By Gerald L. Maatman, Jr., Alex W. Karasik, Tyler Z. Zmick, and Jennifer A. Riley
Duane Morris Takeaways: In the latest ruling in Illinois in the biometric privacy class action space, the Illinois Supreme Court decided today in Cothron v. White Castle, 2023 IL 128004 (Ill. Feb. 17, 2023), that a separate claim for damages accrues under the Biometric Information Privacy Act (“BIPA”) each time a private entity scans or transmits an individual’s biometric identifier or information, in violation of section 15(b) or 15(d).
This ruling could exponentially increase monetary damages in class actions brought under the BIPA, especially in the employment context, where employees scan in and out of work multiple times per day for several hundred days per year.
Plaintiff alleged that after she started working at White Castle in 2004, the company required her to use a fingerprint-based system to access the workplace computer she used in her position as a manager. Plaintiff sued White Castle several years later in 2018, alleging that the company violated Sections 15(b) and 15(d) of the BIPA in connection with the fingerprint-based system by (i) collecting her biometric data without providing her with the requisite notice and obtaining her written consent, and (ii) disclosing her biometric data without consent.
After removing the complaint to the U.S. District Court for the Northern District of Illinois, White Castle moved for judgment on the pleadings on the basis that Plaintiff’s claims were untimely. Specifically, White Castle argued that Plaintiff’s BIPA claims accrued in 2008 (when her first fingerprint scan occurred after the BIPA took effect), yet she did not file her complaint until 2018. The District Court rejected White Castle’s one-time-only theory of claim accrual, holding that the lawsuit was timely because each separate unauthorized fingerprint scan constituted an independent violation of the statute, meaning Plaintiff’s BIPA claims were timely because her last fingerprint scan occurred within five years of the filing of her complaint. Because the issue presented a close call, however, the District Court permitted White Castle to file an interlocutory appeal with the Seventh Circuit regarding whether Section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits a scan to a third party, respectively, or only upon the first scan and first transmission.
The U.S. Court of Appeals for the Seventh Circuit accepted the interlocutory appeal. Id. ¶ 9. After determining that Plaintiff had standing to bring her action in federal court under Article III of the U.S. Constitution, the Seventh Circuit addressed the parties’ respective arguments on the accrual of a claim under the Act. Id. Ultimately, the Seventh Circuit found the parties’ competing interpretations of claim accrual reasonable under Illinois law, and it agreed with Plaintiff that “the novelty and uncertainty of the claim-accrual question” warranted certification of the question to the Illinois Supreme Court. Id. at 1165-66. The Seventh Circuit “observed that the answer to the claim-accrual question would determine the outcome of the parties’ dispute, this court could potentially side with either party on the question, the question was likely to recur, and it involved a unique Illinois statute regularly applied by federal courts.” Id..
The Illinois Supreme Court’s Decision
In a 4-3 split ruling, the Illinois Supreme Court held today that that a separate claim accrues under the BIPA each time a private entity scans or transmits an individual’s biometric identifier or information, in violation of section 15(b) or 15(d). First, the Illinois Supreme Court analyzed the certified question with respect to Section 15(b), which provides that no private entity “may collect, capture, purchase, receive through trade, or otherwise obtain” a person’s biometric data unless it first provides notice and receives written consent. 740 ILCS 14/15(b). Relying on the plain language of the statute and the fact that the actions of “collecting” and “capturing” biometric data can occur more than once, the Supreme Court agreed with Plaintiff’s interpretation – namely, that Section 15(b) “applies to every instance when a private entity collects biometric information without prior consent.” Id. ¶¶ 19, 23. As interpreted in the context of the facts of the case, the Supreme Court further observed that White Castle obtains an employee’s fingerprint, stores it in its database, and then compares the fingerprint taken during subsequent scans to verify the identity of the employee. In the Supreme Court’s words, White Castle “fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub.” Id. ¶ 23. Accordingly, consistent with the District Court’s decision in Cothron and the Illinois Appellate Court’s conclusion in Watson, 2021 IL App (1st) 210279, ¶ 46, the Illinois Supreme Court held that an entity violates Section 15(b) the first time it collects biometric data without having provided the requisite notice and obtaining consent, in addition to “each subsequent scan or collection.” Id. ¶ 24.
