New BIPA Rulings in Illinois

The Illinois Supreme Court recently issued a decision in Cothron v. White Castle System, Inc. which could have significant implications for the state’s litigation landscape and business environment. The case concerned an alleged violation of Illinois’ Biometric Information Privacy Act (BIPA) by White Castle, a fast-food restaurant chain, in connection with its use of fingerprint scanning technology for employee timekeeping purposes.

BIPA requires companies to obtain informed, written consent from individuals before collecting, using, or storing their biometric information, such as fingerprints or facial scans. In addition, the law imposes specific notice and data retention requirements, as well as a private right of action that allows individuals to sue for damages if their rights are violated.

In the Cothron case, the plaintiff alleged that White Castle violated BIPA by failing to provide proper notice and obtain consent before collecting and storing her fingerprint data. The trial court dismissed the case, but the appellate court reversed and remanded it for further proceedings. White Castle appealed the decision to the Illinois Supreme Court, which ultimately affirmed the appellate court’s ruling.

The Supreme Court’s decision covers many topics (i.e., plaintiff does not need to show actual harm or injury to bring a BIPA claim) while emphasizing the importance of complying with BIPA’s notice and consent requirements. The Court rejected White Castle’s argument that the plaintiff’s claim was moot because the company had provided proper notice and obtained consent after the lawsuit was filed. The Court held that the violation had already occurred when the data was collected without proper notice and consent and that the plaintiff was entitled to seek damages for that violation.

The most notable part of the decision was the Court’s confirmation of the law’s statutory damages provision. BIPA allows for damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation. The Court clarified that the “per violation” is every single capture. To put this into perspective, a time clock that uses fingerprint technology could capture biometric information 4 – 8 times per day per employee (every clock in and clock out).

While this decision could provide more protection for individuals’ biometric privacy, it may also have a chilling effect on businesses and technology operating in Illinois. The potential for significant damages based on every capture, along with the Tims v. Black Horse Carriers, Inc. decision that expanded liability for BIPA claims to a five-year statute of limitations, could incentivize plaintiffs’ attorneys to file more BIPA lawsuits – resulting in increased litigation costs for companies, and a more challenging business environment for this advanced technology. The question remains how this will be addressed on a federal level or by other states that we’ve yet to see legislate private rights of action.