Feb 17, 2023

Illinois Supreme Court Expands Exposure to Penalties Under Illinois Biometric Information Privacy Act

Alert | Cybersecurity and Data Privacy Alert

The Illinois Supreme Court issued its much-anticipated decision today in the Cothron v. White Castle case, which interpreted the Illinois Biometric Information Privacy Act (“BIPA”). The decision is likely to have far-reaching and adverse implications for many companies who scan or transmit employees’ biometric information.

In this class-action case, which was initially filed in federal court, plaintiff argued that there were separate BIPA violations (and separate statutory penalties of $1K-$5K) each and every time a company scans or transmits a person’s biometric information (usually a fingerprint or palm print). By contrast, White Castle argued that there should be only one statutory penalty per person, no matter how many times that person’s biometric information was scanned or transmitted. 

The federal court referred this issue to the Illinois Supreme Court. Specifically, the federal court posed the following certified question: “Do section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?”

In a 4-3 decision, the Illinois Supreme Court answered that question, agreeing with plaintiff that a separate claim accrues under BIPA each time a company scans or transmits an individual’s biometric information in violation of BIPA. This decision magnifies companies’ potential BIPA exposure exponentially, since plaintiffs will seek a statutory penalty for each BIPA violation, consisting of $1K for negligent violations and $5K for intentional or reckless violations, along with attorneys’ fees and additional relief that the court may award. 

Indeed, the majority acknowledges White Castle’s warning that, if successful, plaintiff’s class-wide damages may exceed $17 billion. Nevertheless, the majority held that the statutory language is clear and must be given effect “even though the consequences may be harsh, unjust, absurd or unwise.”  The dissent argued that the majority’s decision “could easily lead to annihilative liability for businesses,” but that draconian prospect now is the law in Illinois.

That said, there still are viable and potentially strong defenses in BIPA cases, and our Technology and Cyber Group is vigilant in defending companies against BIPA claims. Please don’t hesitate to contact Hillard M. Sterling to discuss those defenses and the Cothron decision.

View PDF