On Friday, the Illinois Supreme Court held in Cothron v. White Castle Systems, Inc. that a separate claim for damages accrues under Sections 15(b) and 15(d) of the Illinois Biometric Information Privacy Act (“BIPA”) every time a private entity collects or discloses an individual’s biometric identifier or information. The majority rejected White Castle’s argument that claims should accrue only at the first unlawful scan or first transmission—which would essentially have limited a plaintiff to a single award of damages no matter how many times their biometric data was collected without proper consent. The Court’s decision to apply a “per violation” statutory damages interpretation will significantly impact every business that improperly collects, retains, or discloses biometric information (fingerprints, handprints, voiceprints, retina or iris scans, and facial geometry characteristics) for any purposes in Illinois. Because the Court’s decision exposes companies to catastrophic damage awards for BIPA violations, all companies that utilize biometric information for any purpose should immediately review their BIPA compliance and ensure consent forms are obtained.
Plaintiff alleged that after she started working at White Castle in 2004, the company required her to use a fingerprint-based system to access the workplace computer that she used in her position as a manager. In 2018, Plaintiff sued White Castle alleging that the company violated Sections 15(b) and 15(d) of BIPA in connection with a fingerprint-based system by (i) collecting her biometric data without providing her with the requisite notice and obtaining her written consent, and (ii) disclosing her biometric data without consent.
Friday’s ruling came on a certified question from the United States Court of Appeals for the Seventh Circuit, which asked the Court to decide whether each scan or transmission of a person’s biometric identifier—like an employee’s fingerprint—constitutes a separate BIPA violation or whether only the first scan and transmission count. White Castle argued that claims under these sections of the Act can accrue only once – when the biometric data is initially collected or disclosed. The plaintiff argued that claims accrue every time a private entity collects or disseminates biometrics without prior informed consent.
The Illinois Supreme Court rejected White Castle’s “nontextual arguments in support of its single-accrual interpretation,” including an argument that imposing liability on Illinois businesses for hundreds or thousands of statutory violations – in which no harm occurred – “could potentially result in punitive and astronomical damages awards” to the tune of billions of dollars. Despite these potential implications, the Illinois Supreme Court affirmed its reasoning from Rosenbach v. Six Flags and McDonald v. Symphony Bronzeville, in which it “repeatedly recognized the potential for significant damages awards” because “the legislature intended to subject private entities who fail to follow [BIPA’s] requirements to substantial potential liability.” According to the majority opinion, White Castle estimates that if the plaintiff is successful and allowed to file her claims on behalf of as many as 9,500 current and former White Castle employees, class-wide damages could total more than $17 billion.
However, all hope may not be lost for Illinois businesses that have yet to resolve their potential liabilities for using biometric technology without complying with the statute. In discussing Cothron’s multi-billion-dollar liability windfall, the Court stated that it “appears that the General Assembly chose to make damages discretionary rather than mandatory under [BIPA]” and noted that, pursuant to the statute’s plain language, a “prevailing party may recover” under the Act. It also noted that the First District Appellate Court’s decision in Watson v. Legacy Healthcare – binding on Cook County trial courts – came to the same conclusion. On this finding, the Court “generally agreed” that “a trial court presiding over a class action—a creation of equity—would certainly possess the discretion to fashion a damage award that (1) fairly compensated claim class members and (2) included an amount designed to deter future violations, without destroying defendant’s business.” The Cothron majority’s decision concluded with a call to the General Assembly to “respectfully suggest” that lawmakers “review these policy concerns and make clear its intent regarding the assessment of damages under the Act.” For now, the imposition of liquidated damages appears to be within the discretion of state and federal courts in Illinois.
What To Expect In The Aftermath of Cothron
The Illinois Supreme Court’s ruling in Cothron follows the similar pro-plaintiff ruling in Tims v. Black Horse Carriers, 2023 IL 127801 (Ill. Feb. 2, 2023), which applied a five-year, rather than one-year, statute of limitations to BIPA claims. With these two pivotal decisions on the books, the Illinois Supreme Court has finally brought clarity to seminal, threshold issues affecting hundreds of BIPA class actions that have been stayed at the federal and state courts in Illinois while the Illinois Supreme Court reviewed the issues. These stays are set to be lifted imminently by the trial courts, with the Tims decision ensuring the expansion of the size of putative classes and the Cothron decision exponentially increasing potential liabilities for Illinois businesses facing BIPA suits.
Implications and Best Practices for Employers
In light of the Illinois Supreme Court’s rulings in both Cothron and Tims, businesses facing potential BIPA class actions start from a disadvantaged position in terms of potential defenses. While employers can still explore novel exemptions and alternative possible defenses, most companies caught in the crosshairs of BIPA class actions will be facing monumental potential damage amounts in light of the Supreme Court's decision.
Any entity doing business in Illinois that collects or otherwise obtains biometrics (particularly of Illinois residents) should consider reviewing their policies, including all notice and consent processes, for the past five years. For example, companies should be aware of all biometric technology in the workplace and ensure there is a biometric policy in place addressing the use of the technology and what information is captured to provide disclosures to employees. Moreover, companies should check vendor contracts for indemnification obligations and be mindful of these provisions when implementing new technology.
Employers that want to re-examine their existing BIPA policies and procedures to ensure compliance or who are confronted with active and/or potential BIPA class actions can contact Kevin S. Borozan or any member of Masuda Funai’s Employment, Labor and Benefits Group.
©2023 Masuda, Funai, Eifert & Mitchell, Ltd. All rights reserved. This publication should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended solely for informational purposes and you should not act or rely upon information contained herein without consulting a lawyer for advice. This publication may constitute Advertising Material.