A state supreme court has expanded its state’s Biometric Information Privacy Act (BIPA) by ruling that each violation of the BIPA constitutes a separate injury each carrying a penalty of $1,000.00 or $5,000.00 per violation. In so doing, the court adopted a presumption of harm for consumers, rather than requiring proof of actual harm, and permitted multiple damages claims for successive violations. This expansion of BIPA protections increases the risks for companies that do not carefully safeguard private biometric information or repeatedly violate the BIPA.
Each BIPA Violation Is Actionable
In Cothron v. White Castle, an employee of White Castle filed a proposed class action on behalf of herself and other similarly situated employees for violation of the BIPA. The BIPA is an Illinois statute that regulates the collection, use, and handling of biometric identifiers and information. Texas and Washington have similar biometric privacy laws, but neither is as stringent as the BIPA. And other states characterize biometric information as “sensitive” for purposes of their comprehensive privacy laws.
In Cothron, the thrust of the plaintiff’s argument was that White Castle violated the BIPA by collecting employee fingerprints and disclosing them to a third party without consent. She also advanced the novel argument that the repeated collection of her biometric data resulted in repeated violations of the BIPA.
Successive Violations Create New Limitations Periods
White Castle moved for judgment on the pleadings on the grounds that the plaintiff’s claims were untimely because they were 10 years old. The plaintiff countered that a new claim accrued each time she scanned her fingerprints, and the statute of limitations had not yet run as to such claims. The district court agreed with the plaintiff and denied the motion.
However, due to substantial disagreement on controlling law, the district court certified the order for immediate interlocutory appeal. The U.S. Court of Appeals for the Seventh Circuit accepted the certification and considered each sides’ statute of limitation arguments. The Seventh Circuit court found that the plaintiff had Article III standing but certified the question of claims accrual to the Illinois Supreme Court.
The Illinois Supreme Court held that a separate claim accrues each time a private entity scans or transmits an individual’s biometric information in violation of BIPA sections 15(b) and 15(d). The court, interpreting the BIPA’s language, held that the penalties exist to encourage compliance. Although the court understood that its ruling could result in a $17 billion judgment against White Castle, it nevertheless reasoned that the legislature should review the policy concerns raised by the ruling and clear up its intent regarding the amount of penalties.
Statutory Presumption of Harm
The court’s holding that each scan of an employee’s fingerprint constitutes a separate violation of BIPA greatly increases the potential liability for companies that use biometric data. A plaintiff need not show much to collect $1,000 or $5,000 per violation because the injury is presumed. This low threshold for presumed injury could greatly increase the number of suits filed by consumers.
“Cothron raises the question of whether a state legislature is able to create a presumption of harm in order to confer Article III standing,” observes Mark A. Romance, Miami, FL, cochair of the ABA Litigation Section’s Commercial & Business Litigation Committee. “Courts around the country have recently been evaluating what harm is enough to satisfy Article III standing in consumer class action cases,” he adds.
Best Practices for Biometric Data Collection
With careful planning, businesses may be able to reduce the risk of liability by implementing a data collection security program. “An ounce of prevention is worth $17 billion pounds of cure,” counsels Ian H. Fisher, Chicago, IL, cochair of the Litigation Section’s Class Action Committee. “Getting a business into compliance is relatively easy if you consult a lawyer, get releases, make disclosures, and follow safeguards,” Fisher details.
Companies also need to develop written policies for the retention and destruction of biometric data, as well as to obtain written consent before disclosing biometric data to third parties. Otherwise, claimants might take advantage of the BIPA’s structure. “The [Cothron] majority failed to recognize the goal of the statute. This creates a ‘perverse incentive’ for plaintiffs to sit quietly on violations of BIPA,” Fisher warns.
Hashtags: #DataProtection; #ConsumerPrivacy; #PrivacyRights; #MultibillionDollarJudgment
- Starr Drum, “The Four Ps of Privacy,” Privacy & Data Sec. (Dec. 16, 2020).
- Lynda Grant, “The Illinois Supreme Court Issues Two Major BIPA Rulings” Privacy & Data Sec. (Mar. 6, 2023).
- Michélle Jacqueline Du Plessis, “Consumers and Data Compliance Officers Navigating Privacy Compliance Management in an Evolving Landscape,” Bus. L. Comm. (Mar. 25, 2022).
Copyright © 2023, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).