By Matthew D. Provance, a partner, and Jed W. Glickstein, counsel, with Mayer Brown LLP in the firm’s Chicago, IL office.

When Illinois enacted its Biometric Information Privacy Act (“BIPA”) in 2008, it became the first—and, to date, only—state to create a private right of action for statutory damages for the breach of so-called “biometric privacy” rights. BIPA gives Illinois consumers a right to recover up to $5,000 for violations of BIPA’s various obligations related to the collection and storage of certain types of biometric data—a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”1 With significant statutory damages available for violations, BIPA has become a windfall for class action plaintiffs.

In 2019, the Illinois Supreme Court decided Rosenbach v. Six Flags Entertainment Corp., which held that plaintiffs are “aggrieved” within the meaning of BIPA (and therefore able to seek statutory damages) “based solely on defendants’ failure to comply with the statute’s requirements.”2 After Rosenbach eliminated the need to show any actual, real-world injury—such as misuse of a plaintiff’s data or a data breach—BIPA litigation skyrocketed. Annual filings in federal court have increased roughly six-fold, and overall nearly 2,000 BIPA lawsuits have been filed in the last five years, an average of more than one new lawsuit a day.3

The situation was therefore already plenty challenging for businesses in Illinois that found themselves facing class actions seeking statutory damages under BIPA. But in February 2023, the Illinois Supreme Court issued two decisions that will send no-injury BIPA litigation into overdrive.

The Decisions

The first decision, Tims v. Black Horse Carriers, addressed the statute of limitations for BIPA claims, holding that such claims are subject to Illinois’ five-year “catch-all” limitations period.4 This was a particularly disappointing result for businesses because, in an earlier case about insurance coverage, the Illinois Supreme Court had characterized the “injury” caused by BIPA violations as “a nonbodily personal injury” stemming from a violation of the “right to privacy” concerning biometric data.5 Consistent with that reasoning, the two-year limitations period for personal injury claims seems like a natural fit for BIPA. But in Tims, the court did not consider whether Illinois’ two-year limitations period for “an injury to the person” applied.6

Only a few weeks later, the court issued a decision in Cothron v. White Castle, which addressed the related issue of when a claim under BIPA accrues.7 Combined with Tims and Rosenbach, Cothron further paves the way for plaintiffs to demand astronomical statutory damages for no-injury BIPA violations. Indeed, the majority acknowledged that statutory damages might exceed $17 billion in Cothron alone.8

The facts of Cothron mirror a typical BIPA lawsuit brought by an employee against her employer over the use of a fingerprint-based identification system. Cothron did not allege, nor could she, that she was forced to use the system, which was voluntary for employees. Nor did she allege that she was unaware that the system worked by scanning and collecting her fingerprint. After all, such functionality was obvious to the user. Instead, Cothron alleged that White Castle did not technically comply with BIPA’s consent requirements, and that the use of a third-party vendor to maintain White Castle’s timekeeping equipment resulted in an unauthorized “disclosure” of Cothron’s biometric data to the vendor each time she used the system.9 At issue in the appeal was whether BIPA’s five-year deadline to file suit on these claims began to run upon Cothron’s first use of the timekeeping system in 2008—in which case her lawsuit would have been untimely—or whether a new claim accrued with each subsequent use of the system.

In a 4-3 decision, the Illinois Supreme Court agreed with Cothron that a distinct claim arises under BIPA each time an entity collects or discloses an individual’s biometric data. The court pointed to statutory language in BIPA—which prohibits a private entity from “collect[ing]” a person’s biometric identifier or biometric information “unless it first” provides certain disclosures and obtains consent—and “disagreed . . . that [unlawful collection] can happen only once.”10 Rather, it held that based on BIPA’s plain text, “[a] party violates [the statute] when it collects . . . a person’s biometric information without prior informed consent” and that “this is true the first time an entity . . . collects biometric information, but it is no less true with each subsequent scan or collection.”11 For similar reasons, the court concluded that a private entity violates BIPA again after each data collection if the data is made available to a third-party equipment vendor.12

The court acknowledged that its interpretation of BIPA would allow Cothron to seek statutory damages for every alleged fingerprint “scan” on behalf of approximately 9,500 past and current White Castle employees, resulting in billions in potential damages. But the court concluded that putting businesses at risk of annihilation was not a relevant consideration, because “where statutory language is clear, it must be given effect, even though the consequences may be harsh, unjust, absurd.”13 The court’s decision to adopt a “per-scan” rule for purposes of both claim accrual and damages awards under BIPA came as a shock to many following the case. The certified question to the court only asked it to address claim accrual, and at oral argument Cothron’s counsel disavowed any theory of “per-scan” damages under BIPA as unreasonable.14

The Implications

Tims and Cothron create a vicious one-two punch for defendants facing BIPA litigation. Take the typical example of a biometric timekeeping system used by a small or medium-sized business. Employees may use the system a minimum of four times each day to punch in and out, assuming just one break during their shift (though in practice, use could be much more frequent). Under Tims, that could easily result in up to 5,200 scans for each employee during the limitations period (1,040 fingerprint scans per year, assuming 260 working days, for five years).

