That’s A Lotta Sliders

The Illinois Supreme Court’s Feb. 20 decision in Cothron v. White Castle Systems exposes companies that violate the Illinois Biometric Information Privacy Act to potentially enormous judgments. White Castle argued that claims under the Act should only accrue at the first scan or transmission of an individual’s biometric information without consent and that imposing liability for hundreds or thousands of statutory violations “could potentially result in punitive and astronomical damages awards.” Had the Court accepted that interpretation, a plaintiff would be limited to a single award of damages no matter how many times their biometric data was used without consent. Instead, the Court applied a “per violation” interpretation, meaning damages are due each time the data is used. BIPA, enacted in 2008, provides for statutory damages of $1,000 per negligent violation and $5,000 per intentional/reckless violation, or actual damages plus attorney’s fees and costs, with no showing of harm required. It is the only biometric law in the US with a private right of action. Companies can take heart from some of the language in the ruling, however. The Court stated that it “appears that the General Assembly chose to make damages discretionary rather than mandatory, and “generally agreed” that “a trial court presiding over a class action—a creation of equity—would certainly possess the discretion to fashion a damage award that fairly compensated claim class members and included an amount designed to deter future violations, without destroying defendant’s business.”