Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims

For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1

This decision comes on the heels of the Illinois Supreme Court’s decision earlier this month in Tims v. Black Horse Carriers, where the court held that a five-year statute of limitations (as opposed to a one-year period) applies to all claims under BIPA. See our prior alert.

Enacted in 2008, BIPA regulates the collection and possession of biometric data by private entities operating in Illinois. Biometric data includes, for example, fingerprints, voiceprints, eye scans, and face/hand scans (but not photographs or written signatures). BIPA requires entities to comply with certain obligations when collecting biometric data: Among other things, entities must provide notice to the individual whose biometric data is being collected, obtain written consent from that individual, establish and implement a written data retention policy, and ensure compliance with limitations on any transfers of biometric data, including prohibition on “sale” and “lease” of biometric data.

Notably, BIPA establishes a private right of action, allowing any person to seek damages, attorneys’ fees, and injunctive relief if the person has been aggrieved by a BIPA violation. The statutory damages available for a person aggrieved by a BIPA violation are steep, including $1,000 to $5,000 per violation, attorneys’ fees and costs, and the possibility of injunctive relief. In 2019, the Illinois Supreme Court clarified that a plaintiff may seek damages when the only injury is a violation of BIPA,2 a decision that accelerated the trend of filing putative class action lawsuits under the statute.

The two recent Illinois Supreme Court decisions, individually and collectively, highlight the potential for massive damages in BIPA suits and underscore the importance of remaining sensitive to BIPA requirements. Below is additional information regarding the Cothron decision.

Cothron v. White Castle System

Plaintiff, a manager of a White Castle restaurant in Illinois, filed a putative class action complaint against White Castle alleging unlawful collection and disclosure of her biometric data under BIPA Sections 15(b) and 15(d). The complaint was filed in December 2018 in Illinois state court and alleged that White Castle used a biometric-collection system that required its employees to scan their fingerprints to access their pay stubs and computers from 2008 to 2018, without obtaining the requisite consent.

White Castle removed to federal court and moved for judgment on the pleadings, arguing that Section 15(b) and 15(d) claims can accrue only once, when the biometric data is first collected or disclosed. It thus argued that plaintiff’s action was untimely because the first time White Castle obtained her biometric data after BIPA’s effective date was in 2008, falling outside of the applicable statute of limitations. Plaintiff disagreed, arguing that her action was timely because a new Section 15(b) claim accrued each time she scanned her fingerprints, and a new 15(d) claim accrued each time her employer disclosed her biometric data to a third party. The district court agreed with plaintiff and denied White Castle’s motion but certified its order for interlocutory appeal. The Seventh Circuit found both parties’ interpretations of BIPA on the accrual issue reasonable under Illinois law and certified the following question to the Illinois Supreme Court:

Do section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?

The Illinois Supreme Court agreed to answer the certified question and issued its decision last week. Its decision focused on the statutory text of Sections 15(b) and 15(d) and held that the plain language of the statute demonstrates that violations occur with every scan or transmission of biometric data. At the end of its opinion, the court briefly addressed the policy argument put forth by White Castle and several amici — that because BIPA sets forth statutory damages of $1,000 or $5,000 per “each violation,” damages awards premised on every scan or transmission of biometric data (e.g., each fingerprint scan) could be “astronomical” and possibly unconstitutional. The court concluded that any “policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature.” Notably, it also emphasized that BIPA’s liquidated damages provision is “discretionary rather than mandatory,” and a trial court thus has “discretion” to fashion a damages award that it deems fair.

The Cothron decision further demonstrates the importance of companies’ remaining sensitive to the requirements outlined by BIPA. For additional information regarding steps that companies can consider taking to help address BIPA risks, see our prior 2019 and 2023 alerts.

1Cothron v. White Castle System, Inc. 2023 IL 128004.

2See Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.