In a recent 4-3 decision, the Illinois Supreme Court held that claims under sections 15(b) and 15(d) of Illinois’ Biometric Information Privacy Act (BIPA) accrue each time a private entity collects a biometric identifier (such as a fingerprint, voiceprint, or retinal scan) from a person and each time a private entity transmits such a biometric identifier to a third party. In Cothron v. White Castle System, Inc., 2023 IL 128004, the Court answered a certified question from the Seventh Circuit Court of Appeals, concluding that “the plain language of section 15(b) and 15(d) shows that a claim accrues under [BIPA] with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” In practical terms, the decision significantly impacts employers and others who routinely collect biometric identifiers, as now each collection or disclosure of a biometric identifier without informed consent—as opposed to just the first such collection or disclosure—could result in statutory fines of $1,000 to $5,000, as well as having to pay the opposing side’s attorney fees and costs.
Background – A BIPA Primer
The General Assembly unanimously adopted BIPA in 2008 in response to growing concern among the public about the collection and use of biometrics. 740 Ill. Comp. Stat. 14/5(d)-(e). Biometrics are “biologically unique” personal identifiers. Id. at § 14/5(c). They include “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Id. at § 14/10. To address the public’s concern, the Act regulates how private entities may collect and handle biometric data and provides a private cause of action for any person “aggrieved by” a violation of the statute. Id. at § 14/20. A successful plaintiff can recover the greater of actual damages or statutory damages of $1,000 for each negligent violation and $5,000 for each reckless or willful violation. Id.
The Cothron Opinion
The Cothron case came to the Illinois Supreme Court on a certified question from the Seventh Circuit: “Do section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?” Plaintiff, a longtime White Castle employee, alleged that not long after her employment began, White Castle introduced a system that “required employees to scan their fingerprints to access their pay stubs and computers.” Cothron, 2023 IL 128004, ¶ 4. A third-party vendor then verified each scan and authorized the employee’s access. Plaintiff alleged that White Castle violated BIPA by implementing the fingerprint scanning system without obtaining her consent.
White Castle moved for judgment on the pleadings, arguing that plaintiff’s action was time-barred because her claim accrued in 2008, which is when White Castle first scanned her fingerprint after BIPA went into effect. Plaintiff argued that a new claim accrued each time she scanned her fingerprints and White Castle sent the data to its third-party authenticator, thereby rendering her action timely with respect to any unlawful scans and transmissions that occurred within the applicable limitations period. The District Court for the Northern District of Illinois agreed with plaintiff and denied White Castle’s motion. The District Court then certified its order for immediate interlocutory appeal to the Seventh Circuit. The Seventh Circuit found the parties’ competing interpretations of BIPA claim accrual reasonable, and so certified this important question of state law to the Illinois Supreme Court.
In the Supreme Court, White Castle again argued that under the plain language of sections 15(b) and 15(d), claims can accrue only once—when the biometric data is initially collected or disclosed. White Castle also argued that because BIPA seeks to protect “a right to secrecy in and control over biometric data” and because one can only lose that secrecy and control once, only the initial collection or disclosure of biometric data is actionable. Id. at ¶¶ 33-34. The Supreme Court majority rejected these arguments, concluding that the “injury” for a section 15 claim is not based on an initial loss of secrecy of or control over biometric data; the “injury” is the statutory violation itself. Id. at ¶ 38. Accordingly, each statutory violation supports a separate claim. While observing the potential for large damages awards, the Court determined that was an issue best left to the legislature.
The dissenting opinion strongly disagreed. Among other things, the dissenters believed that the statute is best interpreted to say that the injury occurs upon the first scan and that later scans do not add to it. The dissent also discussed the potentially absurd results of annihilative liability under the majority’s view, remarking that such consequences could not be squared with legislative intent. Id. at ¶¶ 61-63.
Now that the Illinois Supreme Court has answered the certified question, the case goes back to the Seventh Circuit for further proceedings.
Other Recent BIPA Cases
Tims v. Black Horse Carriers, Inc., 2023 IL 127801. In Tims, an employee of Black Horse, a privately held logistics company, filed a class-action complaint alleging that Black Horse violated BIPA by requiring its employees to use a fingerprint authentication time clock without instituting and adhering to a biometric information retention and destruction policy, failing to provide notice and obtain consent when collecting biometric identifiers, and disclosing biometric information to third parties without consent. The Illinois Supreme Court accepted the case to decide whether a one-year or five-year statute of limitations applies to BIPA claims. Reversing the appellate court in part, the Supreme Court held that Illinois’ five-year “catchall” statute of limitations applies to all BIPA claims.
Watson v. Legacy Healthcare Financial Services, LLC, 2021 IL App (1st) 210279. In Watson, a certified nursing assistant sued his employers, Legacy Healthcare (Legacy) and Lincoln Park Skilled Nursing Facility (Lincoln Park), alleging BIPA violations. Legacy and Lincoln Park moved to dismiss, arguing that plaintiff’s claim was time-barred because it accrued the first time they collected his biometric information, seven years before plaintiff sued. The trial court found that a five-year statute of limitations applied and dismissed Legacy and Lincoln Park, agreeing that BIPA claims accrue the first time a person’s biometric information is obtained by a particular entity. Id. at 1. On appeal, both sides agreed that a five-year statute of limitations applied, but plaintiff argued that a new claim accrued each time defendants captured his biometric information in violation of BIPA. The appellate court reversed, concluding that under the Act’s plain language, a new claim accrues with each violative capture and use of biometric information.
Key Takeaways
- In a 4-3 decision, the Illinois Supreme Court ruled that a claim under Illinois’ Biometric Information Privacy Act (BIPA) may accrue each time a private entity collects or discloses biometric identifiers (such as fingerprints and retina scans) without informed consent, as opposed to accruing only with the first collection or disclosure.
- Because a claim may accrue with each collection or disclosure of biometric identifiers, motions to dismiss on statute of limitations grounds may be more limited.
- As the majority and dissenting opinions reflect, damages of $1,000 or $5,000 may now be assessed for each BIPA violation, not just the first instance of collecting or disclosing a biometric identifier without informed consent. For example, if an employer requires an employee to scan his or her fingerprint every time they need to access the employer’s computer systems and the employee has not given informed consent, each such scan could result in damages of either $1,000 or $5,000. In other words, damages awards may add up quickly and create severe consequences.
- Businesses that collect biometric identifiers or information from their employees or customers should seek legal advice regarding their compliance with all aspects of BIPA.