February 2023 was a momentous month for Illinois’ Biometric Information Privacy Act (BIPA). Just two weeks after imposing a 5-year time limit for all BIPA claims, the Illinois Supreme Court resolved another pressing issue. In Cothron v. White Castle System, Inc., the Illinois Supreme Court considered whether a BIPA claim accrues every time a company scans or transmits a person’s biometric identifier (e.g., fingerprint) without consent. In a closely divided 4-3 ruling, the Court answered “yes.”
Cothron greatly increases companies’ liability exposure for violations of BIPA’s sections 15(b) and 15(d). Now, every unauthorized biometric scan entitles a plaintiff to damages ranging from $1,000 to $5,000. If the Court had ruled BIPA claims only accrue upon the first scan, plaintiffs’ maximum recoveries would be much lower.
The Court clarified that trial courts are not required to award the maximum damages award in a BIPA case. Rather, trial courts have discretion to determine the appropriate amount. But unfortunately, the Court provided no further guidance or standards for trial courts.
Cothron’spotentially ruinous effect on companies did not seem to trouble the majority. While recognizing companies could face bankruptcy for “per-scan” damages judgments, the Court laid blame at the Illinois legislature and gently encouraged lawmakers to clarify the issue. It remains to be seen whether the Illinois legislature will act.
Putting It Into Practice: After Cothron, BIPA poses an existential threat to companies who collect or transmit Illinois residents’ biometric data without consent. Especially in class actions, a company’s maximum potential exposure will skyrocket because every unauthorized scan of a fingerprint or faceprint entitles a person to at least $1,000. Companies should make sure their biometric procedures fully comply will BIPA to avoid potentially catastrophic damages judgments in class actions.