On Friday, February 17, 2023, a divided Illinois Supreme Court decided that claims under the Illinois Biometric Information Privacy Act (“BIPA”) accrue every time the law is violated, or each time a person’s biometric data is scanned or transmitted without prior consent.[1] The decision greatly increases the litigation exposure of businesses in Illinois who use biometric data, or systems that rely on biometric data.
Plaintiff, Latrina Cothron, sued White Castle, her employer, accusing the company of violating Sections 15(b) and (d) of BIPA by forcing employees to scan their fingerprints to access pay stubs and computers and disclosing the fingerprint scans to a third-party vendor who managed the fingerprint scanning system.[2] Cothron alleged that the fingerprint scanning system was introduced in 2004, four years before BIPA was enacted.[3]
The case was originally filed in Illinois state court and removed to the Northern District of Illinois, where Judge Tharp rejected White Castle’s theory that the plaintiff’s claims were untimely because the statute of limitations had run since her BIPA claims accrued in 2008—the first time she scanned her fingerprint after BIPA was enacted.[4] Judge Tharp concluded that the lawsuit was timely for the instances of unauthorized fingerprint scans that took place within the limitations period because every unauthorized fingerprint scan was a separate violation of the statute and a new claim accrued with each unauthorized scan.[5]
The Court acknowledged the decision was disfavorable to businesses in Illinois. However, like Judge Tharp, the Court concluded that it was bound by statute and any solution must come from the legislature.[6]
This is the second major Illinois Supreme Court decision this month to define BIPA’s scope. Earlier this month, the Court decided in Tims v. Black Horse Motor Carriers that BIPA claims were subject to a five-year statute of limitations.[7]
These two decisions, along with the Court’s 2019 Six Flags decision,[8] have a material impact on the litigation risk faced by businesses in Illinois. The three cases when read together state that plaintiffs need not prove an actual injury for any violation of the statute, each unauthorized scan is a separate violation of the statute, the statute of limitations extends to violations that occurred up to five years prior to when suit is filed, and plaintiffs are be entitled to at least statutory damages of $1,000 or $5,000 for each unauthorized scan or transmission of biometric data during five year period.
[1]Cothron v. White Castle System, Inc., Case No. 128004 (Ill. Feb. 17, 2023).
[2]Cothron v. White Castle Sys., No. 20-3202, 2021 U.S. App. LEXIS 37593 at 1 (7th Cir. Dec. 20, 2021). “Section 15(b) provides that a private entity may not ‘collect, capture, purchase, receive through trade, or otherwise obtain’ a person’s biometric data without first providing notice to and receiving consent from the person…Section 15(d) provides that a private entity may not ‘disclose, redisclose, or otherwise disseminate’ biometric data without consent.” Cothron v. White Castle Sys., No. 20-3202, 2021 U.S. App. LEXIS 37593 at 3 (7th Cir. Dec. 20, 2021)
[3]Cothron v. White Castle Sys., No. 20-3202, 2021 U.S. App. LEXIS 37593 at 2 (7th Cir. Dec. 20, 2021).
[4]Cothron v. White Castle Sys., No. 20-3202, 2021 U.S. App. LEXIS 37593 at 2 (7th Cir. Dec. 20, 2021).
[5]Cothron v. White Castle Sys., No. 20-3202, 2021 U.S. App. LEXIS 37593 at 2 (7th Cir. Dec. 20, 2021).
[6]Cothron v. White Castle System, Inc., Case No. 128004, paras. 30, 42 (Ill. Feb. 17, 2023). See also BIPA's Scope Shaped by Courts With No Legislative Relief in Sight, and BIPA in Play, Lower Courts Have Their Say
[7]Tims v. Black Horse Carriers, Inc., Case No. 127801 (Ill. Feb. 2, 2023).
[8]Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019)
Sign up for our newsletter and get the latest to your inbox.