Illinois Supreme Court Doubles Down on Liability for BIPA Claims
On Friday, February 17, 2023, the Illinois Supreme Court issued another blockbuster ruling interpreting the Biometric Information Privacy Act (“BIPA”). In a 4 to 3 decision, the Court in Cothron v. White Castle Systems held that a violation of the statute accrues each time a covered entity scans or transmits an individual’s biometric identifier or information – potentially creating crippling liability for any private sector employer that uses fingerprint scanning or other biometric data for timekeeping or other purposes. Given this and other prior BIPA rulings, private sector employers who use or collect biometric data have very few defenses if they have not strictly complied with the notice and consent requirements of the statute.
In Cothron, the Illinois Supreme Court held that each time a private entity scans a person’s biometric identifier (in violation of Section 15(b) of BIPA) and each time a private entity transmits such a scan to a third party (in violation of Section 15(d) of BIPA), a separate claim accrues. The ramifications of Cothron are further magnified given that it comes on the heels of the February 2, 2023 decision in Tims v. Blackhorse, which found that claims under BIPA could reach back as far as 5 years, and against the backdrop of the Court’s 2019 decision in Rosenbach v. Six Flags Entertainment, which held that plaintiffs do not need to suffer an actual injury beyond a violation of rights provided for by BIPA in order to state a claim under the statute.
In its defense, White Castle argued that the loss of plaintiff’s right to control her biometrics, ostensibly the focus of BIPA, is a “single overt act” that occurs one time – when the fingerprint is first collected and disclosed. White Castle therefore argued that a claim should accrue only on the first date of collection and disclosure, not on an ongoing basis.
A majority of the Illinois Supreme Court rejected this interpretation and held that the plain language of sections 15(b) and 15(d) demonstrates that violations occur with every scan or transmission.
For a sense of just how economically disastrous this ruling could be for private employers who have not been fully compliant with the consent and notice requirements of BIPA, consider that White Castle, which employed up to 9,500 potential claimholders, could be liable for between $19 million and $95 million under the single accrual method. Under the Supreme Court’s ruling, whereby each fingerprint scan constitutes an independent actionable violation, class-wide damages may exceed $17 billion.
Recognizing the potentially calamitous economic consequences of its finding, the Court attempted to downplay the effects of its decision. The Court first pointed out that, under the Act, damages are discretionary rather than mandatory, and a trial Court presiding over a class action “would certainly possess the discretion to fashion a damage award that (1) fairly compensated claiming class members and (2) included an amount designed to deter future violations, without destroying defendant’s business.” The Court also pointed squarely at the Illinois General Assembly as the forum for addressing these concerns:
“[W]e continue to believe that policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature. … We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.”
The opinion was joined by four Justices. Three Justices issued a vigorous dissent, arguing that both the plain language of the statute itself as well as policy considerations underlying the statute lead to the inevitable conclusion that a violation occurs only the first time a fingerprint scan is collected, and “with subsequent scans, the private entity is not obtaining anything it does not already have.”
It goes without saying that these recent rulings will have a significant impact on the potential exposure to BIPA liability for employers who have used fingerprint scanning time clocks or other biometric devices without following the notice and consent requirements of BIPA. If a private entity collects biometric information (such as finger scans) from employees or customers for timekeeping or other purposes, it should immediately take steps to comply with BIPA’s notice and consent requirements.
If you have any questions regarding BIPA compliance, please reach out to a Franczek attorney.