Background

The Illinois Supreme Court recently issued a decision that could have wide-ranging implications for defendants and plaintiffs alike under the Illinois Biometric Information Privacy Act (BIPA). In response to a certified question from the U.S. Court of Appeals, the Illinois Supreme Court ruled that damages claims under BIPA accrue on each violation, not just the first.

In the case, Cothron v. White Castle, a former White Castle manager alleged that White Castle violated her rights under BIPA every time she clocked in and out of the White Castle timekeeping system, which scanned and collected her fingerprints allegedly without her written consent.  Cothron, on behalf of a putative class, claimed that White Castle collected this biometric information and then disclosed it to a third-party vendor in violation of BIPA, which bars entities from collecting, capturing, purchasing, obtaining, disclosing or disseminating an individual’s biometric information without written consent.

Significantly, Cothron also alleged that she had a new claim under BIPA each time White Castle scanned her finger and sent that data to its third-party vendor.  White Castle argued that Cothron’s BIPA claims accrue only once, no matter how many times it collected Cothron’s biometric information or sent it to a third-party vendor.
 

Cothron v. White Castle Decision

On February 17, 2023, the Illinois Supreme Court held in a 4-3 decision that BIPA’s statutory damages provision, which authorizes $1,000 in damages for each violation, and $5,000 when the violation is found to be intentional or reckless, accrue on each violation, not just the first.  This means that, under the facts of Cothron, White Castle could be on the hook for damages each time the plaintiffs’ fingertips were scanned without their consent, and each time that data was shared to a third-party vendor without their consent.

The Court’s decision was grounded in a textual interpretation of the statutory language of BIPA  and rejected White Castle’s argument that if it was liable for statutory damages on a “per-scan” basis, such damages could reach into the billions, a potentially astronomical award that White Casetle argued is inconsistent with legislative intent.  The Court noted Section 20 of BIPA provides that a prevailing party “may” recover statutory damages—and that the discretionary, rather than mandatory, provision for damages, would likely act as a safety net to prevent the financial ruin of businesses like White Castle, but called on the legislature to clarify BIPA.

The dissent disagreed, arguing that the Court should assume the legislature did not intend such an “absurd result,” which would “impos[e] punitive, crippling liability on businesses” and would also give plaintiffs an incentive to wait for as long as possible to “rack[] up” violations of BIPA before asserting claims. 
 

Potential Impacts of the Decision

BIPA claims, already increasing in popularity, are likely to emerge in full force following this decision.  Plaintiffs in class actions had seen significant damages awards even before this decision, as in Rogers v. BNSF Railway Co. (N.D. Ill., 19 Civ. 3803), in which a jury awarded a class $248 million in statutory damages after finding that the plaintiffs’ employer collected and used their fingerprints without obtaining written consent.  This case also follows other decisions that allow plaintiffs to sustain BIPA claims even if they do not prove that they sustained actual injury or damage from the violation, and a recent decision, Tims v. Black Horse Carriers, Inc., No. 127801 (Feb. 2, 2023), holding that BIPA claims are subject to a five-year statute of limitation.

Defendants are expected to use the Cothron decision to oppose class certification in putative class actions, which arise frequently in the BIPA context, by arguing that plaintiffs cannot meet the “superiority” requirement of Federal Rule of Civil Procedure 23(b)(3), given the potential for individuals to recover large damages.  Defendants may also argue that awards of high damages violate due process, if such damages are found to be disproportionate to the offenses.  On the other side, plaintiffs are expected to use the risk of enormous damage awards to leverage higher settlements.

Given this decision, entities that are covered by BIPA and use fingerprint scanners, facial recognition, or other methods of biometric data collection, should, if they have not already, implement procedures compliant with BIPA to protect against liability. 

We will continue to monitor and report on developments under BIPA.