In a highly anticipated decision, the Illinois Supreme Court recently held that a separate claim accrues under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.) each time biometric data or information is collected and/or disclosed.  The Supreme Court’s holding in Cothron v. White Castle System, Inc., 2023 IL 128004, is likely to have a profound impact on both the ability of plaintiffs to file BIPA claims and the calculation of liquidated damages for such claims.   

The Cothron v. White Castle System, Inc. Decision  

In the Cothron case, Plaintiff Latrina Cothron sued White Castle System, Inc. (“White Castle”) in 2018, alleging that White Castle violated BIPA when it scanned the fingers of its employees, including plaintiff, in order to access the employees’ pay stubs and White Castle’s computers.[1]  Specifically, Plaintiff alleged that White Castle violated Sections 15(b) and (d) of the Act.  Those sections of the Act place both restrictions and affirmative obligations on private entities related to biometric identifiers (such as fingerprints, voiceprints, retinal scans and facial geometry) and biometric information (e.g., information based on biometric identifiers to the extent used to identify an individual), including the following:

• Private entities which collect, capture, purchase, receive or otherwise obtain biometric identifiers or biometric information must first inform the subject of that fact in writing, as well as the specific purpose and length of time for which the information will be retained, and must obtain a written release executed by the subject.  740 ILCS 14/15(b).   

• Private entities are prohibited from selling or disclosing biometric identifiers or biometric information, subject to certain exceptions.  740 ILCS 14/15(d).

Plaintiff alleged that shortly after her employment at White Castle began, in 2004, she was required to utilize a biometric scanning device as part of her employment.  However, according to Plaintiff, it was not until 2018 that White Castle first sought written consent from Plaintiff to acquire and disclose Plaintiff’s biometric data.  Based on these allegations, White Castle moved for judgment on the pleadings, arguing that Plaintiff’s claims were untimely because her claims accrued in 2008, when White Castle first obtained Plaintiff’s biometric data after the Act went into effect.  In response, Plaintiff argued that a new claim accrued each time she scanned her finger and White Castle disclosed her data to a third party, which rendered her claims timely. 

The trial court agreed with Plaintiff and denied White Castle’s motion.  However, the trial court later certified its order for immediate interlocutory appeal to the Seventh Circuit Court of Appeals.  The Seventh Circuit accepted the certification and ultimately concluded that the unique question of when a claim accrued under the Illinois statute was best left to the Illinois Supreme Court.  As a result, the Seventh Circuit certified the following question to the Illinois Supreme Court:

• “Do Section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?”

Cothron v. White Caste System, Inc., 20 F.4th 1156, 1167 (7th Cir. 2021).  The Illinois Supreme Court accepted the certification and chose to answer the question.

In a 4-3 decision, the Illinois Supreme Court found “that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).”  Cothron v. White Castle System, Inc., 2023 IL 128004, ¶ 1.  The Supreme Court’s analysis centered on the plain language of the Act.  Id. ¶ 20.  Moreover, the Supreme Court also rejected numerous nontextual arguments raised by White Castle, including the nature of the purported harm alleged by plaintiffs in BIPA actions and the possibility for “astronomical” damage awards.  Id. ¶¶ 32, 40. 

The dissent, authored by Justice Overstreet, stated that the majority opinion could “not be reconciled with the plain language of the statute,” the purpose behind BIPA, or case law.  Id. ¶ 48.  Noting the “potential imposition of crippling liability on businesses” as a “proper consequence to consider,” the dissent concluded that a claim accrues under BIPA “only upon the first scan or transmission.”  Id. ¶¶ 48, 62.               

The Cothron Ruling’s Impact on Your Business

The Cothron decision is likely to have a significant impact on BIPA cases in at least two critical respects.  First, the Cothron ruling, coupled with the Supreme Court’s ruling in Tims, et al. v. Black Horse Carriers, Inc. applying a five-year limitations period to all claims under the Act, severely limits the viability of a statute of limitations defense to a BIPA claim.  A defendant asserting such a defense will now need to prove that a given plaintiff’s biometric data was not scanned or transmitted at any time for the five years prior to the filing of the action.  Second, the Cothron ruling leaves open the possibility of absurd damage awards based on the frequency of scans or transmissions, allowing a single plaintiff the possibility of collecting many multiples of the liquidated damage amounts provided in the Act.

Notably, the Cothron decision left open the possibility of some relief for BIPA defendants in two respects.  First, the Cothron court observed that it “appears” the General Assembly made “damages discretionary rather than mandatory under the Act.”  Id. ¶ 42.  As such, the Supreme Court held that a trial court “would certainly possess the discretion to fashion a damage award that (1) fairly compensated claiming class members and (2) included an amount designed to deter future violations, without destroying defendant’s business.”  Id.  However, the Supreme Court provided no guidance to trial courts as to what factors or criteria should be utilized in exercising this discretion.  Second, the majority opinion ends with a call to action directed at the legislature to “review” the policy concerns raised by the parties and “make clear its intent regarding the assessment of damages under the Act.”  Id. ¶ 43.  Thus far, the legislature has declined repeated requests to revise or amend BIPA to address the possibility of catastrophic damage awards.       

Ultimately, every business should perform a critical analysis as to any business practice that potentially concerns biometrics—including employee timekeeping, identification procedures or security protocols.  The failure to fully comply with BIPA, even when such a failure results in no actual injury to an individual, may lead to significant liability. 

FOOTNOTES

[¹] Plaintiff originally filed her action in the Circuit Court of Cook County against White Castle and its third-party vendor Cross Match Technologies.  Cross Match Technologies removed the case to federal court and Plaintiff later voluntarily dismissed Cross Match Technologies.