Illinois employers who use employees’ fingerprints, face scans, or other biometric identifiers to enable workers to access timekeeping, payroll, IT, or other systems have long been on notice that the Illinois Biometric Information Privacy Act (BIPA) imposes an obligation to obtain an employee’s informed consent before collecting, storing, and using such information.
A recent decision from the Illinois Supreme Court, which may lead to catastrophic damage awards, means that those who fail to address BIPA compliance may find their castle in ruins.
Queen of the Castle
Starting in 2004, Latrina Cothron worked as a manager of a White Castle restaurant in Illinois. Shortly after she began her employment, White Castle introduced a system that required employees to scan their fingerprints to access their pay stubs and computers. A third-party vendor, Cross Match Technologies, then verified each scan and authorized the employee’s access.
In late 2018, Cothron sued White Castle on behalf of Illinois employees of the fast-food restaurant chain, alleging that the company had violated BIPA because it failed to seek employees’ consent to acquire, store, and use their fingerprints.
After some procedural skirmishes that are not pertinent here, the case made its way to federal court in Chicago, where White Castle argued that Cothron’s suit was untimely. The company claimed that Cothron waited too long to file the suit after White Castle first obtained her biometric data after BIPA’s effective date in 2008.
Original Slider
The federal district court denied White Castle’s dismissal request. It agreed with Cothron that a new claim accrued each time she scanned her fingerprints and White Castle sent her biometric data to its third-party authenticator, rendering her suit timely (at least with respect to the allegedly unlawful scans and transmissions that occurred within the applicable five-year statute of limitations).
White Castle was permitted to take an immediate appeal to the U.S. Seventh Circuit Court of Appeals (whose rulings apply to Illinois, Indiana, and Wisconsin employers). The Seventh Circuit, in turn, found the parties’ competing interpretations of claim accrual reasonable under Illinois law, and agreed that “the novelty and uncertainty of the claim-accrual question” warranted certification of the question to the Illinois Supreme Court, since the issue is one interpreting Illinois state (rather than federal) law.
May I Take Your Order
Specifically, the Seventh Circuit certified the following question to the Illinois Supreme Court: “Do [BIPA] section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?”
In a 4-3 decision on February 17, 2023, the Illinois Supreme Court ruled that a separate claim accrues under BIPA each time an employer or other private entity scans or transmits an individual’s biometric identifier in violation of section 15(b) or 15(d) of the Act. The court reached this conclusion after an extensive analysis of the statutory language.
Section 15(b) of BIPA provides in part that no private entity may collect, capture, or otherwise obtain a person’s biometric identifier or biometric information “unless it first” 1) informs the person that biometric information is being collected or stored; 2) informs the person of the purpose and length of time for which the information is being collected, stored, and used; and 3) receives a written release. Further, section 15(d) states that no private entity “may disclose, redisclose, or otherwise disseminate” without the individual’s consent.
One of a Kind
White Castle argued that claims under these sections can accrue only once—when the biometric data is initially collected or disclosed. It claimed that the phrase in section 15(b) that says, “unless it first,” refers to a singular point in time, indicating that notice and consent must occur before collection.
Similarly, for section 15(d), White Castle argued that the verbs disclose, redisclose, or disseminate refer to disclosure of biometrics by one party to a new, third party—one that has not previously possessed the information.
This happens, said the company, only on the first instance of disclosure or dissemination. According to White Castle, the invasion and injury to an individual are one and the same and occur only upon the initial loss of control over her biometrics.
Sacked
Cothron responded that the plain meaning of the statutory language indicates that claims under both sections accrue every time a private entity collects or disseminates biometric information without prior informed consent.
In particular, Cothron argued that the word “first” in section 15(b) modifies the words “informs” and “receives.” Similarly, section 15(d) prohibits the disclosure or redisclosure “unless” it receives prior consent. Therefore, an entity violates these sections every time it collects, captures, otherwise obtains, discloses, or rediscloses a person’s biometrics without prior informed consent.
The Illinois Supreme Court majority agreed with Cothron that the plain language of BIPA means that a new claim accrues each time an entity collects, captures, discloses, or otherwise disseminates an individual’s biometric information without their informed consent.
The court disagreed with White Castle that these things can happen only once. It ruled that section 15(b) is violated fully and immediately when an entity collects biometric information without the necessary disclosure and consent. And section 15(d) is violated each time an entity discloses or otherwise disseminates a person’s information to a third party without her consent. Cothron v. White Castle System, Inc., 2023 IL 128004 (Feb. 17, 2023).
In a spirited dissent, three justices warned that the majority’s interpretation will render compliance with BIPA “especially burdensome for employers.” The dissent argued that an employer or other entity may obtain “a person’s biometric information only once,” and that with subsequent authorization scans, the entity isn’t obtaining anything it doesn’t already have, and conversely there’s no additional loss of privacy, secrecy, or control suffered by the individual.
Therefore, the dissenting jurists would have ruled that a BIPA claim accrues only upon the first scan or transmission. The dissent warned of unintended consequences, such as “potential imposition of crippling liability on businesses” as a result of the court’s ruling.
Because BIPA provides for liquidated damages of between $1,000 and $5,000 for each violation, damages in the suit against White Castle might exceed $17 billion—an absurd result that should be avoided, according to the dissent.
Get the Deal You Crave
This decision is a wake-up call to all Illinois employers that use employees’ fingerprints or other biometric information to gain access to their premises or systems. As the dissent warned, under this decision, the penalties for violating BIPA may be astronomical.
Please contact the author, or the Fox Swibel attorney with whom you usually work, to discuss any questions or for guidance on your organization’s compliance with BIPA’s informed consent requirements.