The Illinois Supreme Court today resolved one of the most significant unsettled areas of law for claims arising under the Illinois Biometric Information Privacy Act (“BIPA”). In its decision in Cothron v. White Castle Sys., Inc., the Court confirmed that each separate violation of BIPA constitutes a distinct and separately actionable violation of the statute. The decision exponentially increases liability exposure and the scope of damages that may be collected for alleged violations of BIPA.

Background and Decision

In Cothron (covered extensively by Privacy World articles hereherehere, and here, and discussed in Squire Patton Bogg’s 2022 Q2 AI & Biometric Privacy Quarterly Review Newsletter), Plaintiff, a former employee of defendant White Castle, brought claims under Sections 15(b) and 15(d) of BIPA for alleged violations stemming from collections of her fingerprint. Plaintiff initially began working at White Castle in Illinois in 2004, and White Castle subsequently implemented an optional, consent-based finger-scan system for employees to sign documents and access their paystubs and computers. Plaintiff consented in 2007 to the collection of her biometric data but sued in 2018. She alleged that White Castle did not obtain consent to collect or disclose her fingerprints at the first instance the collection occurred under BIPA because BIPA did not exist in 2007. The Illinois Supreme Court denied White Castle’s judgment on the pleadings; White Castle appealed to the Seventh Circuit, which certified the question to the Illinois Supreme Court of “[w]hether, when conduct that allegedly violates BIPA is repeated, that conduct gives rise to a single claim under Sections 15(b) and 15(d) of BIPA, or multiple claims.”

The Illinois Supreme Court held that “a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).” Looking at the plain language of Section 15(b), the court disagreed with White Castle that “collection” or “capture” of biometric identifiers occurs only once, when an entity first obtains an individual’s fingerprint, in part because of the position White Castle had taken in prior pleadings. The court also looked to Section 15(b)’s language distinguishing collection and storage of biometric identifiers, observing that Section 15(b)(2)’s requirement that an entity notify an individual of how long their biometric identifiers would be collected “shows that the legislature contemplated collection as being something that would happen more than once.”

Similarly, in analyzing Section 15(d), the court held that the plain language of the provision applies to every transmission of biometric identifiers to a third party. The court looked to the dictionary definitions of terms in the statute, including “disclose” and “redisclose.” Ultimately, the court concluded that BIPA does not include a limitation that claims should only arise the first time that an entity scans or transmits an individual’s biometric data and that it could not rewrite the statute to include such a limitation.

The court also addressed White Castle’s argument that Plaintiff’s construction of the statute could lead to “astronomical” damages awards that could be unconstitutional but held that the statutory language “clearly support[ed]” Plaintiff’s position, and it was bound to give that language effect. The court observed that policy-based concerns about damages awards were best addressed by the legislature.

In a dissent joined by Chief Justice Theis and Justice Holder White, Justice Overstreet stated that the majority’s interpretation could not be reconciled with the plain language of the statute and would render compliance with BIPA unduly burdensome for employers. Justice Overstreet observed that Section 15(b) “broadly applies to any way that a private entity obtains a person’s biometric identifier or information,” which “can happen only once” because White Castle obtained the biometric identifiers with an employee’s first fingerprint scan—it does not obtain that information in subsequent scans, because it already has it. Subsequent scans did not collect any new information from Plaintiff, and she did not suffer any additional loss of biometric information. The dissent applies the same analysis to claims arising under Section 15(d), holding that this reading is the only one that is consistent with the original purpose of BIPA—to protect a privacy interest—because the individual loses control over their biometric information only once.

Takeaways

Cothron reflects a consistently expansive and plaintiff-friendly interpretation of BIPA in courts, following the much-anticipated Tims decision, which resolved the applicable statute of limitations for BIPA claims as five years rather than one year. Plaintiffs may now seek to collect liquidated damages for each separate violation of BIPA, compounding the associated statutory negligent damages of $1,000 per violation and intentional/reckless damages of $5,000 per violation for each alleged violation. The Cothron decision exponentially expands the scope of damages that may be sought by an individual plaintiff or a class and is certain to increase the already-high number of putative class actions filed under BIPA.

For more, stay tuned; Privacy World will be there to keep you in the loop.