By Danielle Kays, Paul Yovanic, Jr., and Sarah Bauman
Seyfarth Synopsis: Today, the Illinois Supreme Court issued its second Illinois Biometric Privacy Act (BIPA) decision in the past two weeks, ruling in Cothron v. White Castle System that claims under BIPA accrue each time a person scans or otherwise transmits his or her biometric information. This 4-3 decision significantly expands exposure to companies (particularly employers) faced with BIPA litigation, paving the way for astronomical, unwarranted damage awards.
Background on Cothron v. White Castle
In 2004, White Castle began utilizing a technology system that allowed employees to access their pay stubs and work computers by scanning their fingers. Plaintiff claims that White Castle did not obtain her written informed consent as required by BIPA once the statute took effect in 2008.
White Castle moved for judgment on the pleadings, arguing the suit was time-barred to the extent Plaintiff’s claim accrued (meaning, the statute of limitations period started to run) when she first used the system in 2008. Plaintiff countered that every unauthorized biometric scan constitutes a separate BIPA violation and a new claim accrues upon each scan (or other biometric transmission). To that end, Plaintiff claimed her suit was timely because she continued to scan her finger within the limitations period.
The District Court denied White Castle’s motion, and White Castle appealed the decision to the U.S. Court of Appeals for the Seventh Circuit. Rather than rule on the appeal, the Seventh Circuit certified the following question to the Illinois Supreme Court: “Do Section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?”
The Illinois Supreme Court’s Decision
Today, in a majority decision written by newly-elected Justice Rochford (who was not on the Illinois Supreme Court bench during oral argument last year), the Illinois Supreme Court held that a separate claim accrues under BIPA “each time a private entity scans or transmits an individual’s biometric information.” Citing the plain language of the statute, the Court reasoned that after initial enrollment in the biometric device at issue, the employee continued to “use his or her fingerprint to access” information, requiring that the finger be “compared to the stored copy of the fingerprint.” The Court believed that White Castle “fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or paystub.” Thus, the Court agreed that a party violates BIPA without prior informed consent the first time an entity scans biometric information, as well as “each subsequent scan or collection.”
In spite of its ruling, the Court recognized its statutory interpretation would entangle businesses in “‘astronomical’ damages awards that would constitute ‘annihilative’ liability, not contemplated by the legislation and possibly be unconstitutional.” Indeed, White Castle estimates that class-wide damages in the action may exceed $17 billion. Though recognizing the potential for astronomical damages, the Court held “where statutory language is clear, it must be given effect, ‘even though the consequences may be harsh, unjust, absurd, or unwise.’”
Nonetheless, the Court also recognized the power of trial courts which “certainly possess the discretion to fashion a damage award . . . to deter future violations, without destroying defendant’s business.” Indeed, BIPA plainly provides that a “prevailing party may recover,” whereas no language in the Act suggests legislative intent to authorize a damages award that would result in the financial destruction of a business.
The Illinois Supreme Court concluded with an explicit call to the Illinois legislature to “review these policy concerns and make clear its intent regarding the assessment of damages under the Act.”
Justice Overstreet, as part of the narrow-margin minority, wrote a thorough dissent. The minority wrote that the “majority’s interpretation cannot be reconciled with the plain language of the statute, the purposes behind the [BIPA], or this court’s case law, and it will lead to consequences that the legislature could not have intended.”
The dissent cited a critical error in the majority’s assumption that every private entity collects or captures a person’s biometric information with every scan. The minority argued that White Castle obtained an employee’s biometric information only the first time that a fingerprint is scanned, and not on every subsequent scan, because White Castle already had it. In other words, “[t]he subsequent scan did not collect any new information from plaintiff, and she suffered no additional loss of control over her biometric information.”
Finally, the minority concluded that they “see nothing in the Act indicating that the legislature intended to impose cumbersome requirements or punitive, crippling liability on corporations for multiple authentication scans of the same biometric identifier.”
Implications for Employers and Businesses
Today’s decision is the Illinois Supreme Court’s second BIPA decision in the past two weeks affecting the timeliness and scope of BIPA claims. Notably, this also is the Illinois Supreme Court’s second explicit call for the Illinois Legislature to act following the Court’s BIPA decisions over the years.
Without such legislative action, damages against companies can be ruinous and further subject the BIPA to due process challenges already being raised. Simultaneously, plaintiffs will continue to expand the scope and technologies targeted. This decision is another reminder to employers and businesses to closely watch the evolving BIPA landscape and regularly and carefully review their technology, policies, and procedures, especially before implementing new technological advancements.
For more information about the Illinois Biometric Information Privacy Act and how this decision may affect your business, contact the authors—Danielle Kays, Paul Yovanic, Jr., and Sarah Bauman—your Seyfarth attorney, or Seyfarth’s Workplace Privacy & Biometrics Practice Group.