New BIPA Rulings in Illinois

By Hunter McMahon

April 4, 2023

Fingerprint scan provides security access.

Hunter McMahon is the Chief Operating Officer for iDiscovery Solutions (iDS). He focuses on collaborating with a team of experts to provide industry-leading solutions for clients in need of data analytics for litigation, investigations, data privacy and compliance issues. He has served as a testifying and consulting expert to large and small corporations and works with Am Law 100 and boutique law firms.

Originally published in Today’s General Counsel, April 2023

The Illinois Supreme Court recently issued a decision in Cothron v. White Castle System, Inc., which could have significant implications for the state’s litigation landscape and business environment. The case concerned an alleged violation of Illinois’ Biometric Information Privacy Act (BIPA) by White Castle, a fast-food restaurant chain, in connection with its use of fingerprint scanning technology for employee timekeeping purposes.

BIPA requires companies to obtain informed, written consent from individuals before collecting, using, or storing their biometric information, such as fingerprints or facial scans. In addition, the law imposes specific notice and data retention requirements, as well as a private right of action that allows individuals to sue for damages if their rights are violated.

In the Cothron case, the plaintiff alleged that White Castle violated BIPA by failing to provide proper notice and obtain consent before collecting and storing her fingerprint data. The trial court dismissed the case, but the appellate court reversed and remanded it for further proceedings. White Castle appealed the decision to the Illinois Supreme Court, which ultimately affirmed the appellate court’s ruling.

The Supreme Court’s decision covers many topics (e.g., a plaintiff does not need to show actual harm or injury to bring a BIPA claim) while emphasizing the importance of complying with BIPA’s notice and consent requirements. The Court rejected White Castle’s argument that the plaintiff’s claim was moot because the company had provided proper notice and obtained consent after the lawsuit was filed. The Court held that the violation had already occurred when the data was collected without proper notice and consent and that the plaintiff was entitled to seek damages for that violation.

The most notable part of the decision was the Court’s confirmation of the law’s statutory damages provision. BIPA allows for damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation. The Court clarified that “per violation” means every single capture. To put this into perspective, a time clock that uses fingerprint technology could capture biometric information 4 to 8 times per day per employee (every clock in and clock out).

While this decision could provide more protection for individuals’ biometric privacy, it may also have a chilling effect on businesses and technology operating in Illinois. The potential for significant damages based on every capture, along with the Tims v. Black Horse Carriers, Inc. decision that expanded liability for BIPA claims to a five-year statute of limitations, could incentivize plaintiffs’ attorneys to file more BIPA lawsuits, resulting in increased litigation costs for companies and a more challenging business environment for this advanced technology. The question remains how this will be addressed on a federal level or by other states that we’ve yet to see legislate private rights of action.
