By Danielle Kays and James Nasiri

Seyfarth Synopsis: In February 2023, the Illinois Supreme Court issued a landmark opinion in Cothron v. White Castle finding that claims under the Illinois Biometric Information Privacy Act (“BIPA”) accrue each time a private entity scans or transmits an individual’s biometric data. (Seyfarth’s analysis of this decision can be found HERE.) Defendant White Castle promptly filed a petition for rehearing, arguing that the Court incorrectly interpreted the Act and failed to consider practical factors concerning the amount of damages plaintiffs would now be entitled to under BIPA. In a blow to Illinois businesses, on July 18, 2023, the Court denied White Castle’s petition for rehearing and upheld the standard that BIPA claims accrue upon each scan or transmission.

Illinois Supreme Court Relies on Prior Reasoning in Denying the Petition for Rehearing

As a brief background, Plaintiff Cothron was a manager at a White Castle store in Illinois, and she sued the Company alleging that its fingerprint-scanning system used for payroll purposes violated Section 15(b) and (d) of BIPA. White Castle moved to dismiss Plaintiff’s Complaint as time-barred on the grounds that Plaintiff’s claims accrued in 2004 when she was hired, but Plaintiff responded that her claims accrued every time she scanned her fingerprint. This issue eventually went up to the Illinois Supreme Court, and as we discussed in our February blog post, the Court held that Section 15(b) and (d) claims accrue each time an entity captures or transmits an individual’s biometric identifier.

In its petition for rehearing, White Castle primarily argued that the Illinois Supreme Court erred in its interpretation of the relevant BIPA provisions. More specifically, White Castle highlighted the phrase “unless it first” within Section 15(b), contending that this language suggests that the acts of collecting or capturing biometric data can only happen at one singular point in time. Along these same lines, White Castle took the position that Section 15(d) refers to “the disclosure of biometrics by one party to a new, third party—said differently, a party that has not previously possessed the relevant biometric identifier or biometric information[KD1] [NJ2] .” According to White Castle, a “transmission” under Section 15(d) can also only occur one time.

The Illinois Supreme Court firmly rejected White Castle’s statutory arguments, just as it did in February, without offering any new analysis. By relying on its prior ruling, the Court thus determined that actions like “collecting,” “capturing,” and “disclosing” can occur more than once, especially given that White Castle had to scan and analyze an employee’s fingerprint each time they needed computer or pay stub access. The Court also copied its previous analysis in rejecting White Castle’s practical argument concerning the potential for massive damages awards of BIPA, again stating that “where statutory language is clear, it must be given effect, ‘even though the consequences may be harsh, unjust, absurd or unwise.’”

Judge Overstreet Issues a Stark Dissent

While the majority did not write a new opinion when it denied White Castle’s petition for rehearing, Judge Overstreet – joined by Judges Theis and Holder White – issued a fresh dissent. In the dissent, Judge Overstreet focused more on practical and constitutional concerns rather than analyzing the statutory language. According to the Judge Overstreet, the majority’s holding “subverted the intent of the Illinois General Assembly, threatens the survival of businesses in Illinois, and consequently raises significant constitutional due process concerns.”

As to the legislative intent, Judge Overstreet emphasized that the Illinois General Assembly intended for BIPA “to be a remedial statute that implemented prophylactic measures . . . .” However, “under the majority’s view, the legislature intended for Illinois businesses to be subject to cataclysmic, job-killing damages, potentially up to billions of dollars, for violations of the Act.” The dissent found no statutory support for such an interpretation and emphasized that, under the majority’s holding, Plaintiff Cothron alone could be entitled to “damages exceeding $7 million for this single employee despite the fact that plaintiff has not alleged a data breach or any costs or other damages associated with identity theft or compromised data.”

Judge Overstreet further emphasized that, by acknowledging the “harsh” and “absurd” consequences of their interpretation but nevertheless finding the per-scan approach to be proper, the majority “authorized exorbitant damages awards threatening financial ruin for some businesses . . . .” Moreover, the dissent found the majority’s interpretation to not only pose practical concerns for businesses, but to also present constitutional due process concerns for Illinois courts. Therefore, the dissent concluded by “implor[ing]” the Court to reconsider White Castle’s petition for rehearing and assess whether the resulting interpretation of BIPA passes constitutional scrutiny.

Implications For Employers

The Illinois Supreme Court’s Cothron decision remains a large disappointment for Illinois businesses, especially when considered in light of the Court’s Tims decision (summary can be found HERE) finding a 5-year limitations period to be appropriate for BIPA claims. Moreover, BIPA claims are no longer limited to just timekeeping technology – plaintiffs’ firms are targeting companies’ use of other biometric technology such as retinal scans, facial scans, and voiceprint-collecting headsets.

With Cothron and Tims being the law within Illinois courts, companies must quickly adjust to this new BIPA landscape. While there have been proposed legislative amendments to the Act that would limit its broad scope and damages potential, these measures have not progressed to the point of becoming law. As a result, it is now more important than ever for Illinois businesses to thoroughly assess their use of biometric technology, analyze their biometric data policies, and ensure compliance with BIPA. For more information about the Illinois Biometric Information Privacy Act and how this decision may affect your business, contact the authors—Danielle Kays and James Nasiri—your Seyfarth attorney, or Seyfarth’s Workplace Privacy & Biometrics Practice Group.