On February 17, 2023, the Illinois Supreme Court issued its opinion in Cothron v. White Castle System, Inc., holding that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of the Act. Cothron is the latest decision in a slew of BIPA-related litigation, succeeding Rosenbach, West Bend Mutual Insurance Co., and McDonald, that has defined the landscape of Illinois privacy law in recent years. The holding confirms that companies who are found liable for ongoing BIPA violations may be liable for significant monetary damages.

In Cothron, the plaintiff was an employee White Castle restaurant since 2004. White Castle implemented a system that required its employees to scan their fingerprints to access their pay stubs and computers and utilized a third-party vendor to verify each scan. The plaintiff alleged that White Castle implemented this biometric-collection system without obtaining her consent in violation of the Act. The question that was certified to the Supreme Court was whether claims against private entities for the collection and dissemination of biometric data without notice and consent accrue each time a private entity scans and/or transmits a person’s biometric identifier, or only upon the first scan and first transmission. The Supreme Court held that a separate claim accrues under the Act with each scan and each transmission of biometric information.

With each claim that accrues, the Act provides that a prevailing party may recover liquidated damages of $1,000 or actual damages, whichever is greater, against a defendant that negligently violated the Act, and $5,000 or actual damages, whichever is greater, against a defendant that intentionally or recklessly violated the Act. For companies such as White Castle that were collecting and disseminating scans for more than a decade, the damages assessed could be astronomical.

The Illinois Supreme Court addressed the potentially severe damages that could be assessed for years of repeated violations, stating that “this court has repeatedly held that, where statutory language is clear, it must be given effect, “ ‘even though the consequences may be harsh, unjust, absurd or unwise.’ ”(quoting Peterson v. Wallach, 198 Ill. 2d 439, 447 (2002)). The court held that the legislature intended to subject violators to substantial potential liability to incentivize them to conform to the law and be proactive to prevent violations.

However, the court also noted that trial courts have discretion to fashion a damage award to accomplish these objectives without destroying a defendant’s business. Further, that the legislature apparently chose to make damages discretionary rather than mandatory under the Act. The court further recommended that the Illinois legislature address the policy concerns regarding excessive damages and clarify the language of the Act.

While Illinois biometric privacy law continues to be clarified and tested, it is more clear than ever that private entities should exercise the utmost caution when collection biometric information, or risk significant financial harm.

For more information please contact Audrey E. Gamble, Esquire or Robert D. Tepper, Esquire.