Illinois court decisions acknowledge biometric privacy act's damages a potential business killer

File photo shows a person using a sensor for biometric identification on a smartphone in Berlin

REUTERS/Fabrizio Bensch/Files

April 17, 2023 - This year has already proven itself to be another explosive year for litigation surrounding the Illinois Biometric Information Privacy Act (BIPA). Enacted in 2008, BIPA has gained only more attention over the years as it has unleashed numerous class actions, as more businesses have deployed biometric security technology to obtain personally identifiable information — and then transmitted it to a third party for processing — without paying heed to obtaining the required consent.

BIPA is intended to protect individuals from the overreach of these technologies, but the specific design of the statute, which allows for damages to be awarded at the court's discretion, raises the specter of bankruptcy-inducing levels of damages for businesses that run afoul of its requirements.

In February, the Illinois Supreme Court issued two opinions that interpret the scope of BIPA. Those opinions, Tims v. Black Horse Carriers, Inc. and Cothron v. White Castle Sys., Inc., are sure to have long-lasting implications absent subsequent intervention by the Illinois Legislature. The decisions also point to issues that other states should weigh carefully as they consider adopting their own state data privacy statutes, as many are doing this year.

With the Tims decision, BIPA claims can reach back as far as five years from the filing of a BIPA claim. This limitations period, although not an uncommon measure for a statute of limitations, invariably increases the potential liability for non-compliant companies, with the question becoming: When does a BIPA claim begin to accrue?

In Cothron, the 7th U.S. Circuit Court of Appeals certified the following question to the Illinois Supreme Court: Do section 15(b) and 15(d) claims accrue each time a private entity scans a person's biometric identifier and each time a private entity transmits such a scan to a third party, or only upon the first scan and first transmission?

In a close 4-3 decision, the Illinois Supreme Court held that a separate claim accrues under the Act each time a private entity scans or transmits an individual's biometric identifier or information in violation of section 15(b) or 15(d). This counting means that each scan and transmission of any person's biometric information constitutes a violation — so if an employer requires such scans as part of a daily (or more frequent) practice by each employee, and then transmits the biometric data to a contractor to process it, the numbers can add up quickly, with serious consequences for the potential damages the business will face when sued.

An example of how this works in practice is set forth in Cothron's own facts, which involve a manager at a White Castle hamburger restaurant in Illinois. Each day, White Castle required its employees to scan their fingerprints to access their pay stubs and computers. To authorize each employee's access, a third-party vendor would verify each scan. In doing so, however, White Castle never obtained the consent from its employees that BIPA requires.

Section 15(b) of the Act provides that a private entity may not "collect, capture, purchase, receive through trade, or otherwise obtain" a person's biometric data without first providing notice to and receiving consent from the person. Section 15(d) provides that a private entity may not "disclose, redisclose, or otherwise disseminate" biometric data without consent.

Because White Castle did not seek the manager's consent to acquire her biometric data until 2018 (with White Castle's biometric system having been implemented before BIPA), White Castle had been collecting her fingerprint for nearly a decade, every day, in violation of BIPA. However, whether White Castle actually violated BIPA depended on one question alone: When did the BIPA claim accrue — the very first time the manager scanned her fingerprint (which was before BIPA's enactment)? Or, did a new claim accrue on each new day she logged into her pay stub/computer?

The majority split vehemently with the dissent over this issue, finding that a new claim accrues every time the plaintiff manager scanned her fingerprint. The majority found this interpretation consistent with the statutory language's plain meaning and the Legislature's intent to provide individuals with a meaningful and informed opportunity to decline the collection or dissemination of their biometrics. This interpretation also provides an incentive for private entities that collect biometric information to take action to mitigate their conduct if they neglected to comply at first.

By contrast, the dissent reasoned that with each subsequent authentication scan, the private entity is not obtaining anything that it does not already have, and therefore, the claim can accrue only in the first instance in which the person gives up their fingerprint — that is, when the individuals disclose their biometric data without proper consent. But subsequent scans do not collect any new information, so the dissent held that any subsequent scan does not impose upon individuals any additional loss of control over their biometric information.

