometric data is initially collected or disclosed.

Cothron contended that a new claim accrued each time she scanned her finger and White Castle allegedly sent her biometric data to its third-party vendor, rendering her action timely with respect to alleged scans and transmissions that occurred within the applicable limitations period.

The Ruling

The Illinois Supreme Court agreed with Cothron and rejected White Castle’s argument that a “collection” or “capture” of biometric data “can only happen once.” After reviewing the law, the court found that its text did not limit a claim “to the first time that a private entity scans or transmits a party’s biometric identifier or biometric information.”

The court further rejected as “nontextual” White Castle’s policy-based argument that the multiple accrual theory could easily lead to crippling liability for businesses. The court did, however, implore the Illinois General Assembly to address any policy-based concerns about potentially excessive damages awards and “make clear its intent regarding the assessment of damages under the Act.”

Perhaps the silver lining for businesses was the court’s recognition that “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.” The court further stated that “a trial court presiding over a class action . . . would certainly possess the discretion to fashion a damage award that (1) fairly compensated claiming class members and (2) included an amount designed to deter future violations without destroying defendant’s business.” In other words, the court found the statutory language makes clear that the Illinois legislature chose to make damages discretionary, rather than mandatory, under BIPA.

So, What Does This Mean?

Where an employer scans its employees’ fingers to clock in and out of work and for their meal breaks, there are potentially four separate BIPA violations each workday. If that employee works five days a week for fifty weeks a year, the employer could be liable for up to $1,000,000 in statutory BIPA penalties—in just one year and for just one employee. And this is on the low side. If there are “willful” violations, the $5,000 statutory penalty applies, bringing the damages up to $5,000,000 per employee per year. This could be catastrophic if a company has fifty full-time employees. In a five-year period, that company could face a whopping $375,000,000 in BIPA damages.

This is untenable, to be sure. And yet, there is only one narrow path toward resolution: through the General Assembly. Regrettably, however, the legislature has shown little appetite to amend BIPA’s penalty scheme.

In light of these developments, businesses and organizations that interact with biometric information in any capacity should immediately draft and implement a BIPA-compliant notice and consent policy. Now more than ever, such a policy is necessary because even one BIPA claim could be cataclysmic.