Thumbs Up: Illinois Supreme Court Gives The Green Light For Damages Fines Under The Illinois Biometric Information Privacy Act (BIPA) In Cothron V. White Castle System, Inc.

• Jurisdiction: United States,Federal,Illinois
• Law Firm: Arnold & Porter
• Subject Matter: Litigation, Mediation & Arbitration, Privacy, Privacy Protection, Class Actions, Trials & Appeals & Compensation, Personal Injury
• Author: Ms Jami Mills Vibbert, Daniel E. Raymond, Brian Lohan, D. Tyler Nurnberg, Maja Zerjal Fink and Steven Wickman
• Published date: 27 February 2023

A January 18, 2023 New York Times Podcast¹ titled "The 'Enemies List' at Madison Square Garden" (the Podcast) brought to light the use of facial recognition technology at Madison Square Garden (MSG) not only for legitimate security purposes, but also as a means of creating and enforcing bans of lawyers suing MSG (by obtaining pictures of the attorneys from their law firm's website). The Podcast noted that Illinois and Texas have statutes governing the nonconsensual collection of biometric information. In the context of the Podcast discussion, one could conclude that such statutes are beneficial. However, as discussed below, the Illinois statute-as has been interpreted by the Illinois Supreme Court-could be financially devastating for companies collecting biometric information in a much more benign manner.

The Decision

In a 4-3 decision, the Illinois Supreme Court in Cothron v. White Castle System, Inc. answered the following certified question from the Seventh Circuit: "Do Section 15(b) and 15(d) claims accrue each time a private entity scans a person's biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?" A divided court held that a separate claim accrues under the Biometric Information Privacy Act (BIPA or the Act)² each time a private entity scans or transmits an individual's biometric identifier or information in violation of Section 15(b) or 15(d).³ As a result, White Castle System, Inc. (White Castle) could be held liable under the Act for each time a White Castle employee used their fingerprint to access their paystubs and computers since 2008, subjecting White Castle to damages in excess of $17 billion. The decision also vastly increases the litigation exposure of businesses that collect biometric data in Illinois.

The case stems from a proposed class action filed by plaintiff, Latrina Cothron, on behalf of all Illinois employees of defendant, White Castle. Ms. Cothron alleges that her employer, White Castle, violated Sections 15(b) and (d) of BIPA by requiring employees to scan their fingerprints to access their paystubs and computers and disclosing their fingerprint scans to a third-party vendor who verified each scan and authorized the employee's access.⁴ Ms. Cothron alleges that White Castle implemented this biometric-collection system without obtaining her consent in violation of the Act (740 ILCS 14/1 et seq. (West 2018)), which became...