A split Illinois Supreme Court issued on Friday another long-awaited decision interpreting the Illinois Biometric Information Privacy Act (BIPA), holding that a separate BIPA violation occurs with each undisclosed and unconsented-to scan or transmission of an individual’s biometric identifier or information.

Because BIPA provides that a party may recover statutory damages for “each violation,” allowing multiple or repeated accruals of claims by one individual could potentially result in punitive and astronomical damage awards. This comes fresh on the heels of the court’s decision holding that all claims under BIPA are subject to a five-year statute of limitations.  

In Cothron v. White Castle Systems, 2023 IL 128004, the plaintiff, a manager of a White Castle restaurant in Illinois, alleged that White Castle required employees to use a fingerprint scanning system to access their pay stubs and computers. A third-party vendor was responsible for verifying each fingerprint scan. The plaintiff filed suit in state court, alleging that White Castle did not obtain her consent to acquire her fingerprint biometric data and therefore unlawfully collected her biometric data and unlawfully disclosed that data to its third-party vendor. 

After the case was removed to the US District Court for the Northern District of Illinois, White Castle argued the plaintiff’s claims were untimely because her claim accrued in 2008, on her first fingerprint scan after BIPA was enacted. The plaintiff argued her claims were timely because a new claim accrued each time she scanned her fingertips and White Castle sent the data to its third-party vendor. The district court agreed with the plaintiff but certified an appeal to the Seventh Circuit. The Seventh Circuit found both sides’ arguments on the accrual of BIPA claims reasonable, so it certified the question of claim accrual under BIPA to be answered by the Illinois Supreme Court.

In a 4-3 decision, the Illinois Supreme Court concluded that the statutory language of BIPA provides that violations occur with every scan or transmission of biometric data, not merely the first such instance. The court analyzed the statutory language of BIPA sections 15(b) and 15(d), the two provisions White Castle allegedly violated.

Section 15(b) provides that “[n]o private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information” without obtaining informed consent.  Each time White Castle scans an employee’s fingerprint, it is “collecting” or “capturing” biometric information, the court concluded.

Under Section 15(d), “[n]o private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information” without consent. White Castle argued this applies only to the first disclosure of biometric data and not to subsequent disclosures of the same data to White Castle’s third-party vendor. The court disagreed, concluding that the language of Section 15(d) is “broad enough to include repeated transmissions to the same third party.”

In addition to its textual analysis, the court addressed and rejected other arguments by White Castle for a single-accrual interpretation of BIPA. The court rejected White Castle’s argument that BIPA protects only against the first instance of an individual’s loss of the “right to control” their biometric data—rather, the court said each statutory violation itself is the injury for purposes of a BIPA claim. The court also acknowledged White Castle’s argument that separate claim accrual for each scan or transmission of biometric information could result in “astronomical” damages awards not contemplated by the legislature—but the court suggested that such “policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature.”

Three justices dissented in Cothron, arguing the majority ignored that the construction of a statute that leads to an absurd result must be avoided. The dissent highlighted two “significant consequences” of the majority’s decision. First, if every scan is a separate actionable violation, plaintiffs would be incentivized to delay bringing their claims as long as possible to maximize their damages.  Second, the majority’s construction could easily lead to “annihilative liability” for businesses. If statutory damages of $1,000 or $5,000 for “each violation” of BIPA are available for every scan or transmission, White Castle calculated its damages in the case “may exceed $17 billion.” The dissent argued that imposing crippling liability could not have been the legislature’s intent when passing BIPA.

This decision, together with the decision extending the limitations period for all claims under BIPA to five years, make it more important than ever that businesses that collect biometric data seek counsel to ensure they do so in compliance with BIPA and other biometric privacy laws and  develop legal strategies for successfully resolving BIPA claims.