February brought big changes to the Illinois Biometric Information Privacy Act (“BIPA”) litigation landscape. On the heels of a catastrophic 228 million dollar jury verdict against BNSF, the Illinois Supreme Court issued an opinion in Cothron v. White Castle Systems, Inc. that could increase exponentially the damages calculations in similar BIPA cases. And to make matters murkier, just one week before the White Castle decision, an Illinois federal district court issued an opinion in favor of a BIPA defendant, interpreting the law’s health care exemption extremely broadly.

This post recaps the key requirements of BIPA, summarizes the latest cases interpreting the calculation of damages and the scope of the law’s exemptions, and describes the practical implications for companies that collect biometric information and are subject to jurisdiction in Illinois.

The BIPA Basics

BIPA imposes the following key requirements on companies that are in possession of “biometric information”:

• Privacy Policy. Develop and publish a written policy describing the company’s practices related to the storage of biometric information, including establishing a retention schedule and setting guidelines for the permanent destruction of such information.
• Notice. Before collecting biometric information, companies must notify individuals that their biometric information is being collected or stored, and notify them of the specific purpose and length of time for which the information is collected, stored, and used.
• Consent. Companies must “obtain a written release executed by the subject” of the biometric information.
• Prohibition on Disclosure. BIPA prohibits companies from disclosing, redisclosing, or otherwise disseminating a person’s biometric information unless the data subject consents to the disclosure or redisclosure or another exception applies.
• Security. Companies must store, transmit, and protect from disclosure biometric information using “the reasonable standard of care within the company’s industry” and in the same manner as the company protects other confidential and sensitive information.

Critically, BIPA affords individuals a private right of action with statutory damages of $1,000 for negligent violations and $5,000 for reckless or intentional violations, which apply to “each violation” of the statute. That aspect of BIPA has led to numerous class actions and high dollar settlements.

Bad News for BIPA Defendants: Illinois Supreme Court Holds BIPA Violations Accrue with Each Unlawful Collection or Disclosure

The case against White Castle arose from its use of a system that required Illinois employees to periodically scan their fingerprints (which constitute biometric information under BIPA) to access pay stubs and computers.

The plaintiff in the case, who had worked for the company since 2004, alleged that White Castle did not provide notice or seek her consent to collect or disclose her biometric information until 2018—ten years after BIPA took effect. She also alleged that the company violated BIPA by sharing her biometric information without her consent with a third-party vendor responsible for administering the fingerprint scanning software. She alleged that a new BIPA violation occurred each time she scanned her fingerprints without notice and consent and each time White Castle sent that fingerprint information to its vendor for authentication. White Castle, in turn, argued that BIPA claims should only accrue at the time of the first alleged BIPA violation, because that is the point at which the injury—the invasion of privacy—occurs.

The Illinois Supreme Court sided with the plaintiff, concluding that “a claim accrues under [BIPA] with every scan or transmission of biometric . . . information without prior informed consent.” As a result, every separate scan or transmittal of biometric information in violation of the statute could give rise to statutory damages of $1,000, or $5,000 if the violation was intentional or reckless.

As such, if an employee does not receive notice or grant consent to collection of their biometric information, or if the notice and consent process is legally deficient, the employer could face multiple BIPA violations per employee per day. We’re not big on math, but even assuming a company’s BIPA violation is merely negligent, $1,000 per employee per working day per scan is . . . a lot.

But stay tuned. The Illinois Supreme Court acknowledged that its decision could result in “policy-based concerns about potentially excessive damage awards under [BIPA],” and invited the Illinois legislature to “review these policy concerns and make clear its intent regarding the assessment of damages under [BIPA].”

Good News for “Health Care” Companies: Illinois Federal Court Broadly Interprets BIPA’s Health Care Exemption

It wasn’t all bad news for companies that collect biometric information—particularly for companies that operate in the health care space. A week before the White Castle opinion was released, a federal district court in the Northern District of Illinois issued an opinion in Warmack-Stillwell v. Christian Dior, Inc., that dismissed the plaintiff’s BIPA complaint and broadly interpreted the statute’s “health care” exemption.

BIPA exempts certain types of information from the definition of “biometric information,” including “information captured from a patient in a health care setting” and “information collected, used, or stored for health care treatment, payment, or operations under [HIPAA].” In Dior, the plaintiff used the “virtual try on” feature on fashion designer Christian Dior’s website to “try on” sunglasses before purchasing them. That feature used the plaintiff’s webcam to show her how Dior’s sunglasses would look on her face, and collected a facial geometry scan as part of that process.

The plaintiff alleged that Dior’s virtual try on feature violated BIPA, but Dior successfully argued that plaintiff’s information was collected in the context of her status as a “patient in a health care setting.” Notably, although acknowledging that the plaintiff and Dior likely did not enter into “a provider/patient relationship,” the court looked to the dictionary definition of “health care” and found that the purchase of sunglasses fell within that definition because it was in furtherance of “efforts made to maintain or restore physical, mental, or emotional well-being[.]”

That broad interpretation of BIPA’s health care exemption, and the Dior court’s conclusion that a patient/provider relationship is not required to trigger it, provides a potentially potent defense for companies in health care or health care-adjacent industries that find themselves subject to BIPA lawsuits.

Practical Implications for Companies Collecting Biometric Data in Illinois

Companies collecting biometric information in Illinois should carefully assess their compliance with BIPA to mitigate the risk of potentially ruinous damages in the event of a lawsuit.

As an initial matter, it’s worth considering avoiding the collection of biometric information in Illinois altogether. Since it is still unclear whether the Illinois legislature will accept the Supreme Court’s invitation to revisit the damages-related provisions of the statute, the risk of exorbitant damages remains high in the event of a violation.

If, however, you decide that the collection of biometric information in Illinois is necessary to achieve your business objectives, consider the steps below to improve your BIPA compliance posture:

• Check and recheck your notice and consent practices. The best offense against statutory damages is a good defense. Carefully evaluate your biometric information collection practices and ensure that your public-facing privacy notice, as well as other notices you provide to the individual in relation to your collection of their biometric information, accurately and comprehensively describe your biometric information collection and retention practices. In addition, review your consent forms to ensure they meet BIPA’s requirements. Remember that the individual release must be in writing and “executed by the [data] subject.”
• Minimize the collection of biometric information as much as possible. Data minimization is always a best practice, but it is particularly important in the context of biometric information collected under BIPA. Post-White Castle, any collection of biometric information without proper notice and consent counts as a BIPA violation, so the fewer instances of collection, the better.
• Evaluate whether your business objectives can be achieved without further disclosing biometric information to third parties. Query whether you can limit or avoid onward disclosures of biometric information to third parties. The White Castle court held that a new BIPA violation occurred each time the plaintiff scanned her fingerprint without notice and consent and each time White Castle sent her fingerprint information to its vendor for authentication. By using a vendor for processing its employees’ biometric information, White Castle doubled the potential damages recoverable by the plaintiff. Minimizing the number of third parties that touch biometric information is thus a good practice to mitigate the risk of racking up BIPA violations.

*             *             *

Robust litigation under BIPA is likely to continue, if not increase following the White Castle decision.