Ever-Expanding BIPA Damages: Illinois Supreme Court Holds Each Collection or Dissemination of Biometric Data Constitutes a Separate Violation of BIPA

In an eagerly-awaited decision in Cothron v. White Castle System, Inc, the Illinois Supreme Court recently held, by a 4-3 margin, that a separate claim for damages accrues under the Illinois Biometric Information Privacy Act (“BIPA”) every time a private entity scans or transmits an individual’s biometric identifier or information in violation of BIPA. In so holding, the Court rejected the commonly asserted position that a BIPA violation occurs only upon the first scan and first transmission. This is bad news for businesses operating in Illinois that utilize biometric data, as this holding significantly expands the potential BIPA damages. Because BIPA claims are often based on repeated actions, such as using a thumbprint scanner to clock in and out of work each day, the Illinois Supreme Court’s ruling ratchets up potential damages dramatically.

In Cothron, the plaintiff contended that her employer implemented a biometric collection system that required her to scan her fingerprints to access pay stubs and computer systems, that it did so without obtaining her consent, and that each such scan was a separate violation of BIPA. The case was initially brought in the U.S. District Court for the Northern District of Illinois. The issue of whether each scan constituted a new claim was presented to the Seventh Circuit Court of Appeals on interlocutory appeal and, given that the question presented required interpretation of a state statute, the Seventh Circuit certified the question to be determined by the Illinois Supreme Court.

On February 17, 2023, the Court issued its opinion. In holding that each collection or transmission of biometric data is a separate violation of BIPA, the Court stated that the plain language of Section 15(b) of BIPA, requiring prior informed consent before capturing or using biometric identifiers or information, applies separately to each and every capture or use of biometric identifiers or information. Likewise, the Court concluded that the plain language of Section 15(d) of BIPA, requiring informed consent in order to disclose, redisclose, or disseminate a person’s biometric identifier or information, applies to every such transmission, not just an initial transmission.

The Court acknowledged the ramifications of its holding, and that the statutory damages a party may recover could result in astronomic damages awards, but it gave these concerns short shrift. The dissent noted that the majority’s decision would improperly incentivize plaintiffs to delay bringing their claims for as long as possible in order to keep racking up damages, and that the potential imposition of crippling liability on a business is a proper consequence to consider when determining legislative intent. The dissent further noted that the majority’s ruling could lead to an absurd result where a business that collects a person’s biometric information once and intentionally sells it to a third party would be subject to statutory damages of $5000, whereas “an employer with no ill intent that used that same person’s fingerprint as an authentication method” could be subject to damages orders of magnitude greater.

The majority opinion holds out one thin reed for entities that face expensive BIPA claims: damages under BIPA are discretionary rather than mandatory, and BIPA contains no language “suggesting legislative intents to authorize a damages award that would result in the financial destruction of a business.” Moreover, the Court explained that a trial court presiding over a class action (as many BIPA cases are) has the discretion to structure damages that would fairly compensate class members but not destroy the defendant’s business. The majority opinion concludes with a statement that the policy concerns of potentially excessive damages awards are best addressed by the legislature.

In light of the Court’s opinion, along with its opinion earlier this month in Tims v. Black Horse Carriers, Inc. – holding that a five-year statute of limitations applies to all claims under BIPA – we expect to see a flurry of activity as the plaintiffs’ bar capitalizes on the new legal landscape created by these two opinions. To prepare for this new landscape, businesses should engage in the following steps:

• review the information gathered from employees, customers, or other members of the public to determine whether it constitutes biometric data as defined by BIPA (under BIPA, biometric identifiers include, e.g., retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry);
• for entities that do gather such biometric data, review processes to ensure compliance with BIPA’s requirements regarding collection, retention, disclosure, and destruction of biometric identifiers and information; and
• to the extent there is potential noncompliance, take actions to strengthen BIPA compliance to minimize legal exposure.

Katten’s Biometric Litigation Team can help you with each of these steps, other questions about BIPA, or biometric data protection issues in other jurisdictions. Entities that engage in practices that might constitute the collection or transmission of biometric information should review their policies and practices, even if they are not yet the target of BIPA claims.