A recent decision interpreting the Illinois Biometric Information Privacy Act (BIPA) serves as a stark warning to any business collecting personal information, and especially biometric information subject to BIPA: obtain informed consent first, or prepare for potentially crippling financial penalties. Answering a certified question from the United States Court of Appeals for the Seventh Circuit, the Supreme Court of Illinois, in Cothron v. White Castle Sys., Inc., 2023 IL 128004, concluded “that a claim accrues under the Act with every scan or transmission of biometric identifiers or biometric information without prior informed consent” in violation of section 15(b) or 15(d).
In Cothron, a group of Illinois residents, led by a former manager of White Castle (“Plaintiff”), filed a putative class action against the fast-food chain alleging it violated Section 15(b) (applicable to the collection or capture of biometric data) and Section 15(d) (applicable to the disclosure or dissemination of biometric data) of BIPA when it required its employees to scan their fingerprints to access pay stubs and computers and then transmitted each scan to a third party for verification, all without first obtaining the employees’ informed consent. White Castle argued that Plaintiff’s suit was untimely because her claim accrued once, in 2008, when the company first obtained her biometric information and transmitted it to a third party after BIPA took effect. Plaintiff responded that “a new claim accrued each time she scanned her fingerprints and White Castle sent her biometric data to its third-party authenticator.”
BIPA Actions Accrue with Every Scan or Transmission
The court, in a 4–3 decision, held that claims arising under Sections 15(b) and 15(d) of BIPA accrue each time a company either collects or discloses an individual’s biometric information without prior informed consent. Under Sections 15(b) and 15(d), respectively, companies are prohibited from collecting or disclosing a person’s or a customer’s biometric identifier or biometric information “unless it first” obtains informed consent (emphasis added). Relying on the ordinary dictionary definitions of “collect” and “disclose,” the majority determined that White Castle’s process clearly fell within the scope of the statute: White Castle obtained an employee’s initial fingerprint scan and stored it for authentication purposes. Thereafter, each time the employee needed to access company computers, for instance, a new fingerprint scan was obtained and sent to a third-party vendor to compare the two scans and verify the employee’s identity. In other words, both the enrollment scan and every subsequent verification scan and transmission counted as a collection or disclosure. In the majority’s view, White Castle failed “to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer.”
White Castle also argued that interpreting BIPA to allow repeated accruals of claims by a single individual “would constitute ‘annihilative liability’ not contemplated by the legislature and possibly be unconstitutional.” The company contended that “if [the] plaintiff is successful and allowed to bring her claims on behalf of as many as 9500 current and former White Castle employees, class-wide damages in her action may exceed $17 billion.” The court was unpersuaded, concluding that “policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature … [to] make clear its intent regarding the assessment of damages under [BIPA].”
Dissent: Majority’s Rule Will Render BIPA Compliance Burdensome
The dissenting opinion contends the majority’s interpretation is unsupported by the statute’s plain language and, in no uncertain terms, “will lead to consequences that the legislature could not have intended.” For example, the dissent observed “that the ‘precise harm’ the legislature sought to prevent [in enacting BIPA] was an individual’s loss of the right to maintain biometric privacy.” With that in mind, the dissent argues that a private entity may obtain an individual’s biometric information in violation of BIPA only once as there is only “one loss of control or privacy, and this happens when the information is first obtained.” Accordingly, in the dissent’s view, subsequent scans cannot be considered as obtaining additional biometric information because “White Castle already has it.”
Turning to the implications of the majority’s rule, the dissent highlighted two areas of concern. First, under the majority approach, plaintiffs are incentivized to delay bringing their claims as long as possible, thereby impermissibly “racking up damages.” Second, in light of the potential $17 billion damages award White Castle may face, the dissent argued the majority’s interpretation is clearly contrary to legislative intent. In sum, the dissent concluded that “[i]mposing punitive, crippling liability on businesses could not have been a goal of the Act, nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm.”
Navigating a Post-Cothron World
The Cothron decision illustrates that statutory claims for alleged privacy violations can quickly turn into “bet the company” litigation. This risk is particularly acute whenever the potentially applicable statutory regime includes a private right of action for alleged violations. To effectively mitigate this risk, companies must clearly identify the regulatory requirements that apply to any personal information—not just biometric information—collected and processed as part of operations from any individual, whether a customer, employee, independent contractor, vendor, or other individual. With this foundation, companies can develop, implement, and regularly update comprehensive and robust compliance protocols with respect to the collection, processing, storage, and destruction of the regulated personal information.
In light of the Cothron decision, and specifically with respect to biometric information, any business collecting and processing biometric data should consider implementing the following best practices:
- develop a system for providing written notice and obtaining informed consent prior to the collection of biometric information
- ensure the written notice clearly informs the individual of: (1) the entity collecting or storing biometric information; (2) the entity’s purpose for collection, use, and storage; (3) whether the biometric information will be disclosed or disseminated to other parties, and if so, the specific purpose for each such disclosure or dissemination; and (4) how long the entity will use or store the information
- maintain a program for tracking the written consents and releases authorizing the entity to collect, process, and disclose biometric information
- develop, implement, and enforce a policy for destruction of biometric information that no longer serves a legitimate business purpose.
740 ILCS 14/15(b) and (d).