United States: A White Castle Post-Mortem: The Prospect Of "Annihilative" Damages Under The Illinois Biometric Privacy Act Has Galvanized The Plaintiffs' Bar, But Avoiding Liability Is Manageable

In another explosive year for Illinois Biometric Privacy Act ("BIPA") litigation, the Illinois Supreme Court handed down a new interpretation of BIPA that multiplied the already high cost of damages in BIPA cases to business-breaking levels. In Cothron v. White Castle, the Court's new system of calculating BIPA damages allowed for a potential cost total to White Castle surpassing $17 billion, a reality that caused a sharp increase in the number of BIPA class actions filed in Illinois.

As the Illinois Supreme Court continues to further interpret the Act, the cost of violating BIPA has only grown, with this most recent decision delivering the most staggering potential sums yet. To be clear, if your organization collects biometric identifiers—generally retina or eye scans, fingerprints, voiceprints, or scans of hand or face geometry—of your employees or other individuals in Illinois, your organization could be at risk of significant liability if minimum compliance requirements under BIPA are not met. Similarly, if you invest in an organization that collects biometric identifiers, ensuring compliance is critical to preserving and protecting that investment.

Though initially a trailblazer when passed in 2008 as the first state privacy law to specifically regulate the collection, use, and storage of biometric data, BIPA was interpreted in 2019 by the Illinois Supreme Court to be a strict liability statute. In other words, the Illinois Supreme Court ruled that an aggrieved person can bring suit under BIPA regardless of whether the violation itself caused actual harm (e.g., a mere technical violation is sufficient).

In simplest terms, the Act requires entities to implement and provide notice and obtain written consent prior to collecting individuals' biometric identifiers. If there is no policy and no notice or consent, a violation has occurred. To make matters worse, violations accrue per instance, meaning every collection or scan of a person's fingerprint or other identifier constitutes an individual violation, with a damage cost of $1,000-$5,000 per violation.

Such were the facts in the aforementioned White Castle case, detailed here, in which the total cost of violations for every employee clocking in and out for their shifts while White Castle was noncompliant with BIPA resulted in a potential damage award of over $17 billion. While White Castle argued that such a per-instance interpretation of the law could result in "annihilative" damages, the Court held that reforming the law to decrease the potential for such damages was for the Illinois Legislature, not the courts.

With this controlling interpretation, violations—and associated damages—can accumulate quickly. Previous BIPA judgments were already reaching the hundreds of millions—such as the $228 million judgment against BNSF Railway for scanning fingerprints of employed truckers, reported on here. While the BNSF judgment recently settled after being remanded in light of the White Castle decision, the new "per instance" damages calculation could result in even larger judgments depending on the volume of scans. Though the Court is given "discretion" in determining the cost of damages, no case has had a final judgment issued under the new "per-scan" interpretation.

While it is certainly dangerous to run afoul of BIPA, developing compliance with the Act is a relatively straightforward process. Except in very specific, limited scenarios, if an entity is collecting the biometric identifiers of employees or consumers, the Act requires a written and publicly available policy explaining the entity's practices surrounding its collection, retention, and destruction of such identifiers. Entities must also obtain informed, written consent prior to collecting such identifiers. Lastly, entities must protect the identifiers and are prohibited from selling, leasing, trading, otherwise profiting, or collecting identifiers without consent. With a simple policy and notice and consent process, compliance can be reasonably easy to achieve.

Though BIPA litigation is still evolving, it is clear that the strict liability nature of BIPA violations combined with the private right of action and statutory damages have created windfalls for plaintiffs and a dangerous landscape for entities that have legitimate business interests in collecting biometric data. Considering the straightforward path to compliance and the potentially crippling costs of violations, an ounce of prevention is worth a pound of cure. Providing compliant notice and obtaining written consent before collecting any biometric information in Illinois can protect your business from drawn-out litigation and save millions—or even billions—in damages.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.