March 23, 2023

Volume XIII, Number 82


BREAKING: Illinois Supreme Court Determines BIPA Claims Accrue Individually With Each Violation

The Illinois Supreme Court today resolved one of the most significant unsettled areas of law for claims arising under the Illinois Biometric Information Privacy Act (“BIPA”). In its decision in Cothron v. White Castle Sys., Inc., the Court confirmed that each separate violation of BIPA constitutes a distinct and separately actionable violation of the statute. The decision exponentially increases liability exposure and the scope of damages that may be collected for alleged violations of BIPA.

Background and Decision

In Cothron (covered extensively by Privacy World articles here, here, here, and here, and discussed in Squire Patton Boggs’s 2022 Q2 AI & Biometric Privacy Quarterly Review Newsletter), Plaintiff, a former employee of defendant White Castle, brought claims under Sections 15(b) and 15(d) of BIPA for alleged violations stemming from collections of her fingerprint. Plaintiff initially began working at White Castle in Illinois in 2004, and White Castle subsequently implemented an optional, consent-based finger-scan system for employees to sign documents and access their paystubs and computers. Plaintiff consented in 2007 to the collection of her biometric data but sued in 2018. She alleged that White Castle did not obtain consent to collect or disclose her fingerprints at the first instance the collection occurred under BIPA because BIPA did not exist in 2007. The Illinois Supreme Court denied White Castle’s judgment on the pleadings; White Castle appealed to the Seventh Circuit, which certified the question to the Illinois Supreme Court of “[w]hether, when conduct that allegedly violates BIPA is repeated, that conduct gives rise to a single claim under Sections 15(b) and 15(d) of BIPA, or multiple claims.”

The Illinois Supreme Court held that “a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).” Looking at the plain language of Section 15(b), the court disagreed with White Castle that “collection” or “capture” of biometric identifiers occurs only once, when an entity first obtains an individual’s fingerprint, in part because of the position White Castle had taken in prior pleadings. The court also looked to Section 15(b)’s language distinguishing collection and storage of biometric identifiers, observing that Section 15(b)(2)’s requirement that an entity notify an individual of how long their biometric identifiers would be collected “shows that the legislature contemplated collection as being something that would happen more than once.”

Similarly, in analyzing Section 15(d), the court held that the plain language of the provision applies to every transmission of biometric identifiers to a third party. The court looked to the dictionary definitions of terms in the statute, including “disclose” and “redisclose.” Ultimately, the court concluded that BIPA does not include a limitation that claims should only arise the first time that an entity scans or transmits an individual’s biometric data and that it could not rewrite the statute to include such a limitation.

The court also addressed White Castle’s argument that Plaintiff’s construction of the statute could lead to “astronomical” damages awards that could be unconstitutional but held that the statutory language “clearly support[ed]” Plaintiff’s position, and it was bound to give that language effect. The court observed that policy-based concerns about damages awards were best addressed by the legislature.

In a dissent joined by Chief Justice Theis and Justice Holder White, Justice Overstreet stated that the majority’s interpretation could not be reconciled with the plain language of the statute and would render compliance with BIPA unduly burdensome for employers. Justice Overstreet observed that Section 15(b) “broadly applies to any way that a private entity obtains a person’s biometric identifier or information,” which “can happen only once” because White Castle obtained the biometric identifiers with an employee’s first fingerprint scan—it does not obtain that information in subsequent scans, because it already has it. Subsequent scans did not collect any new information from Plaintiff, and she did not suffer any additional loss of biometric information. The dissent applies the same analysis to claims arising under Section 15(d), holding that this reading is the only one that is consistent with the original purpose of BIPA—to protect a privacy interest—because the individual loses control over their biometric information only once.


Cothron reflects a consistently expansive and plaintiff-friendly interpretation of BIPA in courts, following the much-anticipated Tims decision, which resolved the applicable statute of limitations for BIPA claims as five years rather than one year. Plaintiffs may now seek to collect liquidated damages for each separate violation of BIPA, compounding the associated statutory negligent damages of $1,000 per violation and intentional/reckless damages of $5,000 per violation for each alleged violation. The Cothron decision exponentially expands the scope of damages that may be sought by an individual plaintiff or a class and is certain to increase the already-high number of putative class actions filed under BIPA.

© Copyright 2023 Squire Patton Boggs (US) LLP

National Law Review, Volume XIII, Number 48

About this Author

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

Kyle R. Fath Cybersecurity Attorney Squire Patton Boggs New York Los Angeles
Of Counsel

Kyle Fath is counsel in the Data Privacy & Cybersecurity Practice. He offers clients a unique blend of deep experience in counselling companies through compliance with data privacy laws, drafting and negotiating technology agreements, and advising on the privacy, IT, and IP implications of mergers & acquisitions and other corporate transactions. His practice has a particular focus on the ingestion and sharing of data by way of strategic data transactions, data brokers, and vendor relationships, the implications of digital advertising (as companies look toward...

Christina Lamoureux Litigation Attorney Squire Patton Boggs Washington DC

Christina Lamoureux is an associate in the Litigation Practice in the Washington DC office. She represents a wide variety of clients in complex commercial matters.

David Oberly Attorney Data Privacy Squire Patton Boggs Cincinnati
Senior Associate

David Oberly is a senior associate in the Data Privacy, Cybersecurity & Digital Assets Practice. David focuses his practice on providing sophisticated advice and guidance to corporate clients on a broad assortment of biometric privacy, data privacy and security/data protection matters. David’s clients range from startups to Fortune 50 companies and extend across myriad industries, including advertising, media, retail, consumer products, technology, e-commerce, financial services, social media and healthcare.

Outside of his day-to-day...