Illinois Supreme Court’s Most Recent BIPA Decision Exponentially Increases Potential Exposure for Businesses

In what is becoming a pattern, the Illinois Supreme Court recently issued another decision interpreting the Biometric Information Privacy Act (“BIPA”) to expand potential liability for businesses. The court held in Cothron v. White Castle that each time a business collects or discloses an individual’s biometric data without first obtaining BIPA-compliant consent, a separate claim accrues under BIPA. BIPA authorizes statutory damages of $1,000 for “each violation” of the statute—and $5,000 if the violation is found to be intentional or reckless. Even before this decision, companies with many customers or employees faced massive potential exposure under BIPA—often in the millions and sometimes billions of dollars. But under Cothron, that threatened exposure is multiplied many times over given that a new claim can accrue with each repeated collection or disclosure (for example, each time an employee clocks in and out of work using a fingerprint timekeeping system). And Cothron follows on the heels of another recent Illinois Supreme Court decision, Tims v. Black Horse Carriers, that declared that a 5-year statute of limitations applies to all BIPA claims.

Together, these decisions sound a six-alarm fire for businesses with customers or employees in Illinois. Those businesses—most of which have long been painfully aware of BIPA—must now take the threat of BIPA litigation even more seriously and should consider a number of options in response, including:

• Reviewing any existing BIPA disclosures and consent mechanisms to ensure that they are airtight and considering whether to expand those compliance measures to cover additional products and services that might draw the attention of the plaintiffs’ bar;
• Considering whether to make certain products or services available in Illinois at all;
• To the extent feasible, exploring technological solutions aimed at ensuring that any data arguably regulated by BIPA is processed and stored locally on devices owned and controlled by users rather than on company servers; and
• Approaching the Illinois legislature about possible amendments to BIPA.

BIPA defendants may also be able to use Cothron in support of certain defenses in appropriate circumstances, including:

• That Federal Rule of Civil Procedure 23(b)(3)’s superiority requirement is not satisfied in federal BIPA class actions to the extent that each putative class member may be capable of suing individually to recover a substantial amount;
• That under section 20 of BIPA, damages are expressly discretionary and courts presiding over BIPA class actions must exercise that discretion and consider principles of equity before awarding damages; and
• That any uncapped damages award would violate due process because it would be highly unreasonable and wholly disproportionate to the conduct at issue.

DISCUSSION

Cothron’s Factual and Procedural Background

In 2018, plaintiff Latrina Cothron sued her long-time employer White Castle System, Inc. (“White Castle”) under BIPA. She alleged that White Castle violated sections 15(b) and 15(d) of the statute—the collection and disclosure provisions—each time she clocked into work by collecting a fingerprint from her and disclosing it to a third-party vendor without first obtaining her consent. White Castle moved for judgment on the pleadings, arguing that Cothron’s claim was untimely. White Castle contended that Cothron’s BIPA claim accrued in 2008, the first time it scanned her fingerprint after BIPA’s enactment. Because the only violation occurred back in 2008, White Castle argued, the limitations period for BIPA claims had long since expired by the time Cothron filed suit in 2018.¹

The district court disagreed. It held that “each time an entity” collects or discloses biometric data without consent “it violates the statute.”² Recognizing the importance and debatable nature of its holding, the district court certified that legal question to the Seventh Circuit under 28 U.S.C. § 1292(b). The Seventh Circuit likewise acknowledged the “novelty and uncertainty” of the issue and certified the following question to the Illinois Supreme Court: “Do section 15(b) and 15(d) [BIPA] claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?”³

The Illinois Supreme Court’s Decision

The Illinois Supreme Court ruled 4-3 that a distinct claim arises under sections 15(b) and 15(d) of BIPA each time an entity collects or discloses an individual’s biometric identifiers or biometric information. The court pointed to the statutory language—which prohibits a private entity from “collect[ing] . . . a person’s . . . biometric identifier or biometric information, unless it first” provides certain disclosures and obtains consent—and “disagreed . . . that [unlawful collection] can happen only once.” Rather, it held that based on BIPA’s text, “[a] party violates Section 15(b) when it collects . . . a person’s biometric information with informed consent” and that “this is true the first time an entity . . . collects biometric information, but it is no less true with each subsequent scan or collection.” For similar reasons, the court concluded that a private entity likewise violates section 15(d) (which contains similar operative language) each time it discloses a person’s biometric data to a third party.

