The Illinois Supreme Court resolved a critical question in Illinois Biometric Information Privacy Act (BIPA) cases with an answer that threatens to devastate companies and drive settlement values in pending cases through the roof: a separate claim under the statute accrues each time a private entity scans or transmits an individual’s biometric information.

The 4-3 opinion in Cothron v. White Castle System, Inc., issued on February 17, 2023, took up a certified question from the Seventh Circuit Court of Appeals: “Do section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?” The case arises from a putative class action case in which the plaintiff, a former White Castle employee, claims the restaurant chain violated BIPA when it introduced a system that required her to scan her fingerprints, without first obtaining her consent, in order to access company computers and paystubs.

Finding for the BIPA plaintiff, the Illinois Supreme Court focused on the language of the Act and agreed that the acts of collection and capture do not “happen only once.” Instead, it found that in Cothron’s case, “collection and capture” occurred each and every time she scanned her finger to access the company’s computer system. The court agreed with the federal district court’s earlier decision, quoting its observation that “[e]ach time an employee scans her fingerprint to access the system, the system must capture her biometric information and compare that newly captured information to the original scan (stored in an off-site database by one of the third parties with which White Castle contracted).”

The decision concludes that BIPA provides more than just a one-time liquidated penalty — a statutory violation exists with each and every subsequent scan, collection, or disclosure: “We believe that the plain language of section 15(b) and 15(d) demonstrates that such violations occur with every scan or transmission.”

The court considered arguments made by White Castle and amici that “allowing multiple or repeated accruals of claims by one individual could potentially result in punitive and ‘astronomical’ damage awards that would constitute ‘annihilative liability’ not contemplated by the legislature and possibly be unconstitutional” given that BIPA provides liquidated damages of $1,000 or $5,000 “for each violation.” The court acknowledged its crippling effect but found that the language of the Act supports its conclusion, regardless of the resulting harsh, unjust, or unwise consequences. Instead, the court explained that it had previously warned of severe penalties under BIPA and contends that without them, there would be little incentive for companies to comply. Of course, that does nothing to address defendants that allegedly violated the statute well before any of those Illinois court decisions.

As the slimmest of silver linings for defendants, the court noted that in a class action, a court has discretion to award damages that fairly compensate the class and deter future violations without destroying a defendant’s business and that the liquidated damages are discretionary — not mandatory. The court noted that “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.” For what it’s worth, plaintiff’s counsel acknowledged during last year’s oral argument before the court that “astronomical damages are not proper under the statute” after the justices signaled discomfort with viewing liquidated damages on a per-scan basis. He suggested that trial courts could use their discretion to apply “other more rational methods” to calculate damages. Still, no defendant will be eager to test this discretion.

Going no farther to address this significant concern that will have very real consequences on defendants, the court punted the issue by concluding that excessive damage awards are a policy-based concern best left to the legislature. It concluded by focusing its attention directly to the legislature: “We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.” Dozens of amendments to BIPA were previously introduced in the Illinois legislature in recent years that would have limited damages, eliminated the statute’s private right of action, specified when and how often claims accrue, and tightened the statute of limitations. So far, those proposals made little traction in the legislature. This decision could be the wake-up call legislators need to address the devastating consequences that Cothron itself has actualized.  

The justices dissenting from the opinion explained that the majority opinion is incompatible with the statute’s purpose in protecting individuals from the loss of control over their data: “The majority tellingly never explains how there is any additional loss of control or privacy with subsequent scans that are used to compare the employee’s fingerprint with the fingerprint that White Castle already possesses.” The dissent also identified a major flaw in the majority’s reasoning because the Act’s worst offenders could receive a slap on the wrist while technical violations are punished severely. It could not have been the legislature’s intent, for example, that a bad actor who made a one-time sale of biometric information to a third party with no regard for what that party would do with it could be subject to at most $5,000 in liquidated damages. Meanwhile, a well-meaning employer who used an employee’s finger scan to access her computer each workday would be on the hook for thousands of dollars in damages as a result of the reoccurring violations.

Earlier this month, the court released another discouraging BIPA opinion in Tims v. Black Horse Carriers setting the statute of limitations for claims under the Act at five years. Coupled with Cothron, the two decisions greatly expand the potential for liability for BIPA defendants.

Impacts of the Ruling and Key Takeaways for Your Business

The magnitude of this ruling is not hard to envision. Simply multiply the number of an employee’s finger scans (since 2008 to present on each day she worked) by the liquidated damage amounts of $1,000 or $5,000 per violation. Even for only one employee — let alone thousands for most employers — you can see why this decision imposes scary ramifications on BIPA defendants. In the Cothron case, White Castle estimated the potential number to be $17 billion.

This is not the last we will hear of this issue—as defendants actually face these crippling damages, we can certainly expect more appeals. Consider a recent 2022 decision by the Ninth Circuit Court of Appeals involving statutory damages under the Telephone Consumer Protection Act (TCPA). In Wakefield v. ViSalus, Inc., a TCPA class action related to robocalls, a jury returned a verdict of more than $925 million in statutory damages (based on the TCPA’s $500 statutory damages). The defendant challenged the damages award under the Due Process Clause of the Fifth Amendment. It argued not that the $500 statutory penalty was unconstitutional, but that when aggregated to more than $925 million in the class action, it was so severe and oppressive that it violated the company’s due process rights.

The Ninth Circuit held that aggregated statutory damage awards are, in certain extreme circumstances, subject to constitutional due process limitations. The court discussed that due process concerns are heightened when statutory damages are awarded as strict liability without any quantification of actual damages — particularly where there are a large number of violations or aggregation in a class action.

Cothron will lead to similar results and raises these same constitutionality questions. Whether this will actually lead to bankrupting a defendant or not, the dissent and the Seventh Circuit both recognized that this conclusion will lead to “crippling financial loss” for companies.

Also, there’s a very real concern that class counsel will use this decision as leverage to extract significant settlement payments from BIPA defendants — settlements in which the class attorneys generally receive 30 percent to 40 percent of the total in fees and costs. Those will likely face little challenge or appeal, and so we may not see any remedy to this concern quickly.

You’ve likely already been cautioned about ensuring your company is compliant with BIPA and taking mitigating steps to protect your company. Any company that collects or uses biometric data such as finger, face, or retina scans should evaluate its processes and policies with respect to these technologies and consider any applicable laws implicated by their use. At a minimum, companies in Illinois that use biometric information must have a written policy in place, obtain consent before collection, maintain the data securely, refrain from disclosing the data except with the data subject’s consent, and refrain from profiting from the biometric data.  We strongly encourage you to immediately assess (or reassess) whether you collect or use any type of data that could arguably be subject to BIPA to ensure compliance and avoid the crippling remedies that may result from violation of the statute.

For information on Abby Risner’s and Lauren Daming’s BIPA practice, including their counseling of clients on BIPA compliance and defense of BIPA class actions, click here.