Privacy & Information Security Law Blog

On February 17, 2023, the Illinois Supreme Court issued an opinion in Cothron v. White Castle Systems, Inc., in response to a certified question from the Seventh Circuit, ruling that the plain language of Section 15(b) and 15(d) of the Illinois Biometric Privacy Act (“BIPA”) shows that a claim accrues under BIPA with every scan or transmission of biometric identifiers or biometric information without prior informed consent. 

The case arose from a proposed class action filed by the plaintiff on behalf of all Illinois employees of defendant, White Castle System, Inc. (“White Castle”). The plaintiff alleged that White Castle implemented a biometric-collection system shortly after she started her employment in 2004 that required employees to scan their fingerprints to access their pay stubs and computers, but did not seek her consent until 2018, even though BIPA went into effect in 2008. White Castle used a third-party vendor to verify each scan and authorize the employee’s access. Thus, the plaintiff alleged that White Castle collected her biometric data and disclosed such data to its third-party vendor in violation of Section 15(b) and (d) of BIPA for several years. Section 15(b) of BIPA provides that a private entity may not “collect, capture, purchase, receive through trade, or otherwise obtain” a person’s biometric data without first providing notice to and receiving consent from the person. Section 15(d) provides that a private entity may not “disclose, redisclose, or otherwise disseminate” biometric data without consent.

White Castle moved for judgment on the pleadings, arguing that the plaintiff’s action was untimely because her claim accrued in 2008, when White Castle first obtained her biometric data after BIPA came into effect. In essence, White Castle claimed that claims under BIPA “can accrue only once – when the biometric data is initially collected or disclosed.” The plaintiff responded that “a new claim accrued each time she scanned her fingerprints and White Castle sent her biometric data to its third-party authenticator, rendering her action timely.” The district court agreed with the plaintiff and denied White Castle’s motion but certified its order for immediate interlocutory appeal, finding that the “decision involved a controlling question of law on which there is substantial ground for disagreement.” The Seventh Circuit accepted the certification and agreed that “the novelty and uncertainty of the claim-accrual question” warranted certification to the Illinois Supreme Court. The Illinois Supreme Court focused on the statutory language of BIPA, finding that the plain language of Section 15(b) and Section 15(d) demonstrates that such violations occur with every scan or transmission. 

Although the certified question did not expressly inquire about the issue of damages, the Court noted White Castle’s concern that the accrual of claims for each scan or transmission could potentially result in “punitive and astronomical” damage awards. The court found, based on the language of the statute, that the Illinois legislature chose to make damages discretionary, rather than mandatory under BIPA. It recognized that a “trial court presiding over a class action – a creature of equity- would certainly possess the discretion to fashion a damage award that (1) fairly compensated claiming class members and (2) included an amount designed to deter future violations, without destroying a defendant’s business.” That being said, the Court noted policy-based concerns about potentially excessive damage awards under BIPA are best addressed by the legislature, and “respectfully suggests that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under [BIPA].”