On February 17, 2023, the Supreme Court of Illinois ruled in Cothron v. White Castle that a separate claim accrues under Illinois’s Biometric Information Privacy Act (“BIPA”) each time biometric information is unlawfully collected or disclosed, rather than upon the first unlawful collection or disclosure. This decision paves the way for potentially astronomical damages under BIPA §§ 15(b) and 15(d) and may incentivize further litigation.
Overview
As we previously covered, this case is based on a White Castle employee’s claims that the company collected and disclosed her fingerprint scans from its biometric time clock and computer access system in violation of BIPA §§ 15(b) (requiring informed consent to collect biometrics) and 15(d) (generally requiring consent to disclose biometrics). The case went to the U.S. Court of Appeals for the Seventh Circuit, which found both sides’ arguments as to the question of claim accrual plausible and certified the question to the Illinois Supreme Court due to its “novelty and uncertainty.”
White Castle has maintained that because an individual loses control of their biometric data upon the first collection or disclosure, claims accrue under BIPA §§ 15(b) and 15(d) only upon the first alleged violation, not each subsequent time a company allegedly violates the statute. The plaintiff argued that a new claim accrues upon every collection or disclosure in violation of BIPA.
Decision
The court decided 4-3 that the plain language of BIPA and past cases supported the plaintiff’s interpretation. BIPA § 15(b) provides that a company may not “collect, capture, purchase, receive through trade, or otherwise obtain” biometric information without informed consent. White Castle argued that “collect,” “capture,” etc. refer to the first point of collection. The court disagreed, concluding that these verbs refer to each instance that biometric information is collected – in this case, each time the plaintiff scanned her fingerprint to access her computer or pay stubs.
The court similarly reasoned that “disclose, redisclose, or otherwise disseminate” in § 15(d) refer to each time, not just the first time, biometric information is disclosed. The court found this language broad enough to include repeated disclosures to the same party, holding that each disclosure can give rise to a claim under § 15(d).
As White Castle noted, this decision could expose it (and others) to colossal damages. Under BIPA § 20, plaintiffs can recover liquidated damages for each violation of the statute in the amount of $1,000 per negligent violation or $5,000 per intentional or reckless violation. If each unlawful collection or disclosure of biometric information constitutes a separate violation, damages add up quickly, especially in a class action. In this case, for instance, White Castle noted that damages assessed on a per-violation basis could exceed $17 billion. The court was not swayed by concerns about excessive damages. The court noted that BIPA damages are discretionary (i.e., § 20 refers to what claimants “may recover”) and emphasized that the legislature is responsible for addressing such policy-based concerns. Ultimately, the court said, it must give effect to the “clear” language of the statute, “even though the consequences may be harsh, unjust, absurd, or unwise.” (Internal quotation marks omitted.)
Implications
First and foremost, this decision allows plaintiffs to seek extremely high damages under BIPA §§ 15(b) and 15(d). The dissent characterizes these potential damages as “annihilative,” “punitive, crippling,” and “wildly exceeding any remotely reasonable estimate of harm.” As the dissent points out, the threat of such liability may discourage companies from using biometric information entirely rather than using them in compliance with the statute. The only backstop to extreme damages is that courts have the discretion to lower these damages to ensure fairness and equity, as the majority mentions.
The dissent also notes that the prospect of such high damages may incentivize plaintiffs to wait as long as possible to bring claims under BIPA §§ 15(b) and 15(d). Per another recent decision by the Illinois Supreme Court, all BIPA claims have a five-year statute of limitations. Thus, a plaintiff could identify an alleged BIPA violation and then wait five years to sue, merely to maximize their damages. As the dissent points out, this is at odds with BIPA’s goal of protecting privacy because it incentivizes plaintiffs to allow alleged privacy infringements to multiply rather than pursue recourse as soon as such alleged violations are identified.
Facing high damages under this holding, we may see defendants relying more heavily on due process arguments. However, the best way to avoid the consequences of the White Castle decision is to avoid being sued in the first place. Now, more than ever, companies subject to BIPA should carefully consider their practices and what steps they can take to mitigate their litigation risk.
