Successive Violations Create New Limitations Periods
White Castle moved for judgment on the pleadings on the grounds that the plaintiff’s claims were untimely because they were 10 years old. The plaintiff countered that a new claim accrued each time she scanned her fingerprints, and the statute of limitations had not yet run as to such claims. The district court agreed with the plaintiff and denied the motion.
However, due to substantial disagreement on controlling law, the district court certified the order for immediate interlocutory appeal. The U.S. Court of Appeals for the Seventh Circuit accepted the certification and considered each sides’ statute of limitation arguments. The Seventh Circuit court found that the plaintiff had Article III standing but certified the question of claims accrual to the Illinois Supreme Court.
The Illinois Supreme Court held that a separate claim accrues each time a private entity scans or transmits an individual’s biometric information in violation of BIPA sections 15(b) and 15(d). The court, interpreting the BIPA’s language, held that the penalties exist to encourage compliance. Although the court understood that its ruling could result in a $17 billion judgment against White Castle, it nevertheless reasoned that the legislature should review the policy concerns raised by the ruling and clear up its intent regarding the amount of penalties.
Statutory Presumption of Harm
The court’s holding that each scan of an employee’s fingerprint constitutes a separate violation of BIPA greatly increases the potential liability for companies that use biometric data. A plaintiff need not show much to collect $1,000 or $5,000 per violation because the injury is presumed. This low threshold for presumed injury could greatly increase the number of suits filed by consumers.
“Cothron raises the question of whether a state legislature is able to create a presumption of harm in order to confer Article III standing,” observes Mark A. Romance, Miami, FL, cochair of the ABA Litigation Section’s Commercial & Business Litigation Committee. “Courts around the country have recently been evaluating what harm is enough to satisfy Article III standing in consumer class action cases,” he adds.
Best Practices for Biometric Data Collection
With careful planning, businesses may be able to reduce the risk of liability by implementing a data collection security program. “An ounce of prevention is worth $17 billion pounds of cure,” counsels Ian H. Fisher, Chicago, IL, cochair of the Litigation Section’s Class Action Committee. “Getting a business into compliance is relatively easy if you consult a lawyer, get releases, make disclosures, and follow safeguards,” Fisher details.
Companies also need to develop written policies for the retention and destruction of biometric data, as well as to obtain written consent before disclosing biometric data to third parties. Otherwise, claimants might take advantage of the BIPA’s structure. “The [Cothron] majority failed to recognize the goal of the statute. This creates a ‘perverse incentive’ for plaintiffs to sit quietly on violations of BIPA,” Fisher warns.