19 May 20233 minute read

Illinois Supreme Court construes BIPA damages

Recently, the Illinois Supreme Court addressed the question of whether claims under sections 15(b) and 15(d) of the Illinois Biometric Information Privacy Act (BIPA) accrue each time a private entity scans a persons' biometric identifier and each time that entity transmits the scan to a third party. The case of Cothron v. White Castle System, Inc. (2023 IL 128004, February 17, 2023) was decided 4-3 on certification from the US Court of Appeals for the Seventh Circuit, and held that a separate claim for damages accrues each time an entity collects or transmits an individual's biometric data without BIPA-compliant consent.

Cothron was required to scan her fingerprints to access her paystubs and computers while employed with White Castle over a period of several years. White Castle used a third-party vendor to verify each scan and authorized the employee's access. Cothron alleged that White Castle had failed to obtain her consent before collecting and transmitting this biometric data as required by BIPA.

The court focused on the statutory language of section 15(b) of the BIPA, which does not allow an entity to "collect [or] capture" a person's biometric identifier "unless it first" obtains informed consent. Section 15(d) uses similar language which does not allow an entity to "disclosure, redisclose or otherwise disseminate" biometric data "unless" it obtains informed consent. Interpreting this language, the court found that collection or capture of biometric data, and disclosure of that data to the third-party vendor, occurred each time Cothron scanned her fingerprint to access her White Castle computer or pay stub – which was a violation of BIPA as White Castle had not "first" obtained Cothron's informed consent as that law requires.

As a result of this decision, companies that regularly use biometric systems that either store or utilize biometric data are now facing the risk of "significant damages awards" and "substantial potential liability." However, the court noted that such damages are discretionary, rather than mandatory: section 20 of the BIPA provides that "a prevailing party may recover" $1,000 in statutory damages "for each violation," and $5,000 when the violation is found to be intentional or reckless. BIPA claims are also subject to a 5-year statute of limitations, which was confirmed by the Illinois Supreme Court in Tims v. Black Horse Carriers, (2023 IL 127801, February 2, 2023). Due to these recent holdings, businesses that regularly operate, collect or use biometric systems in any way (eg, fingerprint scanners, facial recognition, retinal detection, among others) should confirm that they have obtained all users' consent after provision of a BIPA-compliant disclosure before collecting or transmitting any biometric information.

For more information, please contact the authors.