Recent Posts

Popular Topics



Legal developments in data, privacy, cybersecurity, and other emerging technology issues

Navigating the Biometrics Minefield: Illinois Supreme Court Rules That a BIPA Claim Accrues With Each Scan or Transmission

In an eye-opening 4-3 decision issued on Friday, the Illinois Supreme Court ruled that a separate Biometric Information Privacy Act (“BIPA”) claim accrues “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” Cothron v. White Castle System, Inc., 2023 IL 128004 ¶ 45. The decision may have staggering consequences on all pending BIPA cases, converting what might have been a single claim, into thousands of separate claims for $1,000 or $5,000 (depending on whether the violation is negligent or willful). The impact of the decision is even more severe in light of the Illinois Supreme Court’s recent decision in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, applying a five-year statute of limitations to all BIPA claims. 

White Castle argued that damages in the action, which potentially involves approximately 9,500 current and former White Castle employees who provided scans multiple times per day, would be excessive, potentially exceeding $17 billion. However, the Court generally sidestepped such policy arguments on the ground that the Court was “not being asked to render a decision on the damages in this case or to make a policy-based decision about excessive damages,” but was being asked “to determine legislative intent by considering the consequences of construing the statute one way or another.” 2023 IL 128004, ¶ 62. The Court acknowledged that there is no language in the Act suggesting that “financial destruction of a business” is the intent of BIPA, but concluded that a trial court presiding over a class action “would certainly possess the discretion to fashion a damage award that (1) fairly compensated claiming class members and (2) included an amount designed to deter future violations, without destroying a defendant’s business.” Id. at ¶ 42 (quoting Century Mutual Insurance Co. v. Tracy’s Treasures, Inc., 2014 Il. App. (1st) 123339, ¶ 66 n4). Instead of allowing the magnitude of damages to impact the outcome of its decision, the Court “respectfully suggest[ed] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.” Id. at ¶ 43.

The dissent took issue with the majority’s conclusion that a company could violate the law multiple times by taking the same fingerprint successively. The dissent reasoned that “[w]ith the subsequent scans, the fingerprint is not being obtained, it is being compared to the fingerprint that White Castle already has” and the plaintiff “suffered no additional loss of control over her biometric information.”  Id. at ¶ 52 (Overstreet, J., dissenting). The dissent concluded that the “precise harm” the legislature was addressing, i.e., an individual’s loss of the right to maintain biometric privacy, is suffered only upon the first scan. Id. at ¶ 53. But “[o]nce that entity has the fingerprint, there is no additional loss of control, loss of privacy, or loss of secrecy from subsequent scans of the same finger.” Id.

The dissent also faulted the majority for ignoring the principle of statutory construction that dictates an “absurd result must be avoided.” Id. at ¶ 59. The majority’s construction of the statute would both incentivize plaintiffs (who suffer no additional harm with each successive scan) to delay in bringing claims and would easily lead to “annihilative liability for businesses.” Id. at ¶ 61.

Finally, the dissent highlighted that the “legislature’s intent was to ensure the safe use of biometric information, not to discourage its use altogether.”  Id. at ¶ 66. With this decision, the risk of collecting biometric data may be so significant for businesses that they will no longer use these systems here and Illinois citizens will be deprived of the utility and benefits of biometric technologies. It remains to be seen whether the legislature will consider whether this was the intended outcome of BIPA.

Topics: Biometrics, BIPA
Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.