The court then addressed what it called White Castle’s “nontextual” argument that the per-scan interpretation would lead to ruinous damages awards and therefore is inconsistent with legislative intent. To bolster this argument, White Castle estimated that if it were found liable for statutory damages “per-scan,” class-wide damages for its approximately 9,500 past and present employees would exceed $17 billion. Despite this astronomical figure, the court remained unpersuaded and held that “where statutory language is clear, it must be given effect, even though the consequences may be harsh, unjust, absurd.”

The court also expressed doubt that such crippling awards would actually be imposed, citing language in section 20 of BIPA, which provides that a prevailing party “may recover [statutory damages] for each violation.” Based on this language, the court stated: “It … appears that the General Assembly chose to make damages discretionary rather than mandatory under the Act” (emphasis added). The court also pointed out that there is “no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.” The court nevertheless acknowledged the risk that BIPA could give rise to “excessive damages awards” and called for the legislature to “review these policy concerns” and “make clear its intent” regarding the proper scope of damages under BIPA.

In a dissenting opinion, three justices expressed the view that subsequent scans of the same person’s biometric data do not constitute separate violations of BIPA. The dissent explained that the “precise harm” that BIPA sought to prevent “was an individual’s loss of the right to maintain biometric privacy.” And that harm is fully realized the first time an entity collects biometric data without consent. Additional scans of the same finger, eye, or face do no additional harm to an individual, the dissent reasoned, because “[w]ith subsequent authentication scans, the private entity is not obtaining anything it does not already have.” Therefore, in the dissent’s view, an entity such as White Castle could violate each sub-section of BIPA only once: at the time of the initial collection or disclosure. Because those events occurred in 2008, Cothron’s claims were time-barred.

The dissent also sharply criticized the majority for interpreting BIPA in a way that will lead to “consequences that the legislature could not have intended.” According to the dissent, when a statute is susceptible of multiple interpretations, courts should “assume that the legislature did not intend to produce an absurd or unjust result.” The dissent then identified three such consequences of the majority’s interpretation.

• First, the majority’s per-scan approach gives plaintiffs an incentive to wait for as long as possible to assert their claims so that the number of violations and corresponding damages continue “racking up.”
• Second, the per-scan rule exposes businesses that use ubiquitous technologies such as fingerprint timekeeping systems without following all of BIPA’s technical requirements to astronomically greater liability than a nefarious actor who sells consumers’ biometric data without their consent, as the former violates BIPA multiple times per plaintiff while the latter does so only once.
• Third, the majority’s interpretation “could easily lead to annihilative liability for businesses.” Citing White Castle’s $17 billion liability estimate, the dissent lamented that the per-scan approach could “[i]mpos[e] punitive, crippling liability on businesses,” a result that is irreconcilable with BIPA’s legislative findings. Indeed, those findings make clear that the legislature “recognized the utility of biometric technology and wanted to facilitate its safe use,” not to “discourage its use altogether.”

IMPLICATIONS OF COTHRON AND STEPS FORWARD

The Cothron decision is the latest of several decisions that have consistently expanded the scope of potential liability under BIPA. It is the most significant since Rosenbach v. Six Flags, which held that a plaintiff is “aggrieved” for the purposes of BIPA whenever a private entity fails to comply with one of BIPA’s requirements in connection with the plaintiff’s data—regardless of whether the plaintiff could show any concrete, real-world harm.⁴ Rosenbach flung wide open the floodgates to BIPA lawsuits. These lawsuits have been proliferating; nearly 2,000 class actions have reportedly been filed since 2017 alone, and federal class actions under BIPA increased nearly six-fold between 2018 and 2020.⁵ Cothron makes matters worse, encouraging plaintiffs to argue for hundreds or even thousands of statutory damages awards per class member in cases where the alleged collection or disclosure of biometric data occurred repeatedly.

Given this development, businesses should take the opportunity to reassess their approaches to identifying and mitigating BIPA risk, including the risk of litigation.

Considerations for Businesses Operating In Illinois

In the wake of Cothron, businesses that utilize fingerprint scanners or other biometric identification systems in Illinois should review their BIPA disclosures and consent regimes to ensure that they are rock-solid. Furthermore, companies that use other technologies that are not generally considered “biometric” but have nonetheless been the target of recent BIPA lawsuits—virtual try-on technology, for example⁶—should consider implementing BIPA-compliant consent procedures, retention policies, and public-facing disclosures to discourage distracting and potentially costly BIPA litigation.

Next, some companies may wish to remove themselves from BIPA’s reach altogether by not launching certain products and features in Illinois. Even before Cothron, some companies may have reached this conclusion. For example, in 2018, it was reported that Google withheld a popular feature on one of its apps that compared user-uploaded selfies to faces appearing in famous works of art from users in Illinois reportedly due to concerns about over-reaching BIPA lawsuits.⁷ Companies that offer similar products and services enjoyed by consumers will need to consider now whether making them available in Illinois is worth the risk.

