In Cothron v. White Castle System, Inc., 2023 IL. 128004 (Feb. 17, 2023), the Illinois Supreme Court examined the question of whether claims under section 15(b) and(d) of the Illinois Biometric Information Privacy Act (the Act) accrue each time a piece of biometric data is scanned or transmitted. In a much-anticipated decision, the high court found that businesses will be liable for each and every infraction; not only the first instance. The impact of this case is far-reaching in assessing potential liability for businesses collecting biometric data in violation of BIPA.
Relevant Facts
Latrina Cothron filed a class action suit against White Castle, and a third party vendor who was later voluntarily dismissed. Cothron is a manager of a White Castle restaurant and has been an employee since 2004. As part of its operations, White Castle uses a system that requires employees to scan their fingerprints in order to access pay stubs as well as their work computers. The third party vendor would then verify each scan and authorize the employee's access. Cothron alleged that White Castle implemented this requirement without her consent in violation of the Act. Section 15(b) the Act states, "A private entity may not collect, capture, purchase, receive through trade, or otherwise obtain a person's biometric data without first providing notice to and receiving consent from the person." In addition in Section15(d) the Act provides that a private entity "may not disclose, redisclose, or otherwise disseminate biometric data without consent."
Cothron alleged that White Castle did not ask for her consent to use her fingerprint biometric data until 2018, which is approximately ten years after the statute was enacted. She claimed that collection of her fingerprint, and sharing it with a third party vendor for authentication, was in violation of her rights under the law. White Castle attempted a motion for a judgment on the pleadings asserting that Cothron's claim accrued in 2008, which was the first time White Castle obtained her fingerprint. Cothron rebutted arguing that a new violation occurred each and every time her fingerprint was used. White Castle argued to the court that Cothron's argument was untimely because their claim should have accrued in 2008 on the first occasion that White Castle collected her biometric data after the law went into effect. The district court found in favor of Cothron. Subsequently, the 7th Circuit certified an interlocutory appeal and certified a question to the Illinois Supreme Court. The high court found that a separate claim accrues each time a private entity scans or transmits an individual's biometric identifier or information.
Certified Question for the Illinois Supreme Court
Do section 15(b) and 15(d) claims accrue each time a private entity scans a person's biometric identifier and each time a private entity transmits the scan to a third party, or only upon the first scan and first transmission?
The Act
Section 15(b) of the Act states, "No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:
- Informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
- Informs the subject or subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected. stored, and used; and
- Receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative." 740 ILCS 14/15(b) (West 2018).
Accordingly, Section 15(d) of the act provides, "No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person or customer's biometric identifier or biometric information unless:
- The subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure. Id.
The Act defines, "biometric identifier" as including a fingerprint and "biometric information" to include any information gathered base on a subject's biometric identifier used to identify that subject. White Castle argued that the statute should be interpreted to mean the first, initial and only the first, initial gathering of the biometric identifier or biometric information. Cothren disputed this reading and asserted that a violation occurs each time biometric identifiers or information are obtained without consent.
The Supreme Court Analysis of Legislative Intent Underlying the Act
The Supreme Court of Illinois first looked to the language and underlying intent of the legislature in the passage of the Act. "The best indicator of legislative intent is the statutory language itself, given its plain meaning and ordinary meaning." In re Hernandez, 2020 IL 124661. It agreed with Cothron's reading of the statute and found that the terms "collect", and "capture" are activities that can occur more than once by their plain meaning and use in the statute. Here, an employee must scan their fingerprint every time they want to access their pay stubs or use a White Castle computer. Each time the fingerprint data is collected, it is stored and sent to the third party vendor for verification. That new scan is compared to the initial scan each time a log in occurs. Each scan, therefore, constitutes a new collection and storage of biometric data.
In addition, White Castle defeated its own argument, in a sense, by claiming that it collected Cothron's fingerprint before the Act took effect, but the first and only violation was the first time the information was taken after the Act's enactment. Thus the first violation, according to White Castle's theory, was actually an authentication scan, which it otherwise argued doesn't count as a violation. "A party violates section 15(b) when it collects, captures, or otherwise obtains a person's biometric information without prior informed consent. This is true the first time an entity scans a fingerprint or otherwise collects biometric information, but it is no less true with each subsequent scan or collection." Cothron, 477 F.Supp.3d at 732.
The same is true of disclosure. Each time a scan was sent to the third party vendor for verification, a new disclosure as well as collection of biometric data took place. Disclosure is not something that can only happen once, as White Castle argues. The high court agree with the lower court findings and concluded that a violation clearly occurs with every scan or transmission.
Alternate Arguments Presented by White Castle
First, White Castle contends that "under Illinois law a claim accrues when a legal right is invaded and an injury inflicted." White Castle argues that because the Act discusses an individual's loss of the "right to control" their own biometric data, that implies that the loss of secrecy of biometric data is where the breach of the law occurs. Once secrecy is lost it cannot be regained so a violation may only feasibly occur once. Therefore, "when a party collects or discloses biometric information without complying with the Act's notice and consent requirements, an individual's rights have been invaded, an injury has occurred, and the plaintiff may immediately sue. In other words. the invasion and injury are one and the same." Rosenbach v. Six Flags Entertainment, 2019 IL 123186; McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511. An individual's right to control their biometrics is a "a single overt act." Feltmeier v. Feltmeier, 207 Il.2d 263, 279. White Castle relied on this precedent to support their argument that a cause of action only accrues the first time biometric identifiers or information are disclosed. The court again disagreed and found that White Castle mischaracterized this precedent.
On the contrary, the Supreme Court reasoned that Rosenbach stands for the proposition that, "When a private entity fails to comply with one of section 15's requirements, that violation constitutes an invasion, impairment, or denial of statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach. Rosenbach clearly recognizes the statutory violation itself is the injury for purposes of a claim under the Act, which is entirely consistent with our decision here." Put simply, if there was a statutory violation, then an injury occurred and not only the first time a violation occurred, but rather, each time. Nowhere in the statute does it state directly or even imply that only the first infraction is a violation of the Act.
Opponents cautioned against allowing recovery for each instance as the statute calls for liquidated damages for each violation. Allowing recovery for multiple acts could result in "punitive and astronomical damage awards." If every White Castle employee sued for every instance of having their fingerprint scanned without written consent, the bill would tally up to over $17 billion. Despite this concern, the language of the Act is binding and it was clear that the Legislature intended to subject businesses failing to comply with serious liability. As the district court noted, "private entities would have little incentive to course correct and comply if subsequent violations carry no legal consequence." Cothron, 20 F.4th at 1165. With that said, the Supreme Court did recognize its responsibility to ensure that the damage award provided fair compensation to the plaintiff and deterred future violations while at the same time was not so excessive that it completely undermined or annihilated the defendants' business. Century Mutual Insurance Co., v. Tracy's Treasures, Inc., 2014 IL App (1st) 1239. The court concluded that the worry regarding excessive damage awards under the Act was a question more properly suited for the Legislature rather than the judiciary.
In conclusion, the high court ruled that businesses will be liable for every instance of sharing of biometric identifiers or information without prior consent. The impact of this case will reveal itself as more cases of its kind land before courts of Illinois as well as states across the nation. The team at WSHB is available to answer any questions you may have moving forward.