An Illinois Supreme Court ruling on February 17, 2023 opened the door to astronomical damages under the Illinois Biometric Information Privacy Act (“BIPA”).  Enacted in 2008, BIPA provides for a private right of action against an entity that collects or discloses a person’s biometric identifier without opt-in consent.

The Case

Cothron v. White Castle System, Inc. involved a private BIPA class action against the White Castle fast-food chain by current and former employees. The lead plaintiff alleged that since 2004, White Castle employees had been required to scan their fingerprints to access pay stubs and company computers (which required transmission of the scanned print to a technology vendor), but White Castle did not begin seeking its employees’ consent until 2018.

White Castle sought dismissal on the basis of the applicable 5-year statute of limitations, arguing that the plaintiff’s claim accrued upon the first collection and disclosure of her fingerprint and was time-barred as of her suit a decade later. Plaintiff countered that separate claims accrued for each violation of BIPA, i.e., each time she scanned her fingerprint and each time that scan was accessed by the technology vendor.

The Question

The district court ruled in the plaintiff’s favor and, following an immediate appeal, the 7th Circuit certified the following question for immediate review by the Illinois Supreme Court: Do BIPA claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively?

The Decision

In a 4-3 split decision, the Illinois Supreme Court answered affirmatively. It found that separate claims under BIPA accrued for each nonconsensual collection or disclosure, including repeated collections of the same biometric identifier and repeated disclosures of that biometric identifier to the same third party.  

The Reasoning

The court reasoned that the statutory definition of “collection” encompassed scans of a biometric identifier for verification against a database, as well the initial capture of the identifier for storage in the database.

As to “disclosure,” the court found that the statute’s inclusion of the catchall – to “otherwise disseminate” – suggested that “disclosure” included any transmission of biometric information to a third party, including one that already possessed the information.

In so holding, the court was not swayed by arguments that its interpretation would allow for astronomical damages under BIPA’s ‘per-violation’ liquidated-damages clause. The court acknowledged that class-wide damages for 9,500 current and former White Castle employees could total $17 billion, but noted that these damages were discretionary and that the court was nonetheless bound to follow the plain language of the statute. The court suggested that any policy issues should be resolved by the legislature.

The Bottom Line

Two key implications follow from this ruling:

First, entities without robust opt-in consent policies for biometric data may have exposure in the billions of dollars.

Second, plaintiffs are entitled to damages for accumulated violations during a 5-year lookback period, and so may delay bringing a claim until the moment that a consent policy is implemented. Consequently, delay in adopting a consent policy will increase liability exposure (provided the entity has collected biometric data for less than 5 years).