Now Cothron kicks in to authorize plaintiffs to seek up to $5,000 in statutory damages for each violation of BIPA that they allege for each scan. The plaintiff in Cothron alleged two types of violation—one related to the collection of her fingerprint, and another related to its alleged disclosure to White Castle’s equipment vendor. BIPA plaintiffs often allege up to five different types of violation, and sometimes more. But even with just two claimed types of violations, the potential liability under BIPA is staggering.

In the scenario discussed above, for example, a single employee claiming 5,200 unauthorized collections and disclosures of her fingerprint during the five-year limitations period could seek up to $52 million in statutory damages under BIPA. For a relatively small class of 100 employees, that number grows to $5.2 billion—almost certainly an annihilating sum for any small or medium-sized Illinois business. And a class of 1,000 employees could seek statutory damages totaling an unfathomable $52 billion—all without any showing of actual injury.15

In Cothron, the court tried to hedge against the implications of its ruling by expressing doubt that such annihilating damages awards would actually be imposed. The court cited language in BIPA providing that a prevailing party “may recover [statutory damages] for each violation,” reasoning that this language “appear[ed]” to show “that the General Assembly chose to make damages discretionary rather than mandatory under the Act.”16 The court also pointed out that there is “no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business,”17 a curious observation to make in the course of finding that BIPA appears to authorize billions of dollars in statutory damages for no-injury violations.

Ultimately, however, the court recognized that its decision could give rise to “excessive damages awards” and called on the Illinois legislature to “review these policy concerns” and “make clear its intent” regarding how statutory damages should be assessed under BIPA.18 But whether the court’s invitation to the legislature to step in and fix this problem will actually gain traction remains unclear. In the meantime, judicial acknowledgment of the “policy concerns” that flow from Cothron‘s reading of the statute is cold comfort to the many Illinois businesses facing claims for statutory damages in ongoing BIPA litigation.

The Aftermath

To nobody’s surprise, new BIPA lawsuits are being filed at breakneck speed in the wake of Tims and Cothron. Two troubling patterns are already emerging.

First, plaintiffs are now targeting even smaller employers with BIPA lawsuits, seeking to recover astronomical and likely annihilating statutory damages. Recent targets include assisted living facilities,19 a community thrift store,20 and even two non-profit organizations that provide community mental health services and help people with disabilities find jobs.21 Whether these suits have any merit or not, they raise existential threats for businesses that may already be on the ropes from COVID, sustained inflation, and the recent economic downturn. While one or two small businesses shuttering their doors due to BIPA liability might be easier to ignore, suits like these are being filed at a rate of one or two per day.

Second, while almost all BIPA lawsuits were historically filed as proposed class actions, Cothron’s “per-scan” damages rule means that astronomical damages claims may become routine even in individual lawsuits. Unsurprisingly, such claims have now started to proliferate. For example, a former employee recently filed suit against Enterprise Rent-a-Car alleging 4,000 unlawful “scans” of her biometric information during the course of her employment.22 She seeks to recover up to $20 million in statutory damages on her claims alone.23 To put this number in context, it would exceed all but a few of the highest verdicts in personal injury cases tried in Illinois in recent years, which involved catastrophic injuries, permanent disabilities, unimaginable pain and suffering, and, in nearly all cases, death.24 That a plaintiff can seek comparable damages under BIPA for her voluntary use of a biometric timekeeping system without alleging any type of real-world harm or injury presents an extraordinary injustice—and an extraordinary risk for Illinois businesses.

The Future

White Castle has filed a motion for rehearing in Cothron, asking the Illinois Supreme Court to reconsider its decision or, in the alternative, provide further guidance to lower courts regarding their discretion to limit BIPA’s statutory damages.25 Guidance on the discretionary nature of BIPA’s statutory damages is urgently needed for the BIPA lawsuits pending in the lower courts. There are a number of factors that courts should consider when exercising their discretion to limit statutory damages awards under BIPA, consistent with Illinois and federal law:

  • First, BIPA is a remedial statute, not a punitive one.26 Therefore, courts should begin their analysis by asking what amount of damages is necessary to fairly compensate the plaintiff (or class) for their injuries resulting from the alleged BIPA violation. In many cases, this number will be low or even zero.
  • Second, courts should consider what damages award is necessary to meet BIPA’s “preventative and deterrent purposes.”27 In most class actions, a small fraction of the statutory damages theoretically authorized for the class will be sufficient to ensure that defendants will comply with BIPA going forward.
  • Third, courts should consider the level of reprehensibility of the defendant’s conduct. Statutory damages should be assessed differently for a defendant who secretly sells a plaintiff’s biometric data than for a defendant who collected the data for an appropriate purpose but without proper consent or a defendant who obtained consent but may not have complied with one of BIPA’s technical requirements.
  • Fourth, courts should look to civil and criminal penalties imposed in government enforcement actions related to the collection of biometric data from consumers, none of which have even approached $1,000 per affected individual (much less the $5,000 available under BIPA for reckless or intentional violations).
  • Fifth, as the Illinois Supreme Court recognized, BIPA is not designed to destroy businesses that use biometric technology.28 Courts therefore must ask whether the damages award will cause the defendant significant hardship or threaten its very existence. In particular, allowing annihilating damages to be levied against small and unsophisticated companies may be “manifestly unjust.”29

Once these factors are considered, few if any BIPA cases will justify an award of full statutory damages for each alleged “scan,” and many cases—particularly class actions—may not justify an award of $1,000 or $5,000 in statutory damages per person.

