Since its adoption in 2008, the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1, et seq., has imposed severe penalties—$1,000 per negligent violation and $5,000 per intentional or reckless violation—on businesses that collect fingerprints, face scans, voiceprints, or other biometric data without required consent. As we detail elsewhere in our blog, the number of consumer class actions asserting BIPA claims has exploded over the past three years, yielding verdicts and settlements in the hundreds of millions of dollars. (Stay tuned to tomorrow’s blog for an analysis.) In its recent decision in Cothron v. White Castle System, Inc., No. 128004, 2023 IL 128004 (Ill. Feb. 17, 2023), the Illinois Supreme Court vastly increased the already substantial risk of exposure in BIPA cases by construing BIPA to treat every distinct collection of biometric data as a separate violation. While the court further stated that BIPA’s statutory damages are not mandatory, it provided no guidance about the standards that trial courts might apply to decide whether to mitigate potentially ruinous damages awards. The increased stakes and resulting uncertainty underscore how critical it is that businesses subject to BIPA implement practices to comply with its notice and consent requirements.
The ruling in Cothron, though clearly opening the door for potentially excessive damage awards, focused primarily on answering a narrow question: whether BIPA claims accrue after each instance in which non-consented biometric information is collected. Since 2004, defendant White Castle had collected fingerprints from employees to allow them to access company computers. BIPA was enacted in 2008, but White Castle never obtained employee consent to collect fingerprint data until 2018, when plaintiff Cothron brought a lawsuit on behalf of herself and a putative class of White Castle employees. White Castle argued that Cothron’s BIPA claim accrued in 2008, when BIPA took effect and White Castle first collected fingerprint data in violation of the statute, and that, as a result, her claim was time-barred. Cothron responded that her claim was timely because every unconsented-to collection was a unique BIPA violation. A federal trial judge agreed with White Castle’s position and dismissed the case. On appeal, the Seventh Circuit found the question of when a BIPA claim accrues to be undecided under Illinois law, and certified the question to the Illinois Supreme Court. See Cothron v. White Castle System, Inc., 20 F.4th 1156 (7th Cir. 2021). A majority of the Illinois Supreme Court agreed with the plaintiff’s interpretation of BIPA, and determined that the plain language of both Sections 15(b) and 15(d) of the statute supported the conclusion that White Castle violated the statute each time it scanned and transmitted the plaintiff’s fingerprints for employment purposes.
In so ruling, the court did not directly address the issue of damages. Rather, White Castle argued that its construction of BIPA was supported by the fact that plaintiff’s position on what constitutes a violation of the statute would vastly multiply statutory damages, with potential damages against White Castle on a classwide basis of as much as $17 billion. White Castle contended that the Illinois legislature could not possibly have intended that the term “violation” should be construed in such a way that it would result in damages that would put companies out of business for violating BIPA.
The Illinois Supreme Court found this argument unpersuasive. The court acknowledged that its construction of the statute could result in class action awards that might soar into the hundreds of millions and billions of dollars. The court’s perfunctory response to this concern was that defendants should rely on the trial court’s discretion, since “[a] trial court presiding over a class action—a creature of equity—would certainly possess the discretion to fashion a damage award that (1) fairly compensated claiming class members and (2) included an amount designed to deter future violations, without destroying defendant’s business.” The court further observed that “the General Assembly chose to make damages discretionary rather than mandatory under the Act.” See 740 ILCS 14/20 (stating that a “prevailing party may recover” statutory damages for each violation) (emphasis added). Ultimately, the court suggested that the Illinois legislature step forward to address concerns about potentially excessive damage awards, leaving much uncertainty for businesses facing claims under BIPA.
As a result of the Cothron decision, it is now clear that statutory damages under BIPA are available for each and every alleged violation, but that courts have discretion to award less than full statutory damages. This creates both risk and uncertainty. The risk of potential exposure in BIPA cases is now vastly larger, and while defendants are entitled to argue for mitigation of those damages, the standards that courts should apply when considering whether to mitigate damages under BIPA are as yet unknown. The only way to establish such standards would be for some defendant to bite the bullet and plunge forward to contest damages, knowing that an adverse decision could potentially bankrupt the company. Most defendants will be unwilling or unable to run that risk. Absent a legislative fix, the likely effect of Cothron will be to drive defendants to settle BIPA class actions if they cannot dispose of them on a motion to dismiss or at summary judgment.
If it wasn’t apparent before, it is clear now that being attentive to BIPA compliance is critical for businesses that are subject to the statute. BIPA requires businesses to inform a party, in writing, of how their biometric information will be used. Once informed, a party must give written consent before the business may proceed. Establishing practices and procedures to ensure that a business meets those statutory requirements is an essential step to avoid exposure to massive damages under BIPA. With a growing number of other states adopting their own statutes to regulate collection and use of biometric information, the need to do so is only that much more imperative.