Each Scan an Accrual: Long-awaited Illinois Supreme Court Decision Renders Risk of BIPA Claims Catastrophic
On Feb. 17, in a close 4-3 decision, the Illinois Supreme Court in Cothron v. White Castle System, Inc., 2023 IL 128004, ruled that a claim under the Illinois Biometric Information Privacy Act (“BIPA”) accrues with every scan or transmission of biometric identifiers or biometric information without prior informed consent. The decision acknowledged White Castle’s own estimate that the Court’s accrual interpretation could render it liable for up to $17 billion in damages, but said the result was necessitated by a strict interpretation of the statute.
The issue came to the Illinois Supreme Court from the United States Court of Appeals from the Seventh Circuit after it certified the question to be answered: do section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?
White Castle had been collecting biometric data (i.e., fingerprints) in connection with its employee timekeeping system. In the litigation, Plaintiff claimed that White Castle did not seek her consent to acquire her fingerprint data until 2018 and therefore unlawfully collected the data and transmitted it to a third-party vendor in violation of BIPA. White Castle moved for judgment on the pleadings arguing that the claims accrued in 2008 when White Castle first obtained her biometric data. In response, Plaintiff argued that the claim accrued every time White Castle scanned her fingerprints and sent her data to the third party. The district court agreed with Plaintiff, denied the motion, but certified the question for interlocutory appeal to the 7th Circuit. The 7th Circuit accepted the appeal and then certified the question to the Illinois Supreme Court because it raised a novel issue under Illinois law.
After analyzing the various arguments made by the parties, the Illinois Supreme Court determined that the claim accrued each time the biometric information was scanned or sent to the third party.
White Castle and other amici supporting White Castle’s position also argued that the Court’s finding would lead to astronomical damages because such a holding could mean that each time the claim “accrues,” White Castle could be subject to a separate $1,000 or $5,000 damage award resulting in up to $17 billion in damages. The Court found that because the statute was clear, it should be followed even though “the consequences may be harsh, unjust, absurd or unwise.” The Court also stated that because the damages are discretionary rather than mandatory, a trial court can fashion a damage award that compensates class members without destroying the defendant’s business. Additionally, the Court held that any concerns over astronomical damage awards are best addressed by the legislature.
The dissent strongly disagreed with the majority’s holding and would have answered the certified question in White Castle’s favor. First, the dissent argued that the majority’s interpretation would incentivize a plaintiff to wait and sue as late as possible so that violations could continue to accrue, and it could keep racking up damages. It also observed that the majority’s holding could lead to annihilative liability to businesses operating in the state.
While the Court did not address whether each accrual would lead to a separate damage award, based upon this decision businesses should attempt to resolve BIPA claims early on in the litigation process and work to create BIPA-compliant disclosure and consent policies prior to rolling out the use of biometric devices, or as soon as possible thereafter. The risk of not addressing biometric practices in Illinois now includes catastrophic damage awards under BIPA.
BIPA is just one of several biometric statutes in the United States, and other state privacy laws now regulate biometric data as sensitive personal information. For businesses that collect biometric data – whether for timekeeping and access control purposes, or as part of their business model – the time is now to proactively address biometric compliance.
WEBINAR: The Race to 2024: Politics and Social Media in the Workplace and Employer Rights.
Over the last several years, employers have seen and continue to see increased political activities from their employees at work and on social media platforms, including on business-related social media platforms, like LinkedIn. Managing employee expression causes unique challenges for employers and HR professionals, and in a General Election year, these challenges are likely to increase as the Presidential race, and other races, heat up.
Webinar: A Cookieless Future and Promise of PETs: A Primer on Privacy Enhancing Technologies
This webinar will explore PETs – we will define what they are, what problems PETs exist to address, and emerging PET standards including the National Institute of Standards and Technology (NIST) draft guidance on how to evaluate PET effectiveness. We will provide specific PET use cases and discuss how PETs may be utilized to address the phase out of third party cookies by certain browsers for purposes of targeted advertising.
WEBINAR: Cybersecurity Resilience in Law Firms
This webinar focuses on law firms seeking useful information about robust cybersecurity strategies to protect their clients, maintain ethical and legal compliance, and fortify their digital infrastructure.