Alternatively, some companies may be able to explore product designs that exclusively use “on-device” processing and storage for any data potentially covered by BIPA. Because BIPA only applies to private entities that “possess[],” “collect,” “capture,” or “otherwise obtain” biometric data, local storage is a potentially effective risk mitigation strategy. Although a number of cases in which this defense has been raised remain pending, an Illinois appellate court recently affirmed dismissal of BIPA claims brought by a proposed class of iPhone users who used Apple’s Face ID feature because the plaintiffs did not “dispute that [their] biometric information is stored [only] on the user’s own device.”⁸

Finally, Cothron might present an opportunity for the business community to petition the Illinois legislature to intervene and clarify BIPA’s private right of action and damages provisions. Although prior initiatives to amend these aspects of the statute were unsuccessful, Cothron may galvanize the legislature to finally take action. The need for amendments to BIPA has become increasingly urgent for the business community: BIPA lawsuits continue to proliferate, and post-Cothron, the statutory damages that plaintiffs will seek under BIPA is likely to skyrocket. Furthermore, the Cothron majority itself called for the legislature to review and clarify BIPA’s scope. Congress’s 2008 amendments to the private right of action in the Fair and Accurate Credit Transactions Act (“FACTA”)—which followed an effective lobbying campaign mounted by affected businesses—could provide a model for a potential legislative solution: elimination of retrospective liability combined with giving businesses an opportunity to come into compliance with the law and thereby avoid the risks of future class action litigation.⁹

Cothron’s Impact on Legal Arguments Available to Defendants in BIPA Cases

Defendants in BIPA cases may also be able to raise new legal arguments based on Cothron.

First, BIPA defendants may be able to point to Cothron when opposing class certification in federal court. To the extent that Cothron appears to authorize substantial individual damages awards (especially where the plaintiff interacts with the defendant’s technology more than once), defendants have additional grounds to argue that Rule 23(b)(3)’s superiority requirement is not satisfied in BIPA cases. The Supreme Court has recognized that “[w]hile the text of Rule 23(b)(3) does not exclude from certification cases in which individual damages run high, the Advisory Committee [for Rule 23(b)(3)] had dominantly in mind vindication of the rights of groups of people who individually would be without effective strength to bring their opponents into court at all.”¹⁰ Following this guidance, courts have found that the superiority prong is not met in cases where individual plaintiffs stand to recover substantial amounts.¹¹ For example, the Ninth Circuit recently recognized that “even though the large damages awards the class members stand to gain are not sufficient on their own to overcome Rule 23(b)(3) certification, they support doing so.”¹² Defendants should be able to draw upon this case law when opposing class certification post-Cothron, although the case law is not uniform.

Second, defendants can leverage language from the Cothron majority opinion that emphasizes the discretion that courts possess when awarding damages under BIPA. Specifically, the majority offered a couple of reasons for why it was not convinced that the per-scan approach would inevitably lead to “possibly . . . unconstitutional” damages awards. First, it noted that the “General Assembly chose to make damages discretionary rather than mandatory,” citing section 20’s “may recover” language (emphasis in original). And second, it held that courts presiding over class actions should equitably fashion awards such that they do not “destroy[] [the] defendant’s business.” These passages will be helpful to any BIPA defendant arguing for a reduced damages award.

Third, BIPA defendants can pair this statutory interpretation argument with a constitutional one: if a court does not properly exercise its discretion to reduce class-wide damages, the resulting award could in many instances violate due process. Courts are increasingly accepting the argument that excessive statutory damages awards can violate due process. The Ninth Circuit recently vacated a statutory damages award of over $900 million in a Telephone Consumer Protection Act (TCPA) case on grounds that the district court failed to properly consider the due process implications of such an award (however, the panel also noted that reducing statutory damages awards should not be done lightly and “must be reserved for circumstances” in which the award is “gravely disproportionate to and unreasonably related to the legal violation committed”).¹³ The Eighth Circuit similarly affirmed a district court’s decision to reduce a $1.6 billion TCPA verdict to $32 million because the original award was “so severe and oppressive as to be wholly disproportioned to the offense and obviously unreasonable.”¹⁴ And while the Seventh Circuit ultimately affirmed a $280 million verdict in a TCPA case, it noted that the district court had only charged the defendant $4 per violation and that imposing the statutory maximum of $10,000 per violation “would be impossible to justify.”¹⁵ Defendants who find themselves on the wrong side of a massive BIPA award should be able to leverage these precedents in arguing for a reduction. An expected appeal of a $228 million verdict entered against BNSF Railway in the first BIPA case tried to a jury—though each class member in that case was only permitted to recover one statutory damages award—may provide additional guidance on how courts will approach due process arguments in BIPA litigation.¹⁶

CONCLUSION

Cothron represents yet another obstacle for defendants facing BIPA litigation. Businesses should not delay ensuring that they are complying with BIPA and should consider adopting creative litigation and compliance strategies such as the ones discussed in this Legal Update.

