On February 17, 2023, the exposure risk of a company found to be violating Illinois’ Biometric Information Privacy Act (BIPA) increased to a potentially crippling amount. What was previously commonly understood to entail a maximum of $1,000 per negligent (or $5,000 for reckless) violation per plaintiff now authorizes a $5,000 fine per instance of collection, turning—for example—the nonconsensual use of an employee’s fingerprint for clocking in and out of work multiple times per day into 1,040 violations of BIPA per year if a full-time employee clocks in and/or out just four times each day, potentially resulting in estimated damages of $1,040,000 for negligent violations or $5,200,000 for reckless violations.
Passed in 2008, BIPA requires informed consent prior to the collection or disclosure of a person’s biometric identifiers—generally, this includes fingerprints, voiceprints, retina scans, and scans of hand or face geometry. The ethos behind the act is that such “biometric identifiers” are unique to each individual but, unlike social security numbers, are completely unchangeable, leaving a person no recourse for correction if such information becomes compromised. As such, requiring informed consent in order to give individuals greater control over their biometric information is the cornerstone of the law.
While BIPA is noble in intent, the courts have unmoored it from its original purpose, with Friday’s decision only drifting its interpretation further into open waters. In 2019, the Illinois Supreme Court held that a plaintiff does not need to allege any actual injury or damages to collect under BIPA—that a violation of the act is enough to allow a plaintiff to collect under the statute—resulting in a cascade of BIPA lawsuits. In this most recent case, Cothron v. White Castle System, Inc., 2023 IL 128004, the Illinois Supreme Court was asked by the Seventh Circuit to answer whether “claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission.”
The Court’s answer to the question is staggering, holding that “a separate claim accrues under [BIPA] each time a private entity scans or transmits an individual’s biometric identifier or information.” In essence, BIPA now assesses the numerosity of the same act of collection, no matter its degree of risk or the flagrancy of its violation, and not the danger of the initial act—meaning that a fingerprint scan to access a workplace identification system every day for which an employee has not signed a written release could render an astronomically greater liability than a single act of scanning a person’s facial geometry and selling such information to a third party without the person’s knowledge.
As the dissenting justices recognized, the “precise harm” that the Illinois legislature was addressing in passing BIPA was “an individual’s loss of the right to maintain biometric privacy.” As such, “[t]here is only one loss of control or privacy, and this happens when the information is first obtained”—subsequent scans of a fingerprint to confirm its likeness to a fingerprint already collected are scans for verification, not new “collections.” Unconvinced by this plain reading, the majority also dismissed the potential crippling liability of their interpretation. Acknowledging White Castle’s estimate that a class action based on the plaintiff’s claim could result in damages exceeding $17 billion, the Court found such “policy” considerations to be the responsibility of the legislature but did not grapple with the reality that such liability could not possibly have been the legislature’s intent. While the Court does clarify that damage awards in BIPA lawsuits are discretionary and not mandatory, a previously unanswered question, this is cold comfort to businesses when the extent of potential damages is essentially uncapped.
Regardless, the Court’s reasoning is now the standard and adds a new frontier and range of considerations for companies deploying biometric scanning technologies within the state of Illinois. As the past few years have demonstrated, BIPA actions are growing both in potential liability and in range of claim. We previously reported on the first BIPA case to proceed to trial, which resulted in a judgment against BNSF Railway Company for $228 million in damages. In that case, the U.S. District Court for the Northern District of Illinois instructed the jury to calculate how many times BNSF violated BIPA. The jury concluded that BNSF violated BIPA 45,600 times, which aligns with a defense expert’s estimate of the number of drivers whose fingerprints were registered in the database. While that judgment resulted in staggering damages, had Richard Rogers v. BNSF Railway Company (Case No. 19-C-3083, N.D. Ill. 2022) been decided after Cothron, that judgment may have actually been multiples higher if the jury considered how many times each driver was scanned in total.
In this new landscape, companies must be especially vigilant that they are compliant with BIPA while also vetting ways in which they may not be compliant. Because the Cothron decision introduces perverse incentives for plaintiffs to not bring their claims upon first discovery—as the award can grow if the violations are allowed to continue and accrue for the five-year statutory limit—companies cannot equate an absence of claims to a lack of undisclosed, accruing violations. What previously could have been a single BIPA violation could now be the tip of an iceberg begging to be noticed too late—and below the surface, its size is large enough to sink even the supposedly unsinkable. Going forward, businesses must proceed with care and diligence, keeping an eye on the potential hazards on their own horizon so as to not be undone by this new interpretation.