Companies in Illinois that collect fingerprints, face scans, and voiceprints without proper consent face the risk of millions of dollars in penalties, after the state’s high court ruled that claims under the Biometric Information Privacy Act accrue at each violation.
The Illinois Supreme Court on Friday found, 4-3, that a separate claim for damages can arise each time a business fails to seek permission to gather biometric data from workers or consumers, or fails to disclose retention plans for that information.
The majority, led by Justice Elizabeth Rochford, rejected White Castle’s argument that claims should accrue only at the first unlawful scan or first transmission—which would essentially have limited a plaintiff to a single award of damages no matter how many times their biometric data was collected without proper consent.
Writing for the dissent, Justice David K. Overstreet said the majority’s interpretation “will lead to consequences that the legislature could not have intended” and renders compliance with the law “especially burdensome for employers.”
But attorneys said one important holding from the decision is that damages are discretionary and not mandatory.
A view the decision is wholly favorable to the plaintiff’s bar is tempered by the fact a court may now decide not to award any monetary damages to a complainant, Lewis Brisbois Bisgaard & Smith LLP partner Mary Smigielski said in an interview.
Prior to Friday’s decision, some plaintiffs had argued that monetary damages were required under the statute, but the decision makes clear a court has discretion to set awards, she said.
Since the state law’s enactment in 2008, it’s been viewed by defense lawyers as a boon to the plaintiff’s class action bar, which has filed litigation against big tech and social media companies, airlines, railroads, retailers, grocery stores, restaurants, and more.
The decision could affect pending legislation in several states, including New York, currently contemplating similar biometric privacy statutes, Thompson Coburn LLP partner and privacy specialist James Shreve said in an interview.
Fingerprint Timekeeping
The ruling answered certified questions posed by the US Court of Appeals for the Seventh Circuit in a case brought by former White Castle manager Latrina Cothron.
She alleged the hamburger chain violated her biometric privacy rights by collecting fingerprints without her written consent every time she clocked in and out of the timekeeping system.
“We are extremely gratified that after three years of litigating this important issue, Ms. Cothron and the class she represents will now have an opportunity to proceed with her case and prove to a jury that White Castle disregarded their biometric privacy rights under BIPA for over a decade,” said James B. Zouras of Stephan Zouras LLP in Chicago, which represents Cothron.
“The Illinois Supreme Court’s well-reasoned decision affirms that the law means what it says and that biometric data collectors cannot shirk their duties by relying on dubious interpretations of the statutory text,” he said in a written statement.
Illustration: Jonathan Hurtarte/Bloomberg Law
Potential Damages
The decision follows the Illinois high court’s recent grant of a five-year statute of limitations to all biometric privacy claims, a move that also may increase liability for companies.
BIPA provides $1,000 in damages per violation or $5,000 per intentional or reckless violation. For companies with multiple locations and hundreds of employees who use biometric systems each day, adopting the interpretation put forward by Cothron would be catastrophic, businesses had argued.
“Even a small employer using a biometric time clock for say five years, has 10 employees, instead of looking at $10,000 in claims you could be looking at 1,000 times that over the course of five years,” Thompson Coburn’s Shreve said. “Because the multiples can add up so quickly even relatively small companies can be looking at claims in the multi millions of dollars.”
Last fall, BNSF Railway Co. was hit with a $288 million jury award in a biometric privacy class action that included more than 45,000 truck drivers. Attorneys at the time told Bloomberg Law that the damages outcome of that case could potentially change based on the Illinois high court’s White Castle ruling.
White Castle spokesman Mac Joseph said the court’s decision would cause “significant business disruption” to companies in Illinois that “now face potentially huge damages.”
“We are reviewing our options to seek further judicial review, given the strong dissenting opinion, which included the Court’s Chief Justice. This dissent justifiably raises serious concerns about today’s opinion,” Joseph said in a written statement.
Shook Hardy & Bacon LLP represents White Castle.
Impact, Questions
Attorneys said the ruling could result in workplace changes.
“I think some employers may stop using fingerprint time clocks,” Thompson Coburn partner and employment specialist Ryan Gehbauer said.
“I think for a lot of employers the purpose was to have very accurate time recording and it’s a nice use of technology do to that,” he said in an interview. “But I think some employers aren’t even going to want to mess with this anymore.”
Additionally, the decision will likely result in courts lifting stays on pending BIPA cases and allowing those cases to proceed, said Smigielski, co-chair of her firm’s Illinois Biometric Information Privacy Act practice group.
But while the decision may clarify what a violation is, several other issues regarding the statute remain unanswered, she said.
Chief issues that case law still must address include which technologies are governed by the biometric law, the extent of its extra-territorial application, when damages should be awarded, and how employers and other businesses should comply with consent regimes they may enact, she said.
“We’re still in the early stages of BIPA law,” Smigielski said.
The case is Cothron v. White Castle Sys., Inc., Ill., No. 128004, opinion 2/17/23.
—with assistance from Jake Holland
