Illinois Supreme Court Determines Every Biometric Scan or Transmission is a Separate BIPA Violation, Leading to an Estimated Maximum $17 Billion Fine.

Key Takeaways

Failure to comply with the requirements of BIPA could lead to potentially devastating fines and give class action lawyers significant leverage in forcing high-value settlements. It remains vital for companies to:

  • Review if and how biometric information is collected 
  • Update policies and procedures to comply with BIPA and other biometric laws
  • Ensure that appropriate retention periods are set and disclosed
  • Obtain informed consent for collection and processing of biometric information
  • Evaluate disclosure of biometric information to service providers and other third parties

On February 17, 2023, the Illinois Supreme Court issued a ruling in Latrina Cothron v. White Castle System, Inc., holding that a separate violation occurs, and a separate claim accrues, every time biometric information or a biometric identifier is scanned or transmitted in violation of the Illinois Biometric Information Privacy Act (BIPA). The case arose from White Castle System, Inc. (White Castle) requiring its employees, beginning before BIPA came into effect in 2008, to scan their fingerprints to access their pay stubs and computers; a third-party vendor (which was ultimately dismissed from the case) then verified each scan and authorized the employees' access.

BIPA requires that companies obtain informed consent for the collection, storage, and use of biometric data. The law also requires disclosure of the retention period for the information and the specific purpose for the information's collection, storage, and use. 

In a 9,000-person class action lawsuit, the named plaintiff, a manager at White Castle, alleged improper collection of her biometric information based on the absence of the consent required by BIPA. White Castle moved for judgment on the pleadings, arguing that the action was untimely since the claim accrued in 2008 when White Castle first obtained the plaintiff's biometric data. The plaintiff argued that a new claim accrued each time she scanned her fingerprints and White Castle sent the data to the third-party authenticator, rendering the action timely.

In a 4-3 decision, the court found that a new collection violation occurred each time an employee scanned their fingerprint, and a new disclosure violation occurred each time that collected data was transmitted to the third-party vendor. Because the violations were ongoing, the suit was timely. The decision also meant that, with statutory damages of up to $1,000 for each negligent violation and $5,000 for each willful violation, the violations by White Castle could lead to statutory damages of up to approximately $17 billion. However, it is also important to note that the amount of the fine is discretionary, and the courts could impose significantly lower amounts.

This decision serves as a strong reminder to make sure that if you're collecting biometric information, BIPA fines aren't also on the menu. The plaintiff's team is likely congratulating themselves on a well-done job, while White Castle may be feeling rather steamed.
