While the Illinois Biometric Information Privacy Act (“BIPA”) is “of 2008,” only in the past few years has BIPA litigation exploded at a pace likely to continue.  BIPA generally requires companies that collect biometric information or identifiers in Illinois to adhere to certain practices, including providing a public privacy policy; obtaining written consent before collection; abstaining from the sale of, or other profiting from, biometric data; disclosing biometric data only with prior consent; and maintaining security measures to protect biometric data.  The growing wave of BIPA litigation has helped clarify certain aspects of the Act while bringing others into question, as amendments may further alter the legal landscape. 

Case Developments

This year saw noteworthy cases that redefined the stakes for BIPA litigation.

Tims v. Black Horse Carriers, Inc.

On February 2, 2023, the Illinois Supreme Court held that the five-year catch-all statute of limitations period included in the Illinois Code of Civil Procedure applies to all claims brought under Section 15 of BIPA, as the Act does not contain an explicit statute of limitations period.  The appellate court had held that the one-year statute of limitations imposed by the Code of Civil Procedure on actions for “publication of matter violating the right of privacy,” slander, and libel applied to actions under sections 15(c) and 15(d) of BIPA, and the catch-all five-year period applied to actions under sections 15(a), 15(b), and 15(e).  The decision extends the statute of limitations to five years for actions under section 15(c), prohibiting sale, leasing, and other profiting from biometric data, and under section 15(d), which prohibits disclosure of biometric data without consent.

Cothron v. White Castle System, Inc.

Not three weeks after its decision in Tims, on February 17, 2023, the Illinois Supreme Court held, answering a certified question from the Seventh Circuit, that claims under sections 15(b) and 15(d) accrue on a per-scan basis, such that “a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information.”  Plaintiffs alleged—and the holding appears to agree—that every time an employee in the fast food restaurant used biometric data to “clock in,” damages accrued. Based on this holding, White Castle could technically face a damages award of approximately $17 billion. A request for rehearing was denied on July 18, 2023.

Rogers v. BNSF Ry. Co.

On June 30, 2023, the U.S. District Court for the Northern District of Illinois granted BNSF’s motion for a new trial, finding that damage awards under BIPA are discretionary; a $228 million judgment against BNSF was vacated and a new trial was set for October 2023.  However, while these motions were pending, the White Castle case was decided, drastically altering the potential damages.  As such, BNSF settled the case in September 2023, before the retrial, under undisclosed terms.

Walton v. Roosevelt University

While perhaps less well-known than the aforementioned cases, the Illinois Supreme Court’s decision in Walton v. Roosevelt University carries significance in the employment context.  On March 23, 2023, the Court held that BIPA claims are preempted by federal labor law when an employee-plaintiff is covered by a collective bargaining agreement that includes a broad management clause, preventing such employees from bringing BIPA actions.

Lewis v. Maverick Transportation

In another lesser-known BIPA case, Lewis v. Maverick Transportation, the District Court for the Southern District of Illinois denied the defendant’s motion to dismiss, allowing the complaint to move forward without showing that biometric data collected in violation of BIPA was used for identification purposes. While the district court decision is not binding on other courts, it has the potential to reduce the pleading burden on BIPA plaintiffs if other courts follow suit.  This could create a compliance risk for entities using cameras that have object recognition technology, which may inadvertently detect an individual’s facial geometry (e.g., a retailer’s use of cameras for inventory management and asset protection).

Mosby v. Ingalls Memorial Hospital

Most recently, on November 30, 2023, the Illinois Supreme Court issued a decision that drastically narrows the applicability of BIPA to health care workers.  The Court held that BIPA “excludes from its protections the biometric information of health care workers where that information is collected, used, or stored for health care treatment, payment, or operations, as those functions are defined by HIPAA.”  Thus, health care employers are not liable for would-be BIPA violations if employees’ biometric information is collected, used, and/or stored for purposes of health care treatment, payment, or operations, but biometric collection from health care workers in other contexts, such as for timekeeping purposes, may still fall within the Act’s purview.

Amendments

A number of BIPA amendments have been proposed by the Illinois Legislature, but none have yet been adopted.  A few examples are summarized below and reflect a trend of business-friendly reforms to BIPA.

Statute of Limitations

HB3204 would amend Section 20 of BIPA to shorten the statute of limitations to one year, requiring would-be plaintiffs to file an action within one year of either the date of alleged violation or date of discovery.  As of March 10, 2023, the bill had been re-referred to the House Rules Committee.

Written Consent

HB3199 would replace the defined term “written release” with “written consent,” defined as “informed written consent,” and would explicitly allow “[w]ritten consent [to] be obtained by electronic means.”  It would also require 15 days’ written notice of alleged violations to a private entity before a plaintiff can pursue a private right of action; further, if the private entity “actually cures” the violation and provides the would-be plaintiff with a written statement that the violation has been cured and that it will engage in no further violations, no claim may be initiated.  Finally, the bill would require the Illinois Department of Labor to include BIPA in employer materials, including handbooks.  As of March 10, 2023, HB3199 had been re-referred to the House Rules Committee.

New Definitions and More

SB1506 would implement a number of changes, including to definitions, consent requirements, and exemptions.  If passed, the bill would amend the definition of “biometric identifiers” to exclude “information captured and converted to a mathematical representation” if such information “cannot be used to recreate the biometric identifier”; add definitions for “biometric lock” and “biometric time clock,” as well as “electronic signature,” “in writing,” and “security purpose”; and amend the definition of “written release” to include electronic communications.  The amendment would also narrow BIPA’s consent and notification obligations, requiring notification and consent for biometrics collected for the same repeated process only during the initial collection.  Furthermore, SB1506 would provide an exemption from the requirements of Section 15(b) if biometric data is collected for a security purpose (with certain limitations) and would exclude from the scope of the Act biometric time clocks and mathematical representations that cannot be used to recreate biometrics.  As of March 10, 2023, the bill had been re-referred to Senate Assignments.

Trends and Takeaways

Liability and Settlements

In the wake of the Cothron decision, a single full-time employee can potentially accrue about $1 million per year in BIPA damages if that employee scans their fingerprint four times per day to clock in and out—once in the morning, once in and once out for lunch, and once out in the evening.  Despite this, a sampling of recent cases shows plaintiffs are settling for a far smaller figure: $1,000 per class member or less, with many hovering around $500-$600 per class member, and some as low as $50 or $78.

Compliance

Although the risk of litigation from noncompliance may loom as an enormous potential liability, BIPA compliance need not be a colossal undertaking and can be reasonably straightforward if you have a clear idea of where and how biometric data may be collected.  BIPA generally requires businesses to maintain a policy, obtain consent before collection, and take steps to protect such collected information.  It is therefore important that legal and compliance functions are well connected with other business units, so that there is full visibility into any potential use of biometric data.  With regard to safeguarding biometric data, the obligation involves practices many businesses already follow: implementing information security measures to prevent data breaches and conducting due diligence on vendors storing the company’s data.

Looking Forward

While growing BIPA litigation and plaintiff-friendly decisions may be cause for concern for many companies, proposed amendments have leaned in businesses’ favor, and relatively simple steps can bring entities into compliance.  As 2023 comes to a close, companies may have more questions than answers on where BIPA is headed, but it certainly isn’t going away.