¹ As noted above, earlier this month the Illinois Supreme Court ruled that BIPA claims are governed by a five-year statute of limitations period. See Tims, et al. v. Black Horse Carriers, Inc., Case No. 127801 (Ill. Feb. 2, 2023).

² Cothron v. White Castle System, Inc., 477 F. Supp. 3d 723, 733 (N.D. Ill. 2020).

³ See Cothron v. White Castle System, Inc., 20 F.4th 1156, 1167 (7th Cir. 2021).

⁴ Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186, ¶ 29, 129 N.E.3d 1197, 1205.

⁵ See https://www.reuters.com/legal/white-castle-could-face-multibillion-dollar-judgment-illinois-privacy-lawsuit-2023-02-17/; https://news.bloomberglaw.com/bloomberg-law-analysis/analysis-biometrics-privacy-class-actions-increase-this-year.

⁶ See https://news.bloomberglaw.com/privacy-and-data-security/as-virtual-try-on-fashion-technology-grows-so-do-legal-risks.

⁷ See https://www.illinoispolicy.org/privacy-law-prevents-illinoisans-from-using-google-apps-selfie-art-feature/.

⁸ See Barnett v. Apple Inc., 2022 IL App (1st) 220187, ¶¶ 3, 58.

⁹ FACTA required merchants to remove all but the last five digits of a consumer’s credit or debit card on electronically printed receipts as well as the card’s expiration date. See 15 U.S.C. § 1681c(g)(1). Like BIPA, FACTA permitted plaintiffs to recover substantial statutory damages for technical violations of its provisions and spurred a wave of class action lawsuits that sought crippling awards under the statute. After being approached by regulated parties—many of whom were actively defending FACTA class actions—Congress not only amended the statute but made that amendment apply retroactively to eliminate liability in certain circumstances.

¹⁰ Amchem Prods., Inc. v. Windsor, 521 U.S. 591, 617 (1997) (internal quotation marks omitted).

¹¹ See, e.g., Dent v. Nat’l Football League, 2021 WL 3885954, at *14 (N.D. Cal. Aug. 31, 2021) (“[W]here putative class members claim relatively large damages, this [superiority] factor weighs against class action.”); see also Parker v. Time Warner Ent. Co., L.P., 331 F.3d 13, 22 (2d Cir. 2003) (noting that the combination of “a statutory scheme that imposes minimum statutory damages awards on a per-consumer basis” and “the class action mechanism that aggregates many claims” may “raise due process concerns”). To be sure, Murray v. GMAC Mortgage Corporation—which found that the prospect of a massive aggregated statutory damages award does not preclude certification and instead should be considered only “after a class has been certified”—may make it more challenging to advance this argument at the class certification stage in the Seventh Circuit. See 434 F.3d 948, 953-54 (7th Cir. 2006). But in Murray, the maximum statutory damages award that the named plaintiff stood to recover was only $1,000—under Cothron, a single BIPA plaintiff could potentially seek millions. Id. at 953. And in any event, Murray does not preclude the post-trial assertion of a due process challenge to an outsized class-wide award of statutory damages.

¹² See Bowerman v. Field Asset Servs., Inc., --- F.4th ---, 2023 WL 2001967, at *9 n. 8 (9th Cir. Feb. 14, 2023).

¹³ See Wakefield v. ViSalus, Inc., 51 F.4th 1109, 1123 (9th Cir. 2022); see also Montera v. Premier Nutrition Corp., 2022 WL 3348573, at *6 (N.D. Cal. Aug. 12, 2022) (reducing statutory damages under New York’s General Business Law from $91 million to $8.3 million based on due process concerns).

¹⁴ See Golan v. FreeEats.com, Inc., 930 F.3d 950, 963 (8th Cir. 2019) (quoting St. Louis, I.M. & S. Ry. Co. v. Williams, 251 U.S. 63, 67 (1919)).

¹⁵ United States v. Dish Network L.L.C., 954 F.3d 970