In a February 17, 2023 opinion in Cothron v White Castle System, Inc., a narrow 4-3 decision of the Illinois Supreme Court held that the plaintiff was entitled to a separate cause of action for each and every time her biometric data was used in violation of the Illinois Biometric Information Privacy Act, 740 ILCS 14 et seq. (the “BIPA”).[1] The decision paves the way for potentially record-setting damages and presents significant exposure to private entities that collect, use and disclose biometric data such as fingerprints, facial recognition and retina scans to manage employees or in the course of business. The White Castle decision also underscores the importance for private entities doing business in Illinois to ensure compliance with BIPA.
Enacted in 2008, the BIPA is one of the most comprehensive laws in the U.S. regarding the security and protection of biometric data collected and maintained by businesses. Key features of the BIPA are:
- Informed consent requirement prior to collection of biometric data;[2]
- Prohibition on selling, trading or profiting from biometric data;[3] and
- Limitations on disclosure of biometric data to third parties.[4]
The BIPA also extends a private right of action to victims of a BIPA violation in addition to statutory liquidated damages for negligent and reckless violations.[5] BIPA has created a litany of private action suits seeking damages, most notably involving Facebook, where it was accused of unlawfully collecting and using biometric data in violation of BIPA. Plaintiffs in the consolidated suits alleged that Facebook’s use of facial recognition to suggest “tags” for user-uploaded photos on the platform was a violation of the BIPA.[6] The resulting case, In re Facebook Biometric Info. Privacy Litig., in 2022, produced a landmark $650 million settlement between Facebook and consumers in the affected class.
The plaintiff in White Castle, Latrisha Cothron, was a manager at a White Castle restaurant where her fingerprint was scanned each time she accessed her pay stubs or utilized her employer’s computer system. The data was then disclosed to a third-party vendor to verify her identity using a stored fingerprint. Cothron claimed that she never consented to the collection or disclosure of her biometric data in violation of sections 15(b) and 15(d) of the BIPA. Although defendant White Castle argued that her claims were untimely since the first violation had occurred in 2008, Cothron argued – and the court agreed – that a new claim accrued, respectively, each time she scanned her fingerprint and the collected biometric data was disclosed to a third party.[7]
In its majority opinion, the White Castle court pointed to the notice requirement under the BIPA which requires that the subject be informed of the retention period for the data as evidence that the “legislature contemplated collection as being something that would happen more than once.”[8] Rejecting White Castle’s arguments that the loss of an individual’s right to control over biometric data is a “single overt act” resulting in only a single claim under the BIPA, the court held that in light of its decision in Rosenbach v Six Flags Entm’t Corp – which establishes that each statutory violation is itself an injury under the BIPA – each violation of the statute gives rise to a separate claim.[9]
Addressing the huge impact on damages this decision might have (White Castle estimated class-wide exposure of $17 billion given its 9,500 employees), the court’s majority clarified that damages were discretionary under the BIPA and were not intended by the legislature to “authorize a damage award that would result in the financial destruction of a business.”
Where an entity routinely collects and utilizes biometric data, the White Castle decision would create significant risk and exposure given the statutory damages permitted under the BIPA, even where such damages are discretionary. While the court acknowledged the potential catastrophic implications of the decision for businesses collecting biometric data, the court took a hands-tied approach to its application of the statute and deferred to the legislature to address “policy-based concerns about potentially excessive damage awards…”.[10] This decision underscores the risk for companies collecting biometric data in Illinois. It is important that businesses operating in Illinois carefully examine their collection, use and disclosure of biometric data.
If you have any questions or would like an attorney to review your company’s privacy practices, please contact a member of Varnum’s Data Privacy and Cybersecurity Team.
[1] Cothron v. White Castle Sys., Inc., 2023 IL 128004 (February 17, 2023).
[2] 740 ILCS 14/15(b).
[3] 740 ILCS 14/15(c).
[4] 740 ILCS 14/15(d).
[5] 740 ILCS 14/20 (provides liquidated damages up to $1,000 for negligent violations and up to $5,000 for intentional or reckless violations).
[6] See e.g. Pezen v Facebook Inc., 1:15-cv-03484 (N.D. Ill. Apr. 21, 2015); Licata v Facebook Inc., 1:15-cv-04022 (N.D. Ill. May 5, 2015); Patel v Facebook Inc., 1:15-cv-04265 (N.D. Ill. May 14, 2015) (collectively, In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016)). See also Gullen v Facebook Inc., 1:15-cv-07861 (N.D. Ill. Aug. 31, 2015) (dismissed for lack of personal jurisdiction).
[7] Id. at ¶ 30.
[8] Id. at ¶ 23.
[9] Id. at ¶ 37; see Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186, 129 N.E.3d 1197.
[10] White Castle, supra note 1 at ¶ 43.