(March 13, 2023) – Laura Foggan, Jason Stiehl, Laura Schwartz and Alexis Ward of Crowell & Moring discuss liability risks in light of recent Illinois Supreme Court decisions interpreting the state’s biometric privacy law.
On February 17, 2023, the Illinois Supreme Court ruled 4-3 that violations of the Biometric Information Privacy Act (“BIPA”) (the country’s first biometric privacy legislation) accrue for each incident of capture or dissemination of biometric information, and not only once for each data subject.
Cothron v. White Castle Systems found, based on the plain language of the statute, that violations for collecting or disclosing biometric information occur at every scan or transaction.1 The court reached this conclusion while admitting the “absurd” implications, including that the ruling could result in damages of $17 billion.2
Cothron follows the recent decision in Tims v. Black Horse Carriers Inc., which applied a uniform 5-year statute of limitations for all claims under BIPA.3
Taken together, Cothron and Tims create a minefield of liability for organizations collecting biometric information and may significantly increase the number of plaintiffs, claims, and possible damages under BIPA.
Background
Latrina Cothron filed a proposed class action against White Castle System, Inc. (“White Castle”), her former employer, which required employee fingerprint scans to access computer systems and pay stubs. The scans were sent to a third-party vendor to verify and authorize access.
The White Castle policy, instituted in 2004, preceded the 2008 enactment of BIPA, but White Castle did not seek consent after BIPA’s enactment until 2018. Cothron alleged that White Castle violated BIPA sections 15(b) and 15(d) by collecting and distributing her fingerprint identifier without prior consent.
White Castle moved for judgment on the pleadings, arguing that Cothron’s action was time barred because it accrued in 2008, when it first obtained her biometric data after BIPA took effect.
Cothron responded that a new claim accrued each time White Castle sent her biometric data to its third-party authenticator, and argued her action was timely as to the unlawful scans and transmissions that occurred within the statutory period.
To resolve the issue, the Court considered whether section 15(b) and 15(d) claims accrue each time an entity “scans a person’s biometric identifier and each time an entity discloses a scan to a third party, or only once, upon the first scan and transmission.”4
The relevant BIPA section, 15(b), states that a private entity may not “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first” obtains consent from the data subject.5
Section 15(d) states that a private entity in possession of a biometric identifier may not “disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless” there is consent or the disclosure is required by law.6
When 15(b) and 15(d) claims accrue has important implications for both the limitations period and the calculation of damages, because statutory damages under BIPA accrue per violation. A company that negligently violates a provision of BIPA is liable for damages of $1,000 per violation, while a company that intentionally or recklessly violates a provision is liable for damages of $5,000 per violation.7
Illinois Supreme Court decision
The Illinois Supreme Court held that “the plain language of section 15(b) and 15(d) demonstrates that such violations occur with every scan or transmission.”8
For BIPA section 15(b), the court examined the plain text meaning of “collect” and “capture.”9 The court found that information can be captured or collected more than once, explaining that each time the employee used their fingerprint to access pay stubs or computer systems, the system collected the fingerprint anew.10 Therefore, each new capture constitutes a separate claim under BIPA.
For BIPA section 15(d), the court analyzed the plain meaning of “disclose” and “redisclose.”11 It held that “redisclose” included repeated transmission to the same third party.12
The court further pointed to the statutory catch-all language in BIPA providing that a violation occurs when entities “otherwise disseminate” the biometric information. Thus, each disclosure represents a new violation.13
The majority in Cothron recognized the decision’s impact, stating “this court has repeatedly recognized the potential for significant damages awards under the Act.”14 The court defended the decision as consistent with legislative intent, explaining that a “substantial potential liability” would give private entities “the strongest possible incentive to conform” to the statute.15
The court acknowledged that “if plaintiff is successful and allowed to bring her claims on behalf of as many as 9500 current and former White Castle employees, class-wide damages in her action may exceed $17 billion.”16
Key takeaways
Far reaching consequences
Biometric information comes in many forms, and any time it is collected from Illinois residents, it must be handled consistently with the broad proscriptions of BIPA. Critically, fingerprinting is not the only biometric information that falls under BIPA — its reach is broad.
BIPA claims have involved facial recognition features used to “tag” users in photos, collecting customers’ voices in drive-throughs, remote proctoring tools for online schooling, customer hotlines, vending machines, donation centers, and even virtual glasses try-on software.17
Potential increase in damages and settlement amounts
Liability will now depend on the number of subjects from which an organization collects data, as well as how that collection occurs. An amusement park scanning fingerprints on entry may only accrue a handful of claims per data subject, whereas an employer scanning fingerprints for each employee several times per shift, as in Cothron, may accrue hundreds of claims per subject.18 Companies that passively collect biometric information could see an astronomical number of claims.
This increased liability risk under BIPA reinforces that companies must understand how they collect, store, use, and ultimately delete biometric information, to ensure that each step complies with BIPA.
Reduce liability through transparency — CONSENT IS KEY!
Organizations may be able to significantly mitigate risk through thoughtful and transparent implementation of biometric data collection. Most recent biometric litigation has centered on notice and consent.
Organizations wishing to reduce liability and increase transparency can (1) obtain consent from employees before collecting biometric information and (2) maintain and publish a robust privacy policy outlining the use and retention of employee biometric information.
Businesses may significantly reduce their risk of BIPA exposure by establishing a culture of transparency throughout the organization.
For further information, please contact:
Laura Foggan, Partner, Crowell
lfoggan@crowell.com
Notes
1 Cothron v. White Castle Sys., 2023 IL 128004.
2 Id. at ¶ 40.
3 Tims et al. v. Black Horse Carriers Inc., case number 127801.
4 Cothron at ¶ 1.
6 Id.
8 Cothron at ¶ 30.
9 Id. at ¶ 23.
10 Id.
11 Id. at ¶ 27.
12 Id.
13 Id.
14 Id. at ¶ 41.
15 Id.
16 Id. at ¶ 40.
17 In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016), Carpenter v. McDonald’s Corp., 580 F. Supp. 3d 512 (N.D. Ill. 2022), Doe v. Nw. Univ., No. 21 C 1579 (N.D. Ill. 2022), Dorian v. Amazon Web Servs., Inc., No. 2:22-CV-00269 (W.D. Wash. 2022).
18 See Rosenbach v. Six Flags Entm’t Corp., 129 N.E. 3d 1197 (2019).