On February 17, 2023, the Illinois Supreme Court ruled 4-3 that violations of the Biometric Information Privacy Act (“BIPA”) (the country’s first biometric privacy legislation) accrue for each incident of capture or dissemination of biometric information, and not only once for each data subject. Cothron v. White Castle Systems found based on the plain language of the statute that violations for collecting or disclosing biometric information occur at every scan or transaction. Cothron v. White Castle Sys., 2023 IL 128004. The court reached this conclusion while admitting the “absurd” implications, including that the ruling could result in damages of $17 billion. Id. at ¶ 40.

Cothron follows the recent decision in Tims v. Black Horse Carriers, Inc., which applied a uniform 5-year statute of limitations for all claims under BIPA. Tims et al. v. Black Horse Carriers Inc., case number 127801. Taken together, Cothron and Tims create a minefield of liability for organizations collecting biometric information and may significantly increase the number of plaintiffs, claims, and possible damages under BIPA.

Background

Latrina Cothron filed a proposed class action against White Castle System, Inc. (“White Castle”), her former employer, which required employee fingerprint scans to access computer systems and pay stubs. The scans were sent to a third-party vendor to verify and authorize access. The White Castle policy, instituted in 2004, preceded the 2008 enactment of BIPA, but White Castle did not seek consent after BIPA’s enactment until 2018. Cothron alleged that White Castle violated BIPA sections 15(b) and 15(d) by collecting and distributing her fingerprint identifier without prior consent.

White Castle moved for judgment on the pleadings, arguing that Cothron’s action was time barred because it accrued in 2008, when it first obtained her biometric data after BIPA took effect. Cothron responded that a new claim accrued each time White Castle sent her biometric data to its third-party authenticator, and argued her action was timely as to the unlawful scans and transmissions that occurred within the statutory period.

To resolve the issue, the Court considered whether section 15(b) and 15(d) claims accrue each time an entity “scans a person’s biometric identifier and each time an entity discloses a scan to a third party, or only once, upon the first scan and transmission.” Cothron at ¶ 1. The relevant BIPA section, 15(b), states that a private entity may not “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first” obtains consent from the data subject. 740 ILCS 14/15. Section 15(d) states that a private entity in possession of a biometric identifier may not “disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless” there is consent or the disclosure is required by law. Id.

When 15(b) and 15(d) claims accrue has important implications for both the limitations period and calculating damages because statutory damages under BIPA accrue per violation. A company that negligently violates a provision of BIPA is liable for damages of $1,000 per violation, while a company that intentionally or recklessly violates a provision is liable for damages of $5,000 per violation. 740 ILCS 14/20.

Illinois Supreme Court Decision

The Illinois Supreme Court held that “the plain language of section 15(b) and 15(d) demonstrates that such violations occur with every scan or transmission.” Cothron at ¶ 30.

For BIPA section 15(b), the court examined the plain text meaning of “collect” and “capture.” Id. at ¶ 23. The court found that information can be captured or collected more than once, explaining that each time the employee used their fingerprint to access pay stubs or computer systems, the system collected the fingerprint anew. Id. Therefore, each new capture constitutes a separate claim under BIPA.

For BIPA section 15(d), the court analyzed the plain meaning of “disclose” and “redisclose.” Id. at ¶ 27. It held that “redisclose” included repeated transmission to the same third-party. Id.  The court further pointed to the statutory catch-all language in BIPA providing that a violation occurs when entities “otherwise disseminate” the biometric information.  Thus, each disclosure represents a new violation. Id.

The majority in Cothron recognized the decision’s impact, stating “this court has repeatedly recognized the potential for significant damages awards under the Act.” Id. at ¶ 41. The court defended the decision as consistent with legislative intent, explaining that a “substantial potential liability” would give private entities “the strongest possible incentive to conform” to the statute. Id.  The court acknowledged that “if plaintiff is successful and allowed to bring her claims on behalf of as many as 9500 current and former White Castle employees, class-wide damages in her action may exceed $17 billion.” Id. at ¶ 40.

Key Takeaways

Far reaching consequences

Biometric information comes in many forms, and any time it is collected from Illinois residents, it must be handled consistently with the broad proscriptions of BIPA. Critically, fingerprinting is not the only biometric information that falls under BIPA—its reach is broad. BIPA claims have involved facial recognition features used to “tag” users in photos, collecting customers’ voices in drive-throughs, remote proctoring tools for online schooling, customer hotlines, vending machines, donation centers, and even virtual glasses try-on software. In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016), Carpenter v. McDonald’s Corp., 580 F. Supp. 3d 512 (N.D. Ill. 2022), Doe v. Nw. Univ., No. 21 C 1579 (N.D. Ill. 2022), Dorian v. Amazon Web Servs., Inc., No. 2:22-CV-00269 (W.D. Wash. 2022).

Potential increase in damages and settlement amounts

Liability will now depend on the number of subjects from which an organization collects data, as well as how that collection occurs. An amusement park scanning fingerprints on entry may only accrue a handful of claims per data subject, whereas an employer scanning fingerprints for each employee several times per shift, as in Cothron, may accrue hundreds of claims per subject. See Rosenbach v. Six Flags Entm’t Corp., 129 N.E.3d 1197 (2019). Companies that passively collect biometric information could see an astronomical number of claims.

