
Illinois Supreme Court Determines Each Employee Scan is a Separate BIPA Violation.

On February 17, 2023, the Illinois Supreme Court issued its decision in Cothron v. White Castle, 2023 IL 128004, which has far-reaching impacts on Illinois Biometric Information Privacy Act (“BIPA”) litigation and on any Illinois employer that has used handprint, thumbprint, or other biometric scanning devices for its employees.

In Cothron, the plaintiff claimed that a separate violation of BIPA occurred every time she and fellow employees logged into their computer with their fingerprint scan. Defendant White Castle argued that the penalty should only be assessed once on the first instance an employee used the scanning device.

The Illinois Supreme Court addressed the issue on certified question from a federal district court. The majority agreed with the plaintiff’s position, finding that each fingerprint scan made without the proper BIPA disclosure, or otherwise in violation of the statute, amounts to a separate BIPA violation with separate statutory damages. The Court reasoned that the statutory language in BIPA does not distinguish between the “collection” or “disclosure” of biometric information and its subsequent “re-collection” or “re-disclosure.”

Therefore, each employee in a certified class could give rise to hundreds or thousands of separate violations.  Even a relatively small class of several hundred current or former employees could give rise to hundreds of millions of dollars in liability.

The dissenting opinion, authored by Justice Overstreet, recognized the “severe” implications of the ruling, and also recognized that an employee whose biometric information is put at risk by violation of BIPA is not subjected to a separate or different risk by a subsequent violation. 

The Cothron holding follows the Illinois Supreme Court’s other recent BIPA decision in Tims v. Black Horse Carriers, Inc., which determined BIPA is subject to a five-year statute of limitations, rather than the shorter one-, two-, or three-year limitations periods employers have argued for in the past. 

If your company uses – or previously used – biometric information (such as finger, face, hand, or retina scan timeclocks or entry devices), it is critical that you confirm that you are complying with BIPA’s requirements. You should also determine if there are ways to reduce any potential liability for past activities. Attorneys from our Labor & Employment Team continue to monitor legal developments regarding biometric data and are happy to assist with evaluating and updating processes to ensure compliance and mitigate exposure from past violations.
