Businesses are Bound to get Beat-up by BIPA

The Illinois Supreme Court recently issued two major and highly-anticipated decisions regarding the Illinois Biometric Information Privacy Act (“BIPA”).  Specifically, these two decisions determined that the statute of limitations for all BIPA claims is five years, and determined that each scan or disclosure of biometric information constitutes a separate claim under BIPA.  As discussed below, these decisions may have grave consequences for businesses operating in Illinois.

BIPA

BIPA places certain requirements on entities that utilize “biometric identifiers” (such as eye scans, fingerprints, voiceprints, and scans of hand or face geometry) and “biometric information” (information generated from biometric identifiers).  Specifically, such businesses must:

1. Disclose how long biometric identifiers or information will be retained and when they will be destroyed;
2. Provide notice and obtain written consent from an individual prior to collecting, obtaining, or receiving an individual’s biometric identifiers and/or information;
3. Not sell or profit from an individual’s biometric identifiers and/or information;
4. Obtain an individual’s consent to share this or her biometric identifiers and/or information with a third-party; and
5. Safely store and protect an individual’s biometric identifiers and/or information considering the industry’s standard of care and the business’ own protections for its confidential and sensitive information.

A violation of any of these requirements is actionable under BIPA.  A prevailing plaintiff may be able to recover either actual damages or between $1,000 to $5,000 in statutory damages, as well as attorney’s fees, and injunctive relief. 

Tims v. Black Horse Carriers, Inc.

On February 2, 2023, the Illinois Supreme Court released its decision in Tims v. Black Horse Carriers, Inc.  The case determined the statute of limitations applicable to all claims under BIPA.

Tims brought a class action claiming that Black Horse’s requirement of fingerprint scans to clock in and out violated three provisions of BIPA: (a) no publicly available policy for the retention and destruction of biometric data, (b) no notice and consent when collecting employees’ biometric information, and (c) sharing employees’ biometric information without consent.  Black Horse argued that Tims’ claims were barred because a one-year statute of limitations applied.  Tims argued that Illinois’ five-year statute of limitations controlled.

In a unanimous opinion, the Illinois Supreme Court determined that the five-year statute of limitations applies to all claims under BIPA.

Cothron v. White Castle System, Inc.

Just two weeks after issuing its decision in Tims, the Illinois Supreme Court dropped the other shoe when it issued its decision in Cothron v. White Castle System, Inc. That case determined whether a BIPA violation occurred only the first time information is collected or disclosed, or whether there is a violation upon each collection or disclosure.

Latrina Cothron, asserted, on behalf of a class of employees, that White Castle violated BIPA by (a) requiring employees to scan their fingerprint to access pay stubs and computers, and (b) disclosing employee biometric data to a third-party to verify access, both without the proper notice and consent.

White Castle argued that a BIPA violation occurs only the first time biometric information is collected or disclosed, and therefore Cothron’s claims were time barred because they accrued well beyond any statute of limitations.  Cothron argued, conversely, that a BIPA violation occurs each time biometric data is scanned or disclosed to a third-party.

In a narrow 4-3 opinion, the Illinois Supreme Court held that each scan or transmission of biometric data without the requisite notice and/or consent is a separate violation of BIPA. 

Why Are These Decisions Important to Businesses in Illinois?

The expanded statute of limitations – five years – allows plaintiffs an extended time frame to bring actions.  Additionally, the longer statute of limitations expands the number of potential class members in a class action to include every employee in the preceding five years.

The ruling that every scan or disclosure without the proper notice or consent also increases potential liability.  Given a claim can accrue each time an employee scans biometric data, businesses have no safe harbor from new violations until an employee leaves (and then still have a five-year wait until the business is safe from suit).  Moreover, given that employees may need to scan biometric data multiple times a day – for example to access their computers as in the Cothron case – and each violation can result in between $1,000 and $5,000 in statutory damages, a business could be liable for tens of thousands of dollars per day for just one employee.  As the Cothron dissent pointed out, this could lead to “annihilative liability,” for an employer.  Indeed, the Cothron dissent noted that the damages in that case could be over $17 billion

What Can Businesses Do?

Businesses should contact their legal advisors and ensure that if they use biometric data, their current policies and practices relating to that data are up to date, accurately reflect actual practice, and, most importantly, comply with BIPA.

Businesses should also review their insurance policies to understand whether BIPA claims are covered, and, if so, the extent of that coverage. FVLD is interested in learning about businesses’ uses of biometric data.  Please click here to participate in our LinkedIn poll (available until March 14).