On February 17, 2023, the Supreme Court of Illinois held claims under the Illinois Biometric Information Privacy Act (Privacy Act or BIPA) accrue on each and every scan or collection and further allowed so-called per scan damages. The ruling could open employers up to colossal and potentially devastating damages if the legislature does not amend the Privacy Act. Defense counsel for White Castle System, Inc. indicated that White Castle intends to file a petition for rehearing within twenty-one days, a move that will make the decision “non-final” until the petition is ruled on by the Illinois Supreme Court.
The 4-3 ruling in Cothron v. White Castle System Inc. comes on a certified question from the federal Seventh Circuit Court of Appeals in a putative class action by a White Castle employee over the use of biometric technology that allegedly scans purported fingerprints in the workplace. The justices rejected arguments that the Privacy Act is violated, if at all, only the first time the alleged fingerprint is scanned or collected. The court rejected a reasonable “first collection” interpretation before it, which could still result in multi-million dollar class actions but limit exposure under Section 15(b) to $1,000 or $5,000 in statutory damages per class member. Instead, the justices held that the “plain language” of Sections 15(b) and 15(d) of the Privacy Act “demonstrates that such violations occur with every scan or transmission.” Indeed, the court acknowledged that its interpretation could mean White Castle faces a potential $17 billion liability. However, the opinion appears to overlook the longstanding canon of statutory construction that a court should interpret a statute to avoid “absurd results.”
The ruling is tempered only by the court’s observation that a judge has the discretion to fashion an award that does not annihilate defendant businesses. This per scan damages ruling would appear to eliminate the reason to file Privacy Act claims as class actions because any person who uses a biometric device for any extended period (without informed consent) can purportedly now collect millions individually. For the court to apply an interpretation that allows such extraordinary liability is a puzzling result when the court has previously stated that there is no physical, emotional or even monetary harm in most Privacy Act cases.
Background
The Privacy Act, passed in 2008, regulates the use, collection, and storage of biometric data, including retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry. Specifically, Section 15(b) of the Privacy Act provides that entities, including employers, may not “collect, capture, purchase, receive through trade, or otherwise obtain” individuals’ biometric data without providing notice and receiving consent. Section 15(d) further states that a private entity may not “disclose, redisclose, or otherwise disseminate” biometric data without consent.
The current case involves a White Castle restaurant manager who filed a proposed class action alleging the company required employees to scan their fingerprints to access pay stubs and computers beginning in 2004. According to the decision, once a scan was taken, it was transmitted to a third-party vendor for verification and to authorize access. The employee alleged that the company did not obtain the requisite consent to the collection under the Privacy Act until 2018, nearly a decade after the statute was enacted and approximately fourteen years after the company began using biometric technology.
Plain Language
The majority decision rejected White Castle’s argument that the employee’s claims were untimely because claims under Section 15(b) and 15(d) only accrue once, the first time the biometric data is collected or disclosed. The decision stated that the plain meaning of “collect” and “capture” in Section 15(b) allows for the possibility that they happen more than once. The majority pointed out that the company failed to show how the technology “could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub.”
Similarly, the majority was not convinced that the term “disclose,” which may connote a “new revelation,” limited the section to first-time disclosures. The court said that regardless, the terms in Section 15(d) “are broad enough to include repeated transmissions to the same party.”
The majority was unpersuaded by White Castle’s argument that longstanding Illinois Supreme Court precedent provides that claims only accrue when a legal right is invaded and injury inflicted and that the primary purpose of the Privacy Act is about control—specifically, control over the privacy and secrecy of one’s unique biometric data. Therefore, White Castle argued, when a fingerprint is scanned and transmitted without informed consent, the injury has occurred as plaintiff has lost the right to control his or her biometrics and the information is no longer secret. White Castle further argued that the injury only occurs once because the privacy rights were lost on the first collection and the information is already in the defendant’s possession.
The majority held that an injury occurs when a statutory provision is violated and that nothing in the Privacy Act limits a claim under Section 15 “to the first time that a private entity scans or transmits a party’s biometric identifier or biometric information.”
Three justices joined a dissenting opinion by Justice David Overstreet that argued the Privacy Act was not “intended to impose cumbersome requirements or punitive, crippling liability on corporations for multiple authentication scans of the same biometric identifier.” The dissent further argued that the Privacy Act applies when “a private entity obtains a person’s or customer’s biometric information without consent” and that it is “axiomatic, however, that a private entity may obtain any one type of a person’s biometric information only once, at least until that biometric identifier or information is destroyed.”
Key Takeaways
The Illinois high court held that employers may violate the Privacy Act each time biometric information is collected without requisite notice and consent under the act, including with fingerprint scanning technology used to protect access to sensitive information. This holding may open the floodgates to even more Privacy Act class actions. Further, because the Privacy Act provides for liquidated or statutory damages for “each violation,” potential damages in class actions could be devastating for businesses.
The decision stated that “concerns about potentially excessive damage awards under the Act are best addressed by the legislature,” meaning the issue could still be decided in a legislative forum and require effective lobbying by companies, their trade associations, insurance companies, and consortiums of aligned companies. Furthermore, White Castle’s filing of a petition for rehearing will make this decision non-final until the petition is ruled on by the court. In the meantime, employers may want to review their use of biometric technology and ensure they are in compliance with the Privacy Act’s policy, notice, and consent requirements.