The Seventh Circuit Court of Appeals requested that the Illinois Supreme Court (ILSC) weigh in on how claims accrue under the Illinois Biometric Information Privacy Act (BIPA). BIPA requires companies, often employers, to get express consent before the collection or processing of biometric information from an individual. BIPA is often at issue through use of fingerprint, retina, or facial recognition technology impacting Illinois residents. Significantly, BIPA provides a private right of action for violations of the Act with statutory damages of $1,000 per violation for negligent violations and $5,000 per violation for intentional or reckless violations.
In Cothron v. White Castle System, Inc., the question before the ILSC was:
Do section 15(b) and 15(d) [BIPA] claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?
In what many are viewing as a surprise, the ILSC held that a separate claim accrues each time biometric information is scanned or transmitted in violation of section 15(b) and 15(d). Thus, each time an employee uses a fingerprint to unlock a point of sale or clock in, a new violation of BIPA may accrue.
The ruling in Cothron comes on the heels of Tims v. Black Horse Carriers, Inc., finding BIPA claims are subject to a five-year statute of limitations period instead of the one-year period for other privacy rights violations, such as slander and libel. The ILSC’s ruling in Cothron will likely exponentially increase the possible damages, given employees may have scanned their fingerprint hundreds of times when clocking in and out of their shift. BIPA settlements could see 10x to 50x multipliers depending on the class at issue and the frequency with which biometrics were collected or used. In October 2022, the first BIPA case that went to trial resulted in a $228 million judgment (Richard Rogers v. BNSF Railway Company). This judgement may look miniscule in hindsight to the settlements and judgments we may see in 2023. Employers with operations in Illinois should carefully review their information systems to make sure they are in compliance with BIPA’s requirements.