Even though reconsideration or clarification of the Illinois Supreme Court’s ruling in Cothron is urgently needed, it is unlikely to be a panacea. Businesses facing enormous damages claims, particularly small businesses, will still be hard-pressed to rely on judicial discretion. Accordingly, the Illinois legislature must accept the court’s invitation to amend BIPA if there is to be a real solution to this problem. An amendment to the statute was recently proposed that would eliminate the pernicious language authorizing statutory damages “for each violation” and afford businesses a fifteen-day period to cure alleged violations before private lawsuits can be initiated.30 These changes would go far towards fixing the problems that BIPA, as construed by the courts, has created, and all of us should impress upon our elected representatives the urgent need for a legislative solution.

Notes

  1. 740 ILCS 14/10.
  2. Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186, ¶ 22.
  3. https://news.bloomberglaw.com/bloomberg-law-analysis/analysis-biometrics-privacy-class-actions-increase-this-year (examining federal court filings); https://www.reuters.com/legal/white-castle-could-face-multibillion-dollar-judgment-illinois-privacy-lawsuit-2023-02-17/.
  4. Tims v. Black Horse Carriers, Inc., 2023 IL 127801.
  5. W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, ¶ 62.
  6. The court also declined to hear another appeal where the two-year limitations period had been directly raised by the defendant. See Marion v. Ring Container Techs., LLC, App. No. 128180.
  7. Cothron v. White Castle Sys., Inc., 2023 IL 128004.
  8. Id. at ¶ 40; see also id. at ¶ 61 (Overstreet, J., dissenting).
  9. Id. at ¶¶ 4-5.
  10. Id. at ¶¶ 22-25.
  11. Id. at ¶ 24.
  12. Id. at ¶¶ 27-30.
  13. Id. at ¶ 40.
  14. Id. at ¶ 12; Law360, BIPA Claims Don’t Mean Ruinous Damages, Ill. Justices Hear.
  15. In Cothron, White Castle estimated its potential liability under a per-scan rule at approximately $17.1 billion, but its estimate is actually very conservative because White Castle assumed only 1,500 total scans per employee and only $1,000 in statutory damages for negligent violations of BIPA as opposed to enhanced damages of $5,000 available for reckless or intentional violations.
  16. Id. at ¶ 42 (emphasis added).
  17. Id. at ¶ 42.
  18. Id. at ¶ 43.
  19. Martinez v. Silverado St. Charles LLC d/b/a Silverado St. Charles Memory Care Community, No. 2023-CH-41 (Kane Cnty., Ill. Cir. Court), filed March 8, 2023; Diaz v. Manorcare Health Services LLC d/b/a Promedica Skilled Nursing and Rehabilitation, No. 2023-CH-2727 (Cook Cnty., Ill. Cir. Court), filed March 21, 2023.
  20. Gutierrez v. Dundee Thrift, Inc., No. 2023-CH-93 (Kane Cnty, Ill. Cir. Court), filed March 8, 2023.
  21. Thomas v. Cornerstone Services, Inc., No. 2023-L-157 (Will Cnty., Ill. Cir. Court), filed March 3, 2023; Villanueva v. Pilsen Little Village Community Mental Health Center, Inc., No. 2023-CH-03329 (Cook Cnty., Ill. Cir. Court), filed April 6, 2023.
  22. York v. Enterprise Holdings, Inc. et al., No. 1:23-cv-01666 (N.D. Ill.), filed March 16, 2023.
  23. Id., Dkt. 1 at ¶ 7, n.1.
  24. https://topverdict.com/lists/2021/illinois/top-10-verdicts.
  25. White Castle’s petition is supported by several amici, including the Illinois Chamber of Commerce and the U.S. Chamber of Commerce, which are represented by Mayer Brown LLP.
  26. See Burlinski v. Top Golf USA Inc., 2020 WL 5253150, at *7 (N.D. Ill. Sept. 3, 2020); Meegan v. NFI Indus., Inc., 2020 WL 3000281, at *4 (N.D. Ill. June 4, 2020); Chavez v. Temperature Equip. Corp., No. 2019-CH-02538, at 8 (Ill. Cir. Ct. Sept. 11, 2019).
  27. Rosenbach, 2019 IL 123186, ¶ 37.
  28. Cothron, 2023 IL 128004, ¶ 42.
  29. Central Mut. Ins. Co. v. Tracy’s Treasures, Inc., 2014 IL App (1st) 123339, ¶ 72.
  30. Ill. H.B. 3199.