In a recent 4-3 decision, the Illinois Supreme Court held that claims under sections 15(b) and 15(d) of Illinois’ Biometric Information Privacy Act (BIPA) accrue each time a private entity collects a biometric identifier (such as a fingerprint, voiceprint, or retinal scan) from a person and each time a private entity transmits such a biometric identifier to a third party. In Cothron v. White Castle System, Inc., 2023 IL 128004, the Court answered a certified question from the Seventh Circuit Court of Appeals, concluding that “the plain language of section 15(b) and 15(d) shows that a claim accrues under [BIPA] with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” In practical terms, the decision significantly impacts employers and others who routinely collect biometric identifiers, as now each collection or disclosure of a biometric identifier without informed consent—as opposed to just the first such collection or disclosure—could result in statutory fines of $1,000 to $5,000, as well as having to pay the opposing side’s attorney fees and costs.

BIPA Background

The Illinois General Assembly unanimously adopted BIPA in 2008 in response to growing concern among the public about the collection and use of biometrics. 740 Ill. Comp. Stat. 14/5(d)-(e). Biometrics are “biologically unique” personal identifiers. Id. at § 14/5(c). They include “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Id. at § 14/10. To address the public’s concern, the Act regulates how private entities may collect and handle biometric data and provides a private cause of action for any person “aggrieved by” a violation of the statute. Id. at § 14/20. A successful plaintiff can recover the greater of actual damages or statutory damages of $1,000 for each negligent violation and $5,000 for each reckless or willful violation. Id.

The Cothron Opinion

The Cothron case came to the Illinois Supreme Court on a certified question from the Seventh Circuit: “Do section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?” Plaintiff, a longtime White Castle employee, alleged that not long after her employment began, White Castle introduced a system that “required employees to scan their fingerprints to access their pay stubs and computers.” Cothron, 2023 IL 128004, ¶ 4. A third-party vendor then verified each scan and authorized the employee’s access. Plaintiff alleged that White Castle violated BIPA by implementing the fingerprint scanning system without obtaining her consent.

White Castle moved for judgment on the pleadings, arguing that plaintiff’s action was time-barred because her claim accrued in 2008, which is when White Castle first scanned her fingerprint after BIPA went into effect. Plaintiff argued that a new claim accrued each time she scanned her fingerprints and White Castle sent the data to its third-party authenticator, thereby rendering her action timely with respect to any unlawful scans and transmissions that occurred within the applicable limitations period. The District Court for the Northern District of Illinois agreed with plaintiff and denied White Castle’s motion. The District Court then certified its order for immediate interlocutory appeal to the Seventh Circuit. The Seventh Circuit found the parties’ competing interpretations of BIPA claim accrual reasonable, and so certified this important question of state law to the Illinois Supreme Court.

In the Supreme Court, White Castle again argued that under the plain language of sections 15(b) and 15(d), claims can accrue only once—when the biometric data is initially collected or disclosed. White Castle also argued that because BIPA seeks to protect “a right to secrecy in and control over biometric data” and because one can only lose that secrecy and control once, only the initial collection or disclosure of biometric data is actionable. Id. at ¶¶ 33-34. The Supreme Court majority rejected these arguments, concluding that the “injury” for a section 15 claim is not based on an initial loss of secrecy of or control over biometric data; the “injury” is the statutory violation itself. Id. at ¶ 38. Accordingly, each statutory violation supports a separate claim. While observing the potential for large damages awards, the Court determined that was an issue best left to the legislature.

The dissenting opinion strongly disagreed. Among other things, the dissenters believe that the statute is best interpreted to say that the injury occurs upon the first scan and later ones do not add to it. The dissent also discussed the possible absurd results of annihilative liability from the majority’s view, remarking that such consequences could not square with legislative intent. Id. at ¶¶ 61-63.

Now that the Illinois Supreme Court has answered the certified question, the case goes back to the Seventh Circuit for further proceedings.
Key Takeaways

• In a 4-3 decision, the Illinois Supreme Court ruled that a claim under Illinois’ Biometric Information Privacy Act (BIPA) may accrue each time a private entity collects or discloses biometric identifiers (such as fingerprints and retina scans) without informed consent, as opposed to accruing only with the first collection or disclosure.

• Because a claim may accrue with each collection or disclosure of biometric identifiers, motions to dismiss on statute of limitations grounds may be more limited.

• As the majority and dissenting opinions reflect, damages of $1,000 or $5,000 may now be assessed for each BIPA violation, not just the first instance of collecting or disclosing a biometric identifier without informed consent. For example, if an employer requires an employee to scan his or her fingerprint every time they need to access the employer’s computer systems and the employee has not given informed consent, each such scan could result in damages of either $1,000 or $5,000. In other words, damages awards may add up quickly and create severe consequences.

• Businesses that collect biometric identifiers or information from their employees or customers should seek legal advice regarding their compliance with all aspects of BIPA.