​On February 17, 2023, the Illinois Supreme Court held that an entity violates the Illinois Biometric Information Privacy Act (“BIPA”) each and every time it fails to fully comply with BIPA’s strenuous collection and dissemination requirements. The Court’s holding, derived from the case of Cothron v. White Castle Systems, Inc., deals a severe blow to any entity that has utilized biometric technology without full BIPA compliance. While the issue had previously been subject to vigorous debate, the answer is now clear that a single individual (or a group of individuals in a class action) may bring a cause of action and seek significant statutory damages for each time he submitted a biometric identifier or had that identifier disseminated through non-compliant means. 

​What You Need to Know:

• The scope and applicability of the Illinois Biometric Information Privacy Act (“BIPA”) have been hotly contested in state and federal courts across the country, particularly with respect to when and how many times a BIPA violation can accrue.
• BIPA provides for a private right of action against an entity that fails to fully comply with BIPA’s regulations concerning the collection and transmission of an individual’s biometric identifier(s), but does not specify whether collection and/or transmission can occur on multiple occasions.
• BIPA also provides for severe penalties for those who fail to comply, prescribing $1,000 per negligent violation (and $5,000 per intentional violation), creating the potential for astronomical damages awards against businesses that utilize biometric technology.

The Illinois Biometric Information Privacy Act (“BIPA”) is a comprehensive Illinois statute governing the collection, storage, use, and destruction of biometric identifiers and biometric information, which include fingerprints, retina scans, voiceprints, and other unique biological markers used to identify a particular individual. BIPA was enacted by the Illinois legislature in 2008 in order to address and regulate the growing use of biometric identifiers for purposes such as employment timekeeping, identity verification and security, among other purposes. Two sections of BIPA have been subject to particular controversy and debate since BIPA was enacted. Those are sections 15(b) and 15(d).

Section 15(b) governs the collection of biometric identifiers, and states:

No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:

(1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;

(2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and

(3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.

740 ILCS 14/15(b). Section 15(d), on the other hand, governs the disclosure or further dissemination of an individual’s biometric identifiers upon collection, stating:

No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless:

(1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure;

(2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative;

(3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; or

(4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

740 ILCS 14/15(d).

There has been considerable debate since BIPA was enacted as to how many times a section 15(b) or section 15(d) violation can occur; specifically, whether a violation of sections 15(b) and 15(d) can occur only once upon the first improper collection or dissemination of a particular individual’s biometric information, or whether such a violation occurs each and every time that the individual’s biometric information is improperly collected or disseminated. On February 17, 2023, the Illinois Supreme Court settled this issue in the case of Cothron v. White Castle System, Inc., finding that a section 15(b) or 15(d) violation occurs each and every time that a biometric identifier is improperly collected or disseminated.

In Cothron, plaintiff brought a putative class action lawsuit against her employer, White Castle Systems (operator of the fast food chain, White Castle) alleging that White Castle introduced a system in approximately 2004 that required its employees to scan their fingerprint in order to access their pay stubs and White Castle computers, without first obtaining their written consent. Under the system, a third-party vendor would verify each scan and authorize the employee’s access. Plaintiff asserted that it was not until 2018, over a decade after the system was implemented, that White Castle sought to obtain her written consent to scan her fingerprint. Plaintiff therefore claimed White Castle violated sections 15(b) and 15(d) of BIPA by unlawfully collecting and disclosing her biometric information to a third party.

White Castle moved for judgment on the pleadings, arguing that Plaintiff’s claim accrued in 2008 when she first scanned her fingerprint, and was therefore untimely. The U.S. District Court for the Northern District of Illinois disagreed with White Castle, finding that a new claim accrued each and every time Plaintiff scanned her fingerprint into the system, rendering her claim timely at least for those scans and transmissions that occurred within the applicable limitations period. The district court certified the issue for appeal to the U.S. Court of Appeals for the Seventh Circuit, who then certified the question for determination before the Illinois Supreme Court. The certified question to the Illinois Supreme Court was:

“Do section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?”

The Illinois Supreme Court held that section 15(b) and 15(d) claims accrue upon each and every scan or transmission.

Looking to the plain language of section 15(b), the Court held that it supports the proposition that a violation can occur more than once, as terms such as “collect” and “capture” connote actions which can take place on more than one occasion. Further, the Court found that the method in which Plaintiff’s fingerprint was collected in this case further supported the Court’s conclusion. Specifically, Plaintiff’s complaint alleges that White Castle obtains its employee’s fingerprint and stores it in a database. The employee must then scan their fingerprint in order to access their pay stub or White Castle’s computer system. Each time that the employee does this, the system compares that scan to the employee’s fingerprint scan on file, a process which necessarily requires collection and analysis of the employee’s fingerprint each and every time that employee wants to obtain access. The Court found further support for its conclusion in the fact that BIPA requires that White Castle notify the employee of the “length of term for which a biometric identifier or biometric information is being collected, stored, and used.” 740 ILCS 14/15(b)(2). According to the Court, “[t]hat the subject must be notified how long his or biometric data will be collected shows that the legislature contemplated collection as being something that would happen more than once.”

