Illinois High Court Rules Every Collection Or Disclosure Is A Separate BIPA Violation

• Jurisdiction: Illinois,United States
• Law Firm: Crowell & Moring
• Subject Matter: Privacy, Data Protection
• Author: Ms Laura Foggan, Jason Stiehl, Laura Schwartz, Jacob Canter and Alexis Ward
• Published date: 28 February 2023

On February 17, 2023, the Illinois Supreme Court ruled 4-3 that violations of the Biometric Information Privacy Act ("BIPA") (the country's first biometric privacy legislation) accrue for each incident of capture or dissemination of biometric information, and not only once for each data subject. Cothron v. White Castle Systems found based on the plain language of the statute that violations for collecting or disclosing biometric information occur at every scan or transaction. Cothron v. White Castle Sys., 2023 IL 128004. The court reached this conclusion while admitting the "absurd" implications, including that the ruling could result in damages of $17 billion. Id. at ' 40.

Cothron follows the recent decision in Tims v. Black Horse Carriers, Inc., which applying a uniform 5-year statute of limitations for all claims under BIPA. Tims et al. v. Black Horse Carriers Inc., case number 127801. Taken together, Cothron and Tims create a minefield of liability for organizations collecting biometric information and may significantly increase the number of plaintiffs, claims, and possible damages under BIPA.

Background

Latrina Cothron filed a proposed class action against White Castle System, Inc. ("White Castle"), her former employer, which required employee fingerprint scans to access computer systems and pay stubs. The scans were sent to a third-party vendor to verify and authorize access. The White Castle policy, instituted in 2004, preceded the 2008 enactment of BIPA, but White Caste did not seek consent after BIPA's enactment until 2018. Cothron alleged that White Castle violated BIPA sections 15(b) and 15(d) by collecting and distributing her fingerprint identifier without prior consent.

White Castle moved for judgment on the pleadings, arguing that Cothron's action was time barred because it accrued in 2008, when it first obtained her biometric data after BIPA took effect. Cothron responded that a new claim accrued each time White Castle sent her biometric data to its third-party authenticator, and argued her action was timely as to the unlawful scans and transmissions that occurred within the statutory period.

To resolve the issue, the Court considered whether section 15(b) and 15(d) claims accrue each time an entity "scans a person's biometric identifier and each time an entity discloses a scan to a third party, or only once, upon the first scan and transmission." Cothron at ' 1. The relevant BIPA section, 15(b), states that a private entity may not...