BIPA Liability in the Billions?

 

Illinois employers, do you utilize any workforce monitoring or security measures, such as time clocks, that involve individuals’: 

  • Fingerprints
  • Retina or iris scans
  • Scans of hand or face geometry
  • Voiceprints
  • Biometric information (information based on the above that is used by the company to identify an individual)

 

If so, read ahead because the Illinois Supreme Court just decided that doing so, without strict compliance with the Illinois Biometric Information Privacy Act (BIPA), could be a multi-billion dollar mistake.

In Cothron v. White Castle System, Inc. (issued February 17, 2023), the Court held that a separate BIPA claim accrues each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d) of BIPA–not just the first time. Employers subject to BIPA now have no margin for error, because noncompliance with sections 15(b) or 15(d) of BIPA could mean cost-prohibitive–even ruinous–damages for the company.

What happened

Latrina Cothron, a manager of a White Castle restaurant in Illinois, alleged that shortly after her employment started with the company in 2004, White Castle introduced a system that required employees to scan their fingerprints to access their pay stubs and computers. A third-party vendor then verified each scan and authorized the employee’s access.

In 2018, Cothron filed a putative class action in the Circuit Court of Cook County against White Castle and the third-party vendor, later voluntarily dismissing the third-party vendor after the case was removed to the U.S. District Court for the Northern District of Illinois. Cothron alleged that White Castle violated sections 15(b) and 15(d) of BIPA (which provide for the consensual collection and disclosure of biometric identifiers and biometric information) by unlawfully collecting and disclosing her biometric data to its third-party vendor for years, until the company obtained her consent in 2018.

White Castle moved for judgment on the pleadings, arguing that Cothron’s action was untimely because her claim accrued when White Castle first obtained her biometric data after BIPA’s effective date in 2008. Cothron responded that a new claim accrued each time she scanned her fingerprint and White Castle sent her biometric data to its third-party vendor, making her action timely with respect to scans and transmissions that occurred within the applicable limitations period. The district court agreed with Cothron and denied White Castle’s motion. Following White Castle’s appeal, the certified question of claim accrual made its way to the Illinois Supreme Court. 

 

What the Illinois Supreme Court said

The Court held that a separate claim accrues under BIPA each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).

The Court looked to BIPA’s plain language in its analysis. White Castle argued that section 15(b) and 15(d) claims can accrue only once—when the biometric data is initially collected or disclosed. White Castle relied on the language in section 15(b) providing that no private entity “may collect, capture… or otherwise obtain” a person’s biometric identifier or biometric information “unless it first” provides notice and receives consent as outlined in section 15(b). “Unless it first”, the company argued, refers to a singular point in time. The Court disagreed, finding that “collect” and “capture” can occur more than once because each time an employee scans her fingerprint, the system captures her biometric information to compare it to the original scan for purposes of granting access.

The Court also pointed to section 15(b)(2) of BIPA, which distinguishes between collection and storage, and provides that the private entity must notify the subject of the length of time for which a biometric identifier or biometric information is being collected, stored, and used–showing that the legislature considered collection as something that would happen more than once.

White Castle also argued that disclosure is a single occurrence activity under section 15(d). The Court concluded that the plain language of section 15(d) applies to every transmission to a third party because the language in section 15(d) is broad enough to include repeated transmissions to the same party.

 

Potential for astronomical damages

White Castle (and amici in support) cautioned the Court against ruling as it did because section 20 of BIPA sets forth liquidated damages a party may recover for “each violation,” meaning multiple or repeated accruals of claims by one individual could potentially result in punitive and “astronomical” damage awards constituting “annihilative liability” that the legislature did not consider–and that such damages could be unconstitutional. White Castle estimated that if Cothron were allowed to bring her claims on behalf of approximately 9,500 current and former White Castle employees, class-wide damages in the action could exceed $17 billion. However, the Court dismissed this as a reason for caution, standing on its finding that BIPA’s statutory language supports Cothron’s position and noting that the legislature intended to provide incentive for compliance.

The Court did, however, signal that lower courts should carefully consider excessive damages awards in BIPA class actions. It “generally agree[d]” with the Illinois appellate court’s recognition in Century Mutual Insurance Co. v. Tracy’s Treasures, Inc., that “[a] trial court presiding over a class action—a creature of equity—would certainly possess the discretion to fashion a damage award that (1) fairly compensated claiming class members and (2) included an amount designed to deter future violations, without destroying defendant’s business.” The Court noted that the Illinois legislature chose to make damages discretionary rather than mandatory under the Act, and emphasized that there is no language in BIPA suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.

 

Where employers should go from here

Employers should be more diligent than ever in meeting BIPA’s requirements. Employer liability for a violation of sections 15(b) or 15(d) will quickly compound since claims now accrue with each scan or transmission of a biometric identifier or information (e.g., every time an employee clocks in or out of work for five years).

The only consolation for employers–if you can call it that–is that the Court left the door open for a trial court to reduce damages if, in its discretion, an award would result in the financial destruction of a business. Even so, employers facing huge damages awards that could, in fact, “annihilate” their business will be forced to rely upon the grace of the trial court as the fine line between continuing operations or not.

Illinois employers and businesses that collect or use biometric identifiers or biometric information should immediately update and maintain policies and procedures to ensure unequivocal compliance with BIPA, including:

  • Drafting and communicating a clear written policy that describes the purpose and terms of the collection and storage of biometric information;
  • Notifying employees (and consumers) in writing before any biometric information is collected;
  • Obtaining written consent from the data subject; and
  • Making publicly available a written “retention schedule and guidelines” the company uses for permanently destroying biometric identifiers and biometric information within a certain time period.

 

What else employers should look out for

Biometric laws in other states and pending legislation across the country

Washington and Texas both have biometric laws similar to BIPA, which apply to employees. See Washington’s Biometric Identifiers Law and Texas’ Capture or Use of Biometric Identifier Act. Unlike BIPA, neither Washington’s nor Texas’ biometric laws provide a private right of action, and instead each state’s attorney general enforces the statute.

However, there is pending legislation in at least nine other states–Arizona, Hawaii, Maryland, Massachusetts, Minnesota, Missouri, New York, Tennessee and Vermont–that would protect employee biometric information and provide a private right of action for individuals alleging violations. Employers should keep an eye on developments at the state level as bills similar to BIPA work their way through state legislatures.

BIPA and the National Labor Relations Act

Employers should also watch for Walton v. Roosevelt University, in which the Illinois Supreme Court will decide whether the Labor Management Relations Act preempts union-represented workers from pursuing BIPA claims. (For more on this case, see our prior blog here).

To get your BIPA ducks in a row (meaning implementing compliant policies, proper notice and consent forms, and other BIPA requirements), reach out to your Baker McKenzie attorney.

Originally published March 3, 2023 at Baker McKenzie’s “The Employer Report” – Used by permission
