BIPA liability may extend further following new Illinois Supreme Court decision
On February 17, 2023, the Illinois Supreme Court issued its latest opinion interpreting the Illinois Biometric Information Privacy Act (BIPA). The court held that each separate scan or disclosure of a person’s biometric identifier or information may give rise to a new and separate violation where the entity has not complied with BIPA’s notice-and-consent requirements.
The decision comes on the heels of the court’s holding that a five-year statute of limitations applies to all BIPA claims. The court further acknowledged that treating each scan as a separate violation may lead to massive statutory damages awards (at $1,000 per negligent violation or $5,000 per intentional violation) but left it for the legislature or future courts to address the potentially catastrophic consequences of such an outcome.
The decision, combined with federal and state lawmakers’ increasing focus on privacy legislation that may cover biometric data, places renewed emphasis on how businesses’ practices align with BIPA and similar expected laws.
Who and what does BIPA regulate?
Subject to certain exclusions, BIPA applies to “private entities,” which includes businesses and nonprofits. BIPA regulates the collection and use of certain “biometric identifiers” (retina and iris scans, fingerprints, voiceprints and scans of hand or face geometry), as well as information based on an individual’s biometric identifier used to identify that individual (“biometric information”).
BIPA’s obligations are triggered where a private entity collects or is in possession of individuals’ biometric data. For example, private entities must provide prior written notice to and receive prior written consent from individuals before collecting or redisclosing biometric data, must develop written policies establishing retention schedules and guidelines for destroying biometric data in the private entity’s possession, and must comply with certain security requirements for storing or transmitting biometric data. Additionally, BIPA prohibits selling, leasing, trading or otherwise profiting from an individual’s or a customer’s biometric data.
What was the decision and why is it important?
In Cothron v White Castle, the Illinois Supreme Court was asked to decide whether, for statute of limitations purposes, a private entity that scans biometric identifiers on multiple occasions (e.g., through a biometric timeclock used to clock in and out of work) can be found to have committed a single violation (only the first scan) or multiple violations (each subsequent scan). The Cothron court determined it is the latter.
In opposing such a rule, the defendant and amici organizations demonstrated it would lead to absurd results and potentially “annihilative liability for businesses” where a plaintiff can seek statutory damages for “each violation” (negligent: $1,000; intentional: $5,000). White Castle had estimated its total potential liability to an alleged class of 9,500 current and former employees exceeded $17 billion.
The Cothron majority rejected this argument, finding that the language of the statute allows “for significant damages awards” and “policy-based concerns about potentially excessive damages awards under the Act are best addressed by the legislature.” The majority also “generally agree[d]” with the Illinois Appellate Court that Illinois trial courts may have discretion to limit or deny damages but did not provide guidance as to the circumstances under which exercising such discretion would be warranted.
Together with the recent decision in Tims v Black Horse Carriers that the statute of limitations for BIPA claims is five years, the Illinois Supreme Court’s 2023 BIPA jurisprudence may see an already aggressive plaintiffs’ class action bar emboldened to file new claims or demand more to settle existing claims.
The Illinois Supreme Court’s decision is a stark reminder that businesses should ensure they are taking their compliance obligations under BIPA seriously. Private entities that collect biometric data are encouraged to review their policies and practices in light of the recent BIPA rulings. They may also consider whether liability insurance policies are available that could defray the liability for BIPA violations.
Private entities are further encouraged to consider how biometric data collection fits within their broader data governance strategy and operations.
Lastly, companies are monitoring litigation in this area, including an expected appeal of Illinois’ first jury verdict in a biometric privacy class action awarding $228 million to plaintiffs.
To find out more about the implications of BIPA for your organization, please contact the authors or your DLA Piper relationship attorney.