Last Fall, an Illinois Court saw the first class action lawsuit brought under the Illinois Biometric Information Privacy Act, an Illinois statute that allows individuals to make a claim against private entities that collect biometric data without first creating a publicly available policy on the data’s retention and destruction, obtaining the individual’s consent, and using reasonable care to protect the information gathered.
Rasmussen Dickey Moore attorneys RoseAnn Sorce and Nathan Lindsey have been following developments in BIPA litigation and the potential effects on Illinois businesses. Nate provided an overview of Illinois’ BIPA statute when it was enacted, and RoseAnn continued with a recap of Rogers vs. BNSF Ry. Co., the first BIPA class action lawsuit.
After the jury found for the plaintiff class in Rogers v. BNSF Ry. Co., legal experts expected the $228 million dollar verdict to lead to a flood of BIPA litigation. All eyes then turned to Cothron v. White Castle System, Inc., which would answer the question of whether each and every scan or transmission of biometric data constitutes a separate violation of BIPA.
Last month, the Illinois Supreme Court answered “yes” to this question, adding yet another notch in plaintiffs’ belts.
Cothron v. White Castle System, Inc.
On behalf of a class of White Castle employees, White Castle manager Latrina Cothron claimed the fast-food giant violated BIPA when it disclosed employees’ fingerprint scans (obtained in order to grant employees access to their paystubs) to a third-party vendor. In response, White Castle argued that Cothron’s claims were untimely as they accrued in 2008, the very first time she scanned her finger and White Castle obtained her biometric data. White Castle further claimed that a BIPA violation could only accrue once—the first time the biometric data is collected or disclosed—while Cothron argued a new claim accrues each time biometric data is collected or disclosed. The District Court agreed with the Plaintiff, but certified White Castle’s order for immediate interlocutory appeal, moving the case to the Seventh Circuit Court of Appeals. The Seventh Circuit agreed that “the novelty and uncertainty of the claim-accrual question” warranted certification to the Illinois Supreme Court.
In deciding when a BIPA violation accrues, the Illinois Supreme Court focused on the plain and ordinary meaning of the language of BIPA. The Court looked at the statute’s use of the terms “collect” and “capture” and found that the definitions of these terms do not limit the actions to occurring only once. Therefore, the Court decided that each and every collection and subsequent disclosure is a separate violation of BIPA, a decision that has the potential to turn million-dollar claims into billion-dollar claims.
BIPA’s Effects on Illinois Businesses
Cothron v. White Castle’s effect on damage awards is clear. While the Illinois Supreme Court noted that damages are “discretionary rather than mandatory under the Act” and “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business,” the Court provided no guidance to lower courts on how to exercise this discretion. Instead, it called on the legislature to “review these policy concerns and make clear its intent regarding the assessment of damages under the Act.” However, legislative action to amend BIPA may be unlikely, as previous BIPA reform bills never even made it to a vote.
Additionally, the White Castle decision makes it more difficult for defendants to assert a statute of limitations defense. Now, defendants must look to the last collection or use of a plaintiff’s biometric data rather than to the first. In White Castle, this brought Cothron’s claims within the statute of limitations, despite the fact that White Castle first violated BIPA in 2008.
Protecting Your Business from Future BIPA Claims
With catastrophic damage awards made possible by the Court’s decision in Cothron v. White Castle, some Illinois entities may be dissuaded from using biometric data at all. For businesses that already do collect biometric data, whether for timekeeping or security access, there is no need to stop these practices altogether. Rather, these entities should make a plan to periodically revisit their biometric data collection policies to ensure that they are in compliance with BIPA as it continues to evolve.
Make sure your business has a plan in place. RDM’s Employment and Labor Law Team can review your company policies and help your business ensure compliance with BIPA and other applicable employment laws. Contact us today to discuss how we can help protect your business and your employees from complex and costly litigation.