In issuing its opinion, the majority itself acknowledged the impact of its ruling, stating that damages in this action alone may exceed $17 billion — a potentially ruinous amount to all but the largest businesses. However, the majority held that that threat is limited by the fact that the statute gives courts discretion in ordering damages, noting that BIPA authorizes the categories and amounts of damages that a "prevailing party may recover . . ." (emphasis added).

Recognizing the potentially catastrophic consequences of its opinion on businesses — that courts can still order astronomical damages — the court concluded by stating, while there is "no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business" (emphasis added), it is up to the Legislature to "review these policy concerns about potentially excessive damage awards" and "make clear its intent."

Whether or not the Illinois Legislature chooses to revisit the scope of BIPA damages, what is pertinent at this moment is that the opinion by the Illinois Supreme Court is presently binding. Businesses must be aware that, although damages are discretionary, financial destruction is a very real possibility under BIPA. If a business is using technology that collects biometric information, compliance with BIPA is imperative.

With damages like this at stake, it would behoove any company, obviously in Illinois but prudently in all jurisdictions given the rapidly shifting legal landscape and trends, to be as cautious as possible by following these best practices:

• Review the technology currently in place to pinpoint when/where biometric information is used;

• Update employee handbooks/policies to reflect how these technologies are being used in compliance with BIPA's requirements;

• Implement a system for obtaining appropriate consent every time biometric information is collected;

• Ensure that consent is properly documented and is aligned with the employee handbooks/policies;

• Review insurance policies for potential coverage gaps and issues regarding data privacy claims.

Even if the company is unsure about whether the technology it uses falls squarely within BIPA, that is something the law is still defining. Indeed, it remains unclear, for example, whether BIPA covers voice recognition or "voice prints," despite this technology's absence from the written act. The price that companies have had to pay to date seems hardly worth the risk, considering the massive settlements from 2022 that included Google paying $100 million (Rivera v. Google LLC, No. 2019 CH 990 (Ill. Cir. Ct. Cook Cnty.)), TikTok paying $92 million (In re: TikTok, Inc., Consumer Priv. Litig., No. 20 CV 4699 (N.D. Ill.)), and Snapchat paying $35 million (Boone v. Snap Inc., No. 2022 LA 708 (Ill. Cir. Ct. DuPage Cnty.)). And in 2021, Facebook agreed to a settlement of $650 million (In re Facebook Biometric Information Privacy Litigation, N.D. Cal.).

Currently, Illinois, Texas, and Washington are the only states with biometric-specific laws in place (along with New York City), with Illinois being the only state to provide individuals with a private right of action. On March 28, 2023, Iowa's Governor signed that state's consumer data protection act, the "Iowa Privacy Law," and since the start of the 2023 legislative session, at least 15 biometric privacy law proposals have emerged across 11 states (including Arizona, Hawaii, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, New York, Tennessee, Vermont, and Washington), with the majority modeled on Illinois' BIPA.

With states considering data privacy protection legislation, 2023 stands out as a more important year than ever to ensure that your business is not at risk.

Fredric D. Bellamy is a regular contributing columnist on data privacy laws and litigation for Reuters Legal News and Westlaw Today.

Opinions expressed are those of the author. They do not reflect the views of Reuters News, which, under the Trust Principles, is committed to integrity, independence, and freedom from bias. Westlaw Today is owned by Thomson Reuters and operates independently of Reuters News.

Fredric D. Bellamy is a partner with Dickinson Wright PLLC, where he practices business litigation. His cases frequently involve scientific, technological, or other complex issues, including those relating to cybersecurity and data privacy issues, insurance coverage, environmental and toxic tort, and intellectual property claims. He is based in Phoenix and can be reached at fbellamy@dickinsonwright.com.

Ashley N. Fernandez is an associate at Dickinson Wright PLLC, where she counsels clients on intellectual property, data privacy, and cybersecurity matters. At George Washington Law, she was a legal extern at the Federal Trade Commission's Office of International Affairs. She is based in Detroit and can be reached at AFernandez@dickinsonwright.com.