Next, closely tracking its analysis of Section 15(b), the Supreme Court similarly held that BIPA Section 15(d) – which prohibits the disclosure, redisclosure, or dissemination of biometric data without consent – “applies to every transmission to a third party.” Id. ¶ 28. Like the verbs “collect” and “capture” in Section 15(b), the acts of disclosing and redisclosing biometric data occur upon the initial disclosure in addition to any subsequent disclosure or redisclosure of the data. See id. ¶ 29 (“A fingerprint scan system requires a person to expose his or her fingerprint to the system so that the print may be compared with the stored copy, and this happens each time a person uses the system.”).
The majority opinion also rejected White Castle’s remaining “nontextual” arguments supporting its single-accrual interpretation. White Castle argued that a BIPA claim accrued only upon the initial collection or disclosure of a person’s biometric data because an individual loses the right to control his or her biometric data as soon as the data is collected and/or disclosed. In rejecting the argument, the Supreme Court again relied on the statute’s plain language, stating: “[n]o such limitation appears in the statute. We cannot rewrite a statute to create new elements or limitations not included by the legislature.” Id. ¶ 39.
Next, the Supreme Court turned to White Castle’s argument that in light of the BIPA’s liquidated damages provision, interpreting the statute to mean an entity violates Sections 15(b) and 15(d) every time it collects or discloses biometric data means “a party may recover for “each violation,” allowing multiple or repeated accruals of claims by one individual could potentially result in punitive and “astronomical” damage awards that would constitute “annihilative liability” not contemplated by the legislature and possibly be unconstitutional.” Id. ¶ 41. For example, White Castle estimated that if Plaintiff was successful and allowed to bring her claims on behalf of as many as 9,500 current and former White Castle employees, classwide damages in her action may exceed $17 billion. Once again, the Supreme Court rejected White Castle’s argument because the statutory language is clear and supports plaintiff’s position. See id. ¶ 40 (“As the district court observed, this court has repeatedly held that, where statutory language is clear, it must be given effect, “ ‘even though the consequences may be harsh, unjust, absurd or unwise.’ ” (Emphasis omitted.) Cothron, 477 F. Supp. 3d at 734 (quoting Peterson v. Wallach, 198 Ill. 2d 439, 447 (2002)).”).
Importantly, however, the Supreme Court acknowledged that trial courts could exercise their discretion to reduce the amount of statutory damages that plaintiffs can recover. Id. ¶ 42. In closing, the Supreme Court reiterated the position that White Castle’s “policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature,” and it “suggest[ed] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.” Id. ¶ 43. Accordingly, the Illinois Supreme Court concluded that the plain language of section 15(b) and 15(d) shows that a claim accrues under the BIPA with every scan or transmission of biometric identifiers or biometric information without prior informed consent.
Notably, three Illinois Supreme Court Justices, inclusive Chief Justice Theis, joined the Dissenting Opinion. Of note, the Dissent opined that two significant consequences militate against the majority’s construction. Id. ¶ 60. First, under the majority’s rule, plaintiffs would be incentivized to delay bringing their claims as long as possible, since “If every scan is a separate, actionable violation, qualifying for an award of liquidated damages, then it is in a plaintiff’s interest to delay bringing suit as long as possible to keep racking up damages.” Id. Second, the Dissent noted that, “the majority’s construction of the Act could easily lead to annihilative liability for businesses.” Id. at ¶ 61.
In sum, the Dissent commented that, “Imposing punitive, crippling liability on businesses could not have been a goal of the Act, nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm. Id. ¶ 63. To this point, the Dissent opined that, “nothing in the Act indicating that the legislature intended to impose cumbersome requirements or punitive, crippling liability on corporations for multiple authentication scans of the same biometric identifier. The legislature’s intent was to ensure the safe use of biometric information, not to discourage its use altogether.”
Implications For Employers
Following the Illinois Supreme Court’s similar pro-plaintiff ruling in Tims v. Black Horse Carriers, 2023 IL 127801 (Ill. Feb. 2, 2023), which applied a five-year statute of limitations to the BIPA instead of a one-year statute of limitations, the well is beginning to dry for businesses in terms of potential BIPA class action defenses. While employers can still explore novel exemptions, such as information captured from a patient in a health care setting, most companies caught in the crosshairs of BIPA class actions will be facing monumental amounts of potential damages.
Businesses confronted with BIPA class actions may need to explore alternative potential defenses, such as the constitutionality of the overbearing damages thresholds. Companies will also likely push for legislative changes. Nonetheless, given the bleak outlook of the law as it stands, it is imperative for businesses to immediately ensure they are compliant with the BIPA.