On Feb. 17, 2023, in the case of Cothron v. White Castle System, 2023 IL 128004, the Illinois Supreme Court issued a seminal decision as it relates to biometric privacy and accrual of claims and damages. Specifically, the court ruled that under the Illinois Biometric Information Privacy Act (BIPA), a separate violation accrues each time a private entity scans or transmits an individual’s biometric identifier or related biometric information. 

This decision has major implications for Illinois businesses and significantly increases potential liability for companies using biometric technology. As a result of this decision, the battleground shifts to the Illinois legislature to potentially reform BIPA in a manner that regulates the use of biometric information technology, rather than effectively prohibiting it within the state.

Background

For the last several years, floods of BIPA lawsuits have hit companies in practically every industry, stemming from the alleged collection or transmission of biometric information without informed written consent. BIPA generally applies to retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and any information based on these categories that is used to identify an individual. Where such biometric data is collected, BIPA provides very few exceptions to its requirements. And, of biggest import for Illinois businesses, BIPA provides a court may award damages of $1,000 for each negligent violation of the statute and $5,000 for each intentional or reckless violation. 

BIPA is not a model of clarity. As a result, both plaintiffs and defendants have vigorously litigated the question of how and when damages accrue under BIPA, and whether a private entity violates BIPA only once when it initially scans biometric information without prior informed, written consent, or whether the private entity commits a violation each time a scan is performed to match an individual with data collected during the initial scan. This open question has significant implications for purposes of assessing whether a claim is timely and total damages. 

The White Castle Litigation

In Cothron, defendant White Castle utilized a fingerprint scanner for employees, including the plaintiff-manager of one of its restaurants, to access their pay stubs and computers. The plaintiff brought a class action under Sections 15(b) and (d) of BIPA, which require informed written consent prior to collecting or transferring biometric information to third parties. White Castle moved for judgment on the pleadings, arguing that plaintiff’s claim accrued in 2008, when White Castle first obtained her biometric data, and thus, was time barred under BIPA’s five-year statute of limitations. The district court denied White Castle’s motion, and then the Seventh Circuit sent the accrual question to the Illinois Supreme Court for a decision. 

The Illinois Supreme Court’s Ruling

In a controversial 4-3 decision authored by Justice Elizabeth Rochford, the Illinois Supreme Court held that a BIPA claim accrues each time a private entity scans a person’s biometric identifier, as opposed to only the first time such information is scanned without informed, written consent. The court reached its decision by determining that the plain language of BIPA supports the proposition that every scan constitutes its own separate violation. 

The court further rejected White Castle’s policy-based arguments — what the court labeled as “nontextual” — in support of a single accrual theory. White Castle argued the multiple accrual theory would lead to a multi-billion-dollar damages award that could jeopardize the business. The court noted this policy argument was “best addressed by the legislature,” and concluded its opinion by challenging the Illinois General Assembly to fix the statute: “We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under [BIPA].” 

Perhaps the silver lining for Illinois businesses was the court’s recognition that a trial court has the discretion under BIPA to fashion a damages award that is “designed to deter future violations, without destroying defendant’s business.”

Takeaways

Cothron significantly increases potential exposure for entities sued under BIPA. This decision and its effects likely cross a red line for Illinois businesses, many of whom would be crippled by a damages award of the magnitude discussed in the opinion. It also provides a significant disincentive for most businesses to even use biometric technology in Illinois – a consequence the drafters of BIPA certainly never intended. The Illinois Supreme Court’s interpretation of BIPA could also raise constitutionality questions, given the potentially absurd damages awards that may follow from the Cothron decision. 

As a result, businesses and organizations may take their cue from Cothron to lobby the Illinois General Assembly to modify BIPA in a reasonable manner that protects the consumer and, at the same time, creates a reasonable structure for assessing damages. Taft will continue to monitor these efforts.