This increased liability risk under BIPA reinforces that companies must understand how they collect, store, use, and ultimately delete biometric information, to ensure that each step complies with BIPA.

Reduce Liability through Transparency – CONSENT IS KEY!

Organizations may be able to significantly mitigate risk through thoughtful and transparent implementation of biometric data collection.  Most recent biometric litigation has centered on notice and consent.  Organizations wishing to reduce liability and increase transparency can (1) obtain consent from employees before collecting biometric information and (2) maintain and publish a robust privacy policy outlining the use and retention of employee biometric information.  Businesses may significantly reduce their risk of BIPA exposure by establishing a culture of transparency throughout the organization.

* * *

Crowell & Moring LLP has a robust and highly experienced team advising organizations of all sizes on compliance with biometric privacy laws. Crowell also has an extensive library of resources associated with the Illinois Biometric Privacy Act, including:

BIPA Claims Uniformly Have a 5-Year Statute of Limitations

A Statute of Limitations for BIPA Claims? We May be One Step Closer

Ninth Circuit Rejects Facebook’s Article III Argument; Biometric Lawsuit Will Proceed

Illinois’ First Settlement under Biometric Law; AMA Adopts Principles for Mobile Health Apps; Ecuador to Enact Data Privacy Law

For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.

Laura Foggan

Laura Foggan is a partner in Crowell & Moring’s Washington, D.C. office, and chair of the firm’s Insurance/Reinsurance Group. She has been described by LawDragon 500 Magazine as “one of the most successful advocates for the insurance industry to ever practice.” Laura was recently recognized as a Global Elite Thought Leader for Insurance & Reinsurance by Who’s Who Legal (2019), who praised her as a “dynamic and creative thinker” who has “very high standards and delivers superior work.” She is a Chambers-ranked Band 1 practitioner and included in the Best Lawyers in America directory, and consistently named one of Washington D.C.’s “Top 100 Lawyers” and “Top 50 Women Lawyers” and a “Super Lawyer” for Insurance Coverage by Super Lawyers Magazine. Laura represents clients in a variety of litigation and counseling matters.

Jason Stiehl

Balance and comprehension are Jason Stiehl’s strengths. Splitting his practice between class action defense and trade secret protection, Jason immerses himself in the business of his clients. With a depth of understanding and appreciation for the risks and growth strategies in his clients’ markets, he defends the assets and brands most valuable to his clients before trouble strikes.

Jason is a partner in Crowell & Moring’s Chicago office, where he is a member of the firm’s Litigation and Technology and Brand Protection groups. Jason is an experienced trial lawyer with a nationwide practice in federal and state courts focusing on complex litigation, consumer class actions, and advertising disputes. He serves clients in the retail, food and beverage, pharmaceutical and medical equipment, advertising, and technology sectors defending allegations related to consumer fraud, false labeling and deceptive practices, and Lanham Act violations. As a leading consumer class action defense lawyer, Jason also defends clients in matters involving the regulatory alphabet soup. His experience includes defense and counseling regarding the Illinois Biometric Information Privacy Act and the Telephone Consumer Protection Act and navigating the myriad varying state consumer protection statutes, including California’s Legal Remedies Act and the California Consumer Privacy Act.

Laura Schwartz

Laura Schwartz is a counsel in Crowell & Moring’s Los Angeles office, where she is a member of the Commercial Litigation and White Collar & Regulatory Enforcement groups. Laura represents corporate and individual clients in high stakes litigation including healthcare fraud, intellectual property and trade secrets theft, data privacy, and related criminal investigations in state and federal courts. Her clients include Fortune 500 companies, multinational health care services and investment bank and financial services companies, university systems, and technology start-ups.

Jacob Canter

Jacob Canter is an attorney in the San Francisco office of Crowell & Moring. He is a member of the Litigation and Privacy & Cybersecurity groups. Jacob’s areas of emphasis include technology-related litigation, involving competition, cybersecurity and digital crimes, copyright, trademark, and patent, as well as general complex commercial matters.

Jacob graduated from the University of California, Berkeley School of Law in 2018, where he launched Berkeley’s election law outreach program and pro bono project. He joins the firm after a year of practice at an international law firm in Washington, D.C., and a year clerking in the Southern District of New York for the Hon. Lorna G. Schofield. Jacob was exposed to and provided support in a variety of complex substantive and procedural legal topics during the clerkship, including trade secrets, insurance/reinsurance, contracts, class actions, privacy, intellectual property, and arbitrability.

Alexis Ward

Alexis Ward represents clients in a variety of matters at the intersection of government contracts and cybersecurity utilizing her experience in analytics and data architecture to counsel clients with a practical, real-world lens. As a member of Crowell & Moring’s Privacy and Cybersecurity and Government Contracts groups, Alexis has assisted clients in matters including False Claims Act investigations; developing corporate policies, procedures and governance; and in diverse matters involving cybersecurity and data privacy compliance, risk assessment and mitigation, and incident response.

During law school, Alexis founded USC Gould’s Privacy and Cybersecurity Law Society and was on the board of OUTLaw. Alexis also worked as a teaching assistant for the graduate programs’ Information Privacy Law course. Her paper The Oldest Trick in the Facebook: Would the General Data Protection Regulation Have Stopped the Cambridge Analytica Scandal? was published by the Trinity College Law Review.