On February 17, 2023, the Illinois Supreme Court ruled that claims under the Biometric Information Privacy Act (“BIPA”) may accrue with each biometric scan and not just on an individual’s first scan. Cothron v. White Castle System, Inc., 2023 IL 128004.
In Cothron, the plaintiff alleged that the employer failed to follow BIPA’s requirements in connection requiring employees to scan their fingerprints in order to access computer systems and pay stubs. When the case ascended to the Seventh Circuit, the employer argued that the plaintiff’s claims were untimely because the fingerprints were initially collected years before BIPA went into effect. The employer asserted that only the first collection or scan of an individual’s biometric information could give rise to liability, as opposed to each subsequent scan used to “match” an individual’s fingerprint with the stored information. The Seventh Circuit send this issue to the Illinois Supreme Court for resolution.
The Illinois Supreme Court rejected the employer’s argument, holding that BIPA violations may accrue with every subsequent scan of a fingerprint, not just the initial fingerprint capture. The Court analyzed the “plain language” of the statute, particularly section 15(b), which provides that
No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information unless it first obtains informed consent from the individual or the individual’s legally authorized representative.
740 ILCS § 14/15(b) (West 2018). The Court agreed with the district court’s analysis that
Each time an employee scans her fingerprint to access the system, the system must capture her biometric information and compare that newly captured information to the original scan (stored in an off-site database by one of the third parties with which White Castle contracted).
477 F. Supp. 3d 723, 732 (N.D. Ill. 2020). In essence, according to the Court, every time an employee scans his or her fingerprint in order to compare it with the identifying scan, this counts as an additional “collection” for purposes of BIPA.
BIPA allows for statutory damages of up to $1,000 per negligent violation and up to $5,000 per intentional or reckless violation. So it’s easy to see how the Illinois Supreme Court’s interpretation could lead to unusually significant damage awards if companies use biometric information as employee identifiers on a frequent basis. Additionally, now that the Illinois Supreme Court has confirmed in a ruling earlier this month that BIPA claims have a five-year statute of limitations, this ruling could potentially incentivize individuals to delay making claims under BIPA until hundreds or thousands of individual violations have occurred. As a result, businesses that plan to collect biometric information should work with counsel to draft and implement BIPA-compliant policies and review current policies and practices.