Articles | Jul 20, 2023

Class Actions and Biometric Privacy Laws

ABA Commercial & Litigation Committee Newsletter

Read the Article
Biometric fingerprint
Written By: Jessica M. Senske

The Supreme Court of Illinois broadly interpreted the Illinois Biometric Information Privacy Act (BIPA) in two recent decisions, Cothron v. White Castle System, Inc., and Tims v. Black Horse Carriers, Inc. These decisions will affect class action lawsuits, particularly in the employment sector. Now class members might recover significant damages.

In Illinois, BIPA defines biometric information as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.” 740 Ill. Comp. Stat. 14/10 (2022). In other words, biometric information is identifying information unique to a specific individual. Examples include retina or iris scans, fingerprints, voiceprints, and face or hand scans. Id.

In its recent decision in Cothron, the Supreme Court of Illinois specifically focused on two sections of BIPA—section 15(b) and section 15(d). Cothron v. White Castle Sys., Inc., 2023 IL
128004, ¶ 1 (Ill. 2023). Section 15(b) places restrictions on when a private entity can “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information.” 740 Ill. Comp. Stat. Ann. 14/15(b) (2022). Section 15(d) governs restrictions on when a private entity already in possession of biometric information “may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information.” Id. § 14/15(d). Thus, section 15(b) relates to when a private entity can take biometric information, whereas section 15(d) pertains to when a private entity can transmit biometric information.

In Cothron, an employee brought a putative class action against the employer, on behalf of all other employees, alleging that the employer’s fingerprint scanning and verification system violated BIPA. Cothron, 2023 IL 128004, ¶¶ 3–6. The action originally started in the U.S. District Court for the Northern District of Illinois and then moved to the U.S. Court of Appeals for the Seventh Circuit. See Cothron v. White Castle Sys., Inc., 477 F. Supp. 3d 723 (N.D. Ill. 2020); Cothron v. White Castle Sys., Inc., 20 F.4th 1156 (7th Cir. 2021). The Seventh Circuit subsequently certified the following question to the Supreme Court of Illinois: “Do section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?” Cothron, 2023 IL 128004, ¶ 1 (quoting Cothron, 20 F.4th at 1167).

The defendant argued that BIPA violations, under sections 15(b) and 15(d), accrue only at the first transmission, but the plaintiff argued that the statute’s plain language indicates that a claim accrues each time biometric information is collected or disseminated. See id. ¶¶ 16–19. In its analysis, the Supreme Court of Illinois adopted the plaintiff’s broad interpretation. See id. ¶ 20 (“we focus on the language of the Act itself”).

The Supreme Court of Illinois first looked at section 15(b) and disagreed that the actions described by the phrases “collect” or “capture” can happen only once. Id. ¶ 23. The court justified this reasoning in explaining that each time an employee scans his or her fingerprint, the employee’s information is captured and then compared against the original scan, meaning that a BIPA claim under this section is not limited to the first occurrence. Id. ¶¶ 23–25. The court then looked at section 15(d), finding similarly that BIPA’s plain language applies to every transmission, not just the first one. Id. ¶¶ 27–30. Therefore, the court ultimately held that “a separate claim accrues under [BIPA] each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).” Id. ¶ 1.

The court did acknowledge the potential for excessive damages, stating that the trial court has discretion to fashion a damages award that fairly compensates the class, while also deterring future violations without destroying a defendant’s business. Id. ¶¶ 41–42. This is likely in anticipation of future due process concerns, which may become key arguments for defense counsel in trying to reduce damages. Yet, the court gave little guidance as to how to address the potential for excessive damages, stating that it is up to the legislature to change the law. See id. ¶ 43 (“[W]e continue to believe that policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature.”).

The Illinois legislature did, however, react to the court’s decision. Almost immediately, a bill to change BIPA’s language was proposed in the Illinois House. The bill seeks to reduce the damages a business may be subject to under BIPA. H.B. 3199, 103d Gen. Assemb., 1st Reg. Sess. (Ill. 2023). Specifically, it proposes to remove language that allows a party to recover for each BIPA violation. Id. It also provides businesses with 15 days to mitigate any alleged BIPA violations. Id.

Yet, in the meantime, the Cothron decision stands, providing a broad remedy for plaintiffs in class actions. Further, this decision, combined with another recent Illinois decision, Tims v. Black Horse Carriers, Inc., heightens the potential for damages under BIPA.

Shortly before the Cothron decision, the Supreme Court of Illinois interpreted the statute of limitations period under BIPA. Similar to Cothron, Tims also involved an employee bringing a class action for BIPA violations. See Tims v. Black Horse Carriers, Inc., 2023 IL 127801, ¶ 1. The court looked at whether the statute is subject to the one-year statute of limitations period, which applies to privacy right violations in Illinois, or if Illinois’s five-year default statute of limitations period applies to BIPA claims. See id. ¶¶ 16–18. The court ultimately held that the five-year default period applies, id. ¶ 42, which means class members can bring claims for each BIPA violation for five years, rather than over the course of one year and rather than for just the first transmission or collection.

To put this into perspective, if an employee uses a biometric system to clock into work every day and if that system violates BIPA, the employee could have a claim for each time he or she clocked into work, over a five-year period. This, combined with a class action lawsuit, means damages could be significant.

While these two decisions focus on the Illinois biometric privacy law, they could have an impact on how other states may interpret their own statutes. Currently, Texas and Washington have specific biometric privacy statutes similar to Illinois’s. See Tex. Bus. & Com. Code Ann. § 503.001; Wash. Rev. Code Ann. §§ 19.375.010–19.375.900. Other states, such as California, Colorado, Utah, and Virginia, have passed consumer privacy laws that will govern biometric information once in full effect. “Is Biometric Information Protected by Privacy Laws?,” Bloomberg L., May 3, 2023.

Because other states may look to the Illinois decisions for guidance when interpreting their own statutes, practitioners should keep in mind when advising clients how to appropriately use biometric identifiers and what rights are available under the law.

Jessica M. Senske is an attorney at Phillips Lytle LLP in Buffalo, New York.

Related Insights

View All