By Chuck Ragan

The Illinois Supreme Court, in a split 4-3 decision, has resolved, for now, the question of when a claim accrues under the state’s Biometric Information Privacy Act (BIPA or the Act).  In its February 2023 decision, the court held that a separate claim accrues each time a private entity scans, or transmits, an individual’s biometric identifier, or information, in violation of the Act and not simply upon the first such instance.  Cothron v. White Castle System, Inc., 2023 WL 2052410 (Ill. Sup. Ct. February 17, 2023).^[1] 

The determination of this question was pivotal for the case: If defendant had prevailed, the case would have been resolved on limitations grounds; with plaintiff prevailing, the case will continue and, as the dissent pointed out, the damages for the putative class of 9500 past and current employees could theoretically reach $17 billion.  The decision also has implications well beyond the instant case, as many employers now use biometrics for a variety of functions.  Indeed, at least six other actions were stayed pending a decision in the case.^[2]

The decision comes hard on the heels of the same court’s decision in Tims v. Black Horse Carriers, Inc.,^[3] which held that a single five-year statute of limitations applies for all BIPA private actions.  Thus, the Illinois law is now settled as to when a claim accrues and the period of time for which damages may be collected.

The Underlying Facts in Cothron Were Commonplace

The alleged violations of the BIPA stemmed from simple facts:  In 2004, shortly after plaintiff began to work at White Castle and four years before the enactment of the BIPA, White Castle instituted a system requiring employees as a condition of continued employment to scan their fingerprints to access pay stubs and company computers.  White Castle, according to the complaint in the matter, did not until October 2018 seek to obtain plaintiff’s consent to take the scan or transmit it to its vendor. 

Plaintiff filed suit in December 2018, alleging that White Castle violated the Act each time after the Act became effective that White Castle collected her biometric fingerprints and each time it disclosed them to its third-party vendor for verification. 

White Castle, supported by more than a dozen amici curiae representing retail, restaurant, manufacturing, health, chemical, and trucking associations, argued that claims arose only the first time Cothron scanned her fingerprint into the system after the law took effect in 2008 and the first time White Castle transmitted that scan to its third-party vendor.  That was more than 10 years before plaintiff sued, which would make her suit untimely under the longest possible limitations period.

The BIPA Sections In Issue and Labyrinthian Path of the Case to the Supreme Court

Two of the Act’s provisions were involved in the case: Section 15(b) provides that a private entity may not “collect, capture, purchase, receive through trade, or otherwise obtain” a person's biometric data without first providing notice to and receiving consent from the person.  Section 15(d) provides that a private entity may not “disclose, redisclose, or otherwise disseminate” biometric data without consent.

Plaintiff filed her complaint originally in the circuit court for Cook County, Illinois.  Defendants removed the case to federal court under the Class Action Fairness Act of 2005.  After the district court sua sponte determined that Article III standing was secure, White Castle moved for judgment on the pleadings on the basis of untimeliness.  The trial court agreed with plaintiff’s position and denied the motion but determined that the claims-accrual issue was a controlling question of law on which there was substantial ground for disagreement and certified the question for appeal to the Seventh Circuit.  After evaluating the arguments of the parties as well as six amici curiae, the Seventh Circuit concluded: “All told, the practical implications of either side's interpretation, to the extent that Illinois courts would weigh them, do not decisively tilt one way or the other,” and certified the following questions to the Illinois Supreme Court:

Do Section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?

The Illinois Supreme Court chose to answer the questions in the opinion discussed here.

The Analyses Reflected in the Court’s Opinions

The majority and dissenting opinions in the Illinois Supreme Court had one thing in common: each purported to rely on the plain meaning of the words in the statute to support its positions.  But they reached diametrically opposed conclusions on virtually every point.

The majority noted that, once White Castle obtained a scan of an employee’s fingerprints, each time the employee sought to view their pay stub or access their work computer, they would use their fingerprints.  After quoting dictionary definitions of “collect” and “capture,” the majority agreed with plaintiff and the federal trial court, stating:

Defendant fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub.  As the district court explained, “[e]ach time an employee scans her fingerprint to access the system, the system must capture her biometric information and compare that newly captured information to the original scan (stored in an off-site database by one of the third-parties with which White Castle contracted).”  Cothron v. White Castle System, Inc., 477 F. Supp. 3d 723, at *732 (N.D. Ill. 2020).

The dissent on the other hand argued that the Act sought to protect the control and secrecy of the biometric identifier, which was lost once and only once with the initial scan.  The majority rejected this argument relying on the court’s 2019 decision in Rosenbach v. Six Flags Entertainment Corp,^[4] and holding that a person is aggrieved or injured, and a claim accrues, each time a private entity fails to comply with one of Section 15’s requirements, such as notifying an individual or obtaining their consent.

With respect to Section 15(d) of the Act, the majority relied on the word “redisclose” and held that “Section 15(d) applies to every transmission to a third party” such as the vendor used for authentication.  Relying on the loss of control point, the dissent reasoned that, after the initial transmission to White Castle’s vendor, “[t]here is no further loss of control, privacy, or secrecy with subsequent provision of the identical biometric information to the same party.”

Addressing the apocalyptic $17 billion argument mentioned above, the majority noted that a trial court had discretion with respect to damages, both under the Act and under equitable class action principles and, in any event, “policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature.”

What the Future Holds

Given the vigor with which the case has been litigated thus far, and the nonfinality of the opinion (see above fn. 1), further developments concerning this decision are theoretically possible.  In the absence of such action – or action of the Illinois legislature – the claims accrual question now has been settled for Illinois.  Creative lawyers may nonetheless seek to distinguish the facts of the case in other matters stayed pending this decision. 

To date, no other state allows a private right of action for violation of a biometric privacy law, but several states have such measures under consideration, and one may anticipate the arguments made in Cothron to be repeated when and as such laws take effect.

The lessons for private entities from Cothron seem clear: Illinois courts have continued the trend of siding with individuals on BIPA matters.  Employers subject to the BIPA should therefore shore up their BIPA compliance efforts or prepare for the prospect of harsh statutory penalties.  See generally, “Now Playing: The Palmistry of Biometric Data Privacy Law.”

For additional information on this topic, please contact Martin Tully at mtully@redgravellp.com.