On February 17, 2023, the Illinois Supreme Court held in a 4-3 split opinion that claims under the state’s Biometric Information Privacy Act (BIPA) accrue each time there is a biometric collection or transmission constituting a potential violation, even if the same biometric identifier is being collected or transmitted by the same entity from the same individual repeatedly. This opinion follows a recent Illinois Supreme Court decision that found a five-year limitations period for BIPA claims.
Companies should take note that these two rulings in combination could mean that they are vastly more exposed to litigation risk than previously anticipated. For example, a company that uses a fingerprint scanning system to track employee attendance that is not BIPA-compliant may be liable for every fingerprint scan going back five years, with the potential for penalties up to $5,000 per violation. While this allows for the possibility of astronomical damages figures, the Illinois Supreme Court’s latest decision noted that damages under BIPA are “discretionary,” rather than mandatory. Businesses that collect and process biometric information, especially of Illinois residents and residents of other states that regulate—or are considering regulating—biometric information, should ensure that their practices are compliant with the relevant privacy laws.
BIPA, enacted in 2008, regulates the collection, retention, disclosure, and destruction of biometrics, such as fingerprints, handprints, voiceprints, eye scans, and the facial geometry characteristics captured by facial recognition systems. Specifically, section 15 of BIPA outlines the obligations of private entities that collect or otherwise obtain biometrics. BIPA also provides a private right of action for parties that have been aggrieved by a BIPA violation, which makes possible lawsuits like the one addressed here.
The underlying case addressed by the Illinois Supreme Court, Cothron v. White Castle System, Inc., is a proposed class-action against an employer—White Castle—alleging violations of sections 15(b) and 15(d) of BIPA based on White Castle’s use of a fingerprint-based system for employees to access their pay stubs and computers. Each fingerprint scan was transmitted to a third-party vendor for verification to authorize an employee’s access. The plaintiff alleges that White Castle did not seek her consent to acquire and disclose her biometric data for nearly a decade after BIPA was enacted. After an interlocutory appeal from federal district court, the U.S. Court of Appeals for the Seventh Circuit certified the following question to the Illinois Supreme Court: “Do section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?”
Sections 15(b) and 15(d) of BIPA essentially require informed consent for the collection and dissemination of biometric information, such as a fingerprint. White Castle argued that violations of these provisions only accrue when the biometric information is first collected and disseminated—because that is when the loss of privacy and control occurs—not every subsequent time. The plaintiff, however, asserted that the plain text of BIPA calls for each and every collection and dissemination without consent to be considered a separate violation. The majority opinion agreed with the plaintiff, while acknowledging that significant damages awards may result. The dissenting opinion would have sided with White Castle’s interpretation, arguing that the majority’s interpretation will lead to absurd results. Regarding the possibility for significant damages, the majority noted that BIPA damages are discretionary rather than mandatory, allowing damages awards to be equitable rather than necessarily astronomical. In the class action context, the majority imagined that a damages award could fairly compensate class members and deter future violations without destroying a defendant’s business. The majority also suggested that the legislature clarify its intent as to the accrual of claims and damages if that intent does not align with the plain text of BIPA as interpreted by the court.
This decision has direct implications for entities that collect or otherwise obtain biometric information from Illinois residents, but entities operating in other states should also take notice. Some states—such as California and Colorado—have comprehensive state privacy laws going into effect in 2023 that regulate biometrics as “sensitive” information. Several other states—such as Arizona, Hawaii, Maryland, Massachusetts, Minnesota, and New York—have seen proposed standalone legislation similar to BIPA focusing on biometric information specifically. If any of those states pass laws with language similar to BIPA’s language, courts in those states may look to this case if asked to clarify this same claim accrual issue in their states.
Any entities that already obtain biometrics should ensure that they are compliant with BIPA and reevaluate their potential litigation risk in light of this decision. Entities that are considering collecting or obtaining biometrics should be deliberate in building policies that will be BIPA-compliant. Entities should also be on the lookout for insurance policy terms to change as insurance companies seek to mitigate the potential for massive damages awards and increased litigation for BIPA violations. We will continue to monitor developments related to BIPA and other legislation covering biometric data.