The Illinois Biometric Information Privacy Act (BIPA) has proven to be a significant burden on Illinois employers, and a recent Illinois federal court decision may have made the legal landscape even more difficult. In Cothron v. White Castle System, Inc., the court addressed when a “violation” takes place under BIPA — a question which had not been squarely addressed by the statute or other case law. How does the court’s interpretation affect Illinois employers?
What Does BIPA Require?
Before discussing the implications of the case, it is important to consider what BIPA requires. The statute mandates that private entities — including employers — that collect or maintain employees’ fingerprints, retinal or iris scans, voiceprints, hand scans, or face geometry must first receive written consent from the employee before such collection. It also requires covered businesses to develop a publicly available policy that establishes the retention schedule for the applicable biometric information, among other things. The statute also contains various data retention requirements concerning individuals’ biometric data.
BIPA states that an individual is entitled to $1,000 per negligent “violation” and $5,000 per willful “violation,” or actual damages, whichever is greater. The law also provides for attorneys’ fees, costs, and any other relief that a court may deem appropriate. It is notable, however, that BIPA does not define when such a “violation” accrues. The lack of clear statutory guidance has left an open question whether a violation occurs, for example, (1) with the initial collection of an employee’s biometric information or (2) with each scan of an employee’s biometric information. The Illinois federal court finally answered that question.
Illinois Federal Court Allows BIPA Claim To Proceed
In the recent case, White Castle used a fingerprint-based computer system that required employees to scan and register their fingerprint in order to obtain access to a computer system. Specifically, Latrina Cothron was asked to scan her finger each time she needed to access the system in her capacity as a manager and access her paystubs as an employee. But she did not, as required by BIPA, sign a written release allowing White Castle to scan and collect her biometric information. After several years of scanning Ms. Cothron’s fingerprints in order for her to access the computer system, White Castle implemented a written release for the collection of biometric information, which Ms. Cothron signed.
After signing the written release, she filed a class action complaint that ended up before a federal court in Illinois. In response to the complaint, White Castle sought to dismiss the case based upon a statute of limitations defense, arguing that Ms. Cothron waited too long after allegedly having her rights violated before filing suit.
In evaluating the request to dismiss, the court did not decide the appropriate limitations period (which is itself a contested issue), because it concluded that a violation had taken place even within the shortest of the limitations periods argued by White Castle. In arriving at this conclusion, the court decided that each individual scan – and not just the initial collection – of an employee’s fingerprint in the absence of a written release constituted an independent violation of BIPA.
The court further rejected White Castle’s argument that such a conclusion would lead to absurd results in the form of potentially astronomical damages if a penalty accrued for each daily scan by every member of a large class. In the court’s view, BIPA was not ambiguous and the absurdity of the results therefore did not factor into the court’s analysis, as that was a question best left to the Illinois legislature.
What Are The Implications Of This Decision?
The implications of this decision are potentially very significant for Illinois employers. In a claim brought by a single employee, legal exposure could increase from as little as $1,000 to at least $1,000 per day of an individual’s employment—likely more assuming the employee is clocking in and out at the beginning and end of the day using their fingerprints, and once again clocking in and out for each meal period provided by an employer. Moreover, if an employer is facing a class action instead of an individual claim, this court’s interpretation of what constitutes a “violation” could exponentially increase these penalties, all of which are in addition to attorneys’ fees and costs. As this case makes clear, compliance with BIPA is more important than ever.
This decision was handed down by a federal court interpreting Illinois law. For this reason, we are left with the possibility that the Illinois Supreme Court or state appellate courts could interpret BIPA differently, though they have yet to do so in this particular respect. At this writing, the question of whether to certify the issue to the 7th Circuit Court of Appeals is before the federal court. Accordingly, while the decision is decidedly unfavorable to Illinois employers, subsequent decisions by Illinois appellate courts (including the Illinois Supreme Court) could interpret when a “violation” occurs quite differently. Time will tell.
What Should Employers Do?
Now more than ever, you should be proactive in complying with BIPA’s requirements. Implementing the necessary policies, procedures, and authorizations before you collect any biometric information is essential to complying with the statute and defending cases pursuant to BIPA. This decision reinforces the need to reevaluate the biometric methodologies currently in place and coordinate with counsel to update them as necessary. As the decision has demonstrated, the implications of not doing so can be of existential importance for any business.