Illinois Supreme Court's Recent Decision May Prove Disastrous for Companies Using Biometric Scanning Systems
Key Takeaway – A company that collects or transmits an individual's biometric information or identifier without first obtaining written consent from the individual is liable for each scan and each transmission that lacked the requisite consent – paving the way for plaintiffs to pursue massive damage awards.
In a 4-3 decision issued on February 17, 2023, the Illinois Supreme Court held that a separate claim accrues under the Biometric Information Protection Act ("BIPA") each time a private entity scans or transmits an individual's biometric information or identifier before receiving written consent. This article discusses the decision's key implications for companies using or considering biometric scanning systems.
The Court's Decision
In Cothron v. White Castle System, Inc., White Castle introduced a biometric scanning system in 2004 that required its employees (including Cothron) to scan their fingerprints to access their paystubs and computers. Each time an employee scanned their fingerprint, White Castle sent the scan to a third-party vendor who then verified each scan and authorized the employee's access.
In 2008, BIPA went into effect. The Act requires that private entities receive written consent from an individual before collecting and/or disclosing the individual's biometric data. It was undisputed that White Castle did not obtain written consent from Cothron until 2018 (presumably after it had collected her scanned fingerprint and sent it to the third-party vendor a substantial number of times). Cothron subsequently filed a lawsuit alleging that White Castle collected and disclosed her fingerprint biometric data in violation of BIPA for several years.
The case before the Illinois Supreme Court presented one significant issue – whether an individual's BIPA claims accrue each time a private entity scans a person's biometric identifier and each time it transmits such a scan to a third party, or only upon the first scan and first transmission. The Court rejected White Castle's argument that BIPA claims should be limited to the first time that a private entity scans or transmits an individual's biometric identifier or biometric information, pointing out that no such limitation appears in the Act. Relying instead on the plain language of BIPA, the Court concluded that a claim accrues under the Act with every scan or transmission of biometric identifiers or biometric information without prior informed consent.
Excessive Damage Awards
The obvious consequence of the Court's decision is that individual BIPA claims will now include alleged violations for each scan or transmission of biometric data that occurs without consent, thereby expanding the amount of damages individuals may receive. Keep in mind that the Illinois Supreme Court recently decided that individuals have five years to bring a claim under BIPA, and the damages per violation are significant. For instance, a failure to comply with BIPA’s requirements can result in liquidated damages of $1,000 per negligent violation and $5,000 per intentional violation, or actual damages, whichever is greater. BIPA also allows individuals to obtain attorneys’ fees, costs, and any other relief that a court may deem appropriate.
Perhaps the most alarming concern is that BIPA claims lend themselves so easily to class action lawsuits, especially when a company's failure to obtain the requisite consent often extends to many (or all) individuals from whom it collected and transmitted biometric data. While the Court tried to temper this concern in its decision by suggesting the language in BIPA appears to provide trial courts with the discretion to limit damages in a way that would fairly compensate class members and deter future violations (without destroying a defendant's business), it failed to mention the possibility that a trial court might not exercise that discretion. Ultimately, the Court punted to the legislature, stating that "concerns about potentially excessive damages awards under the Act are best addressed by the legislature."
Incentive to Obtain Consent
In addition, the decision provides a strong incentive for companies to obtain the written consent BIPA requires. This incentive applies to companies that are planning to implement a biometric scanning system and want to avoid any liability, as well as companies that have collected or transmitted biometric data without obtaining the requisite consent and wish to limit their liability by obtaining written consent as soon as possible.
Consideration of Next Steps
Regardless of the reasons companies use biometric scanning systems (time keeping, computer access, security/facility access, etc.) or the individuals from whom they collect biometric data (employees, customers, vendors, etc.), the Court's decision exponentially increases the potential liability for collecting or transmitting biometric data without obtaining the requisite written consent first. The key to preventing liability is obvious – companies need to ensure that they receive written consent before collecting or transmitting biometric data. On the other hand, companies that did not obtain written consent before collection or transmission can still limit their liability by obtaining written consent as soon as possible.
This communication is provided as a general informational service to clients and friends of Pedersen & Houpt. It should not be construed as and does not constitute legal advice on any specific matter, nor does this message create an attorney-client relationship. This material may be considered Attorney Advertising in some states. Please note that any prior results discussed in this material do not guarantee similar outcomes.
© 2023 Pedersen & Houpt, all rights reserved.