Illinois Supreme Court Strengthens Biometric Law Again, Finds Separate Claim Accrues with Each Scan

On February 17, 2023, the Illinois Supreme Court issued its highly-anticipated decision in Cothron v. White Castle, No. 2023 IL 128004, holding that a separate claim accrues under the Illinois Biometric Information Privacy Act (“BIPA”) each time a company scans or transmits an individual’s biometric data in violation of BIPA. This decision, paired with the Court’s recent decision establishing a 5-year statute of limitations under BIPA (as discussed in our prior alert here), strengths BIPA’s impact and drastically increases companies’ potential exposure under BIPA.

The statutory language of BIPA allows a prevailing party to recover damages “for each violation.” However, prior to the Court’s decision in Cothron, it was unclear what this meant. Some lower courts interpreted “for each violation” to mean that a BIPA violation accrues only once—at the time of the first violation with respect to each individual, essentially limiting recovery to one instance per person.  Other courts interpreted it more broadly to mean that recovery could be had every time a BIPA violation occurs with respect to each individual.

In Cothron, the Illinois Supreme Court sided with the latter, explaining that when a company violates BIPA by collecting, capturing, or otherwise obtaining a person’s biometric information without prior informed consent, “this is true the first time an entity scans a fingerprint or otherwise collects biometric information” and “it is no less true with each subsequent scan or collection.” With BIPA providing for liquidated damages of $1,000 or actual damages, whichever is greater, for negligent violations, and liquidated damages of $5,000 or actual damages, whichever is greater, for intentional or reckless violations, the Court’s decision in Cothron is significant.

In siding with the plaintiff in Cothron and finding that a separate violation accrues every time a BIPA violation occurs with respect to each individual, the Court focused on the language and intent of BIPA. The Court was not shy about the dramatic implications of its ruling, observing that, “White Castle estimates that if plaintiff is successful and allowed to bring her claims on behalf of as many as 9500 current and former White Castle employees, classwide damages in her action may exceed $17 billion. We have found, however, that the statutory language clearly supports plaintiff’s position.”

While the Court recognizes the potential for significant damages awards under BIPA due to its holding in Cothron and its prior holding in Rosenbach v. Six Flags Entertainment Corp., where it held that mere statutory non-compliance, without more, is sufficient “injury” to allow individuals to sue for damages, the Court stated that “policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature.”

Further, the Court said that its holdings are intended to “give private entities ‘the strongest possible incentive to conform to the law and prevent problems before they occur.’” (quoting Rosenbach). In support of its position, the Court said that private entities would have little incentive to comply with BIPA if subsequent violations carry no legal consequences.

While employers and other companies operating in Illinois may benefit from the clarity of the Court’s decision in Cothron, it ultimately could subject them to steep statutory damages. Companies utilizing biometric technology or using biometric data should ensure they are doing so in compliance with applicable law, such as BIPA, and need to stay aware of potential pitfalls, liability, and increasing regulation. If you need assistance complying with biometric information laws or other privacy laws, please contact one of our Cybersecurity & Data Privacy attorneys.