Turning to section 15(d), the Court held that like section 15(b), a violation occurs each time that a biometric identifier is improperly transmitted to a third party. Rejecting White Castle’s argument that a disclosure is something that can only occur once, the plain language of section 15(d) also prohibits redisclosure, which contemplates including not only the initial transmission of a biometric identifier, but also every re-transmission that occurs thereafter. Moreover, the Court pointed out that section 15(d) includes a catch-all provision that broadly applies to any entity that may “otherwise disseminate” an individual’s biometric information. While White Castle argued that to “disseminate” is something that can only occur once, the court rejected this restrictive interpretation and—as it did with the terms “collect” and “capture”—held that information can be disseminated more than once, such that section 15(d) applies to each and every time an individual’s biometric information is disclosed or transmitted to a third party without the requisite BIPA-mandated safeguards and disclosures in place.

While the Court decided the certified question based on BIPA’s plain language (which, necessarily, does not require consideration of any non-textual arguments), the Court addressed several of White Castle’s ancillary arguments as well. Indeed, White Castle cited several of the Court’s seminal BIPA decisions, including Rosenbach v. Six Flags Entertainment Corp., West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., and McDonald v. Symphony Bronzeville Park, LLC, arguing those cases support White Castle’s one-time violation accrual argument. According to White Castle, these cases establish that BIPA was enacted to provide recourse to an individual that loses their “right to control” (Rosenbach, 2019 IL 123186, ¶ ), the right to protect their “secrecy interest” (West Bend, 2021 IL 125978, ¶ 46), and their right to privacy (McDonald, 2022 IL 126511, ¶ 24), which are rights that can only be abridged one time. To that end, White Castle argued that once an individual submits a biometric identifier through BIPA-violative means or has it improperly transmitted to a third party, their right to control that identifier and their right to privacy or secrecy are violated no matter how many other times their identifier is collected or transmitted.

The Court disagreed, however, finding that none of those cases actually addressed BIPA claim accrual. Looking to Rosenbach in particular, the Court noted that Rosenbach actually cuts against White Castle’s position. Specifically, the Court stated that its holding in Rosenbach was not that a BIPA injury is predicated on a loss of control, but rather—on the contrary—the injury is predicated on the statutory violation itself. Therefore, the loss of any right to control or right to privacy has no bearing on BIPA claim accrual, and it is the statutory violation (i.e., the improper collection or transmission) that controls.

Finally, the Court addressed what many believe to be the most controversial BIPA provision: the statutory penalties section. Section 20 of BIPA articulates the monetary damages which a successful BIPA plaintiff may recover, stating:

A prevailing party may recover for each violation:

(1) against a private entity that negligently violates a provision of this Act, liquidated damages of $1,000 or actual damages, whichever is greater;

(2) against a private entity that intentionally or recklessly violates a provision of this Act, liquidated damages of $5,000 or actual damages, whichever is greater;

(3) reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses; and

(4) other relief, including an injunction, as the State or federal court may deem appropriate.

Before the Illinois Supreme Court and throughout the underlying proceedings, White Castle argued that the Illinois legislature could not have intended that each and every improper collection or transmission instance give rise to a BIPA violation because to construe BIPA as such would give rise to astronomical judgments against BIPA violators. Indeed, construing BIPA as such not only compounds liability through tacking on damages for every time a given individual scans their fingerprint or has it improperly transmitted, this construction also dramatically expands the number of individuals falling within the BIPA statute of limitations period—which, per the Illinois Supreme Court’s February 2, 2023 decision in Tims v. Black Horse Carriers, is five years for BIPA section 15(b) and 15(d) claims. Providing its own mathematical example, White Castle estimated that if Plaintiff is successful in this case and each of its as many as 9,500 current and former aggrieved employees could join as class members, class-wide damages may exceed $17 billion.

The Court rejected this argument as well, however, noting that the plain language of BIPA was clear and could not be judicially modified. The Court also noted that the statutory damages provision is discretionary, in that a court is not bound to enforce the exact damage amounts spelled out in section 20 ($1,000 per negligent violation and $5,000 per intentional violation, plus attorneys’ fees for either), but rather “may” enforce those amounts but does not need to. This permissive language, according to the Court, would prevent the “astronomical” damages awards and resulting “annihilative liability” for businesses which White Castle raised in opposition to the Court’s interpretation. That did not stop the Court from requesting further guidance from the legislature, by stating “We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding assessment of damages under [BIPA].”

Notwithstanding this request for confirmation, along with a critical dissenting opinion authored by Justice Overstreet and joined by Chief Justice Theis and Justice Holder White, the majority’s opinion in Cothron represents the latest in a series of major blows to BIPA defendants in Illinois and across the county. Indeed, the Court’s holding that each and every scan or transmission carried out without full BIPA compliance creates a separate BIPA violation confers significant leverage on the BIPA plaintiffs’ bar. First, construing each and every scan or transmission as a separate violation will increase plaintiff class sizes by allowing those who may have first scanned more than five years before filing a complaint (who are therefore outside the five-year limitations period) to join the class. Specifically, while their first scan may be time-barred, subsequent scans may be considered timely and they may therefore be entitled to participate in the class. Second, given that BIPA damages are tied to each violation, the Court’s holding that a violation occurs upon each and every scan or transmission increases the number of violations per individual class member exponentially to potentially colossal proportions. These damages figures could easily bankrupt many businesses utilizing such technology in Illinois. Defendants are left with the uncertain tactic of appealing to the discretion of trial judges with the hope that those judges will take a reasoned approach in their assessment of damages.