
Illinois Court Rules Privacy Act Claims Accrue With Each Biometric Scan




On Feb. 17, the Supreme Court of Illinois held that claims under the Illinois Biometric Information Privacy Act (BIPA) accrue on each scan or collection, allowing per-scan damages. The ruling could open employers up to colossal and potentially devastating damages if the legislature does not amend the law.

Defense counsel for White Castle System, Inc. indicated that White Castle intends to file a petition for a rehearing within 21 days, a move that will make the decision non-final until the petition is ruled on by the Illinois Supreme Court.

The 4-3 ruling in Cothron v. White Castle System Inc. comes on a certified question from the federal Seventh Circuit Court of Appeals in a putative class action by a White Castle employee over the use of biometric technology that allegedly scans purported fingerprints in the workplace. The justices rejected arguments that BIPA is violated only the first time a fingerprint is scanned. The court rejected a reasonable "first collection" interpretation, which could still result in multimillion-dollar class actions but would limit employers' exposure to $1,000 or $5,000 in statutory damages per class member. Instead, the justices held that the plain language of BIPA "demonstrates that such violations occur with every scan or transmission." Indeed, the court acknowledged that its interpretation could mean White Castle faces a potential $17 billion liability. However, the opinion appears to overlook the longstanding canon of statutory construction that a court should interpret a statute to avoid "absurd results."

The ruling is tempered only by the court's observation that a judge has the discretion to fashion an award that does not annihilate defendant businesses. This per-scan damages ruling would appear to eliminate the reason to file BIPA claims as class actions because any person who uses a biometric device for any extended period without informed consent can purportedly now collect millions individually. For the court to apply an interpretation that allows such extraordinary liability is a puzzling result when the court has previously stated that there is no physical, emotional or even monetary harm in most BIPA cases.

Background

BIPA, passed in 2008, regulates the use, collection, and storage of biometric data, including retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry. Specifically, Section 15(b) of BIPA provides that employers may not "collect, capture, purchase, receive through trade, or otherwise obtain" individuals' biometric data without providing notice and receiving consent. Section 15(d) further states that a private entity may not "disclose, redisclose, or otherwise disseminate" biometric data without consent.

The current case involves a White Castle restaurant manager who filed a proposed class action, alleging the company required employees to scan their fingerprints to access paystubs and computers beginning in 2004. According to the decision, once a scan was taken, it was transmitted to a third-party vendor for verification and to authorize access. The employee alleged that the company did not obtain the requisite consent until 2018, nearly a decade after the statute was enacted and approximately 14 years after the company began using biometric technology.

The majority decision rejected White Castle's argument that the employee's claims were untimely because claims under BIPA only accrue once, the first time the biometric data is collected or disclosed. The decision stated that the plain meaning of "collect" and "capture" in Section 15(b) allows for the possibility that they happen more than once. The majority pointed out that the company failed to show how technology "could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or paystub."

Similarly, the majority was not convinced that the term "disclose," which may connote a "new revelation," limited the section to first-time disclosures. The court said that regardless, the terms in Section 15(d) "are broad enough to include repeated transmissions to the same party."

The majority was unpersuaded by White Castle's argument that longstanding Illinois Supreme Court precedent provides that claims only accrue when a legal right is invaded and injury inflicted and that the primary purpose of BIPA is about control over the privacy and secrecy of one's unique biometric data. Therefore, White Castle argued, when a fingerprint is scanned and transmitted without informed consent, the injury has occurred as the plaintiff has lost the right to control his or her biometrics, and the information is no longer secret. White Castle further argued that the injury only occurs once because the privacy rights were lost on the first collection, and the information is already in the defendant's possession.

The majority held that an injury occurs when a statutory provision is violated and that nothing in BIPA limits a claim "to the first time that a private entity scans or transmits a party's biometric identifier or biometric information."

Three justices joined a dissenting opinion by Justice David Overstreet that argued BIPA was not "intended to impose cumbersome requirements or punitive, crippling liability on corporations for multiple authentication scans of the same biometric identifier." The dissent further argued that BIPA applies when "a private entity obtains a person's or customer's biometric information without consent" and that it is "axiomatic, however, that a private entity may obtain any one type of a person's biometric information only once, at least until that biometric identifier or information is destroyed."

Key Takeaways

The Illinois high court held that employers may violate BIPA each time biometric information is collected without notice and consent, including with fingerprint scanning technology used to protect access to sensitive information. This holding may open the floodgates to more class actions. Because BIPA provides for liquidated or statutory damages for each violation, potential damages in class actions could be devastating for businesses.

The court decision stated that "concerns about potentially excessive damage awards under the Act are best addressed by the legislature," meaning the issue could still be decided in a legislative forum and require effective lobbying by companies, their trade associations, insurance companies, and consortiums of aligned companies.

White Castle's filing of a petition for rehearing will make this decision non-final until the petition is ruled on by the court. In the meantime, employers may want to review their use of biometric technology and ensure they are in compliance with BIPA's policy, notice and consent requirements.

Anne Larson, Harry Secaras and Zachary Pestine are attorneys with Ogletree Deakins in Chicago. Zachary Zagger is an attorney with Ogletree Deakins in New York City. © 2023. All rights reserved. Reprinted with permission. 
