Illinois Supreme Court Decision Exposes Employers to Significant Damages for Biometric Information Privacy Act Claims
On Feb. 17, 2023, the Supreme Court of Illinois held that claims brought pursuant to the Illinois Biometric Information Privacy Act (BIPA) accrue with every scan or transmission of biometric information without prior informed consent. This decision is likely to lead to additional BIPA litigation in Illinois, and potentially exposes employers to astronomical damages for violations of the Act.
The Biometric Information Privacy Act, enacted in 2008, regulates the collection, use, storage and dissemination of biometric identifiers and information, including retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry. Section 15(b) of the Act provides that a private entity may not collect a person’s biometric data without first providing written notice to, and receiving written consent from, that person. Section 15(d) of the Act prohibits a private entity from disclosing or disseminating a person’s biometric data without consent or other legal authorization. The Act provides for damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation (in addition to attorneys’ fees and costs).
Regional restaurant chain White Castle utilized a system which required employees to scan their fingerprints to access pay stubs and computers, and a third-party vendor then verified each scan and authorized the employee’s access. In Cothron v. White Castle System, Inc., the plaintiff sought to bring a class action alleging that White Castle implemented this biometric data collection system without obtaining consent as required by the Act.
On a certified question from the U.S. Court of Appeals for the Seventh Circuit, the Supreme Court of Illinois was asked to answer whether BIPA claims accrue each time an entity scans a person’s biometric identifier and each time an entity transmits such a scan to a third party, or if such claims accrue only upon the first scan and first transmission. White Castle argued that such claims can accrue only once – when the biometric data is initially collected or disclosed. The court rejected this argument, ruling 4-3 that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric data in violation of the Act. (The dissent took the opposite view, stating that claims under sections 15(b) and 15(d) of the Act should accrue “only upon the first scan or transmission.”)
The majority acknowledged White Castle’s concern that allowing repeated accrual of claims by one individual “could potentially result in punitive and ‘astronomical’ damage awards that would constitute ‘annihilative liability.’” In particular, White Castle estimated that if the plaintiff was successful and allowed to bring her claims on behalf of 9,500 current and former employees, damages may exceed $17 billion. In response, the court emphasized that the “statutory language clearly supports plaintiff’s position,” and that it “has repeatedly recognized the potential for significant damages awards under the Act.” However, the court further noted that damages are discretionary, rather than mandatory, under the Act, and that “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.” Ultimately, the court suggested that concerns about potentially excessive damages awards under the Act are best addressed by the legislature.
Employers in Illinois should carefully consider the use of biometric information in the wake of this decision and take immediate steps to ensure that such usage is consistent with the BIPA’s strict requirements. We will continue to monitor this case for additional developments, including appeal. If you have any questions specific to your organization, please contact your regular Armstrong Teasdale lawyer or one of the authors listed below.