The defendant argued that BIPA violations, under sections 15(b) and 15(d), accrue only at the first transmission, but the plaintiff argued that the statute’s plain language indicates that a claim accrues each time biometric information is collected or disseminated. See id. ¶¶ 16–19. In its analysis, the Supreme Court of Illinois adopted the plaintiff’s broad interpretation. See id. ¶ 20 (“we focus on the language of the Act itself”).
The Supreme Court of Illinois first looked at section 15(b) and disagreed that the actions described by the phrases “collect” or “capture” can happen only once. Id. ¶ 23. The court justified this reasoning by explaining that each time an employee scans his or her fingerprint, the employee’s information is captured and then compared against the original scan, meaning that a BIPA claim under this section is not limited to the first occurrence. Id. ¶¶ 23–25. The court then looked at section 15(d), finding similarly that BIPA’s plain language applies to every transmission, not just the first one. Id. ¶¶ 27–30. Therefore, the court ultimately held that “a separate claim accrues under [BIPA] each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).” Id. ¶ 1.
The court did acknowledge the potential for excessive damages, stating that the trial court has discretion to fashion a damages award that fairly compensates the class, while also deterring future violations without destroying a defendant’s business. Id. ¶¶ 41–42. This is likely in anticipation of future due process concerns, which may become key arguments for defense counsel in trying to reduce damages. Yet, the court gave little guidance as to how to address the potential for excessive damages, stating that it is up to the legislature to change the law. See id. ¶ 43 (“[W]e continue to believe that policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature.”).
The Illinois legislature did, however, react to the court’s decision. Almost immediately, a bill to change BIPA’s language was proposed in the Illinois House. The bill seeks to reduce the damages a business may be subject to under BIPA. H.B. 3199, 103d Gen. Assemb., 1st Reg. Sess. (Ill. 2023). Specifically, it proposes to remove language that allows a party to recover for each BIPA violation. Id. It also provides businesses with 15 days to mitigate any alleged BIPA violations. Id.
Yet, in the meantime, the Cothron decision stands, providing a broad remedy for plaintiffs in class actions. Further, this decision, combined with another recent Illinois decision, Tims v. Black Horse Carriers, Inc., heightens the potential for damages under BIPA.
Shortly before the Cothron decision, the Supreme Court of Illinois interpreted the statute of limitations period under BIPA. Similar to Cothron, Tims also involved an employee bringing a class action for BIPA violations. See Tims v. Black Horse Carriers, Inc., 2023 IL 127801, ¶ 1. The court looked at whether the statute is subject to the one-year statute of limitations period, which applies to privacy right violations in Illinois, or if Illinois’s five-year default statute of limitations period applies to BIPA claims. See id. ¶¶ 16–18. The court ultimately held that the five-year default period applies, id. ¶ 42, which means class members can bring claims for each BIPA violation for five years, rather than over the course of one year and rather than for just the first transmission or collection.
To put this into perspective, if an employee uses a biometric system to clock into work every day and if that system violates BIPA, the employee could have a claim for each time he or she clocked into work, over a five-year period. This, combined with a class action lawsuit, means damages could be significant.
While these two decisions focus on the Illinois biometric privacy law, they could have an impact on how other states may interpret their own statutes. Currently, Texas and Washington have specific biometric privacy statutes similar to Illinois’s. See Tex. Bus. & Com. Code Ann. § 503.001; Wash. Rev. Code Ann. §§ 19.375.010–19.375.900. Other states, such as California, Colorado, Utah, and Virginia, have passed consumer privacy laws that will govern biometric information once in full effect. “Is Biometric Information Protected by Privacy Laws?,” Bloomberg L., May 3, 2023.
Because other states may look to the Illinois decisions for guidance when interpreting their own statutes, practitioners should keep in mind, when advising clients, how to appropriately use biometric identifiers and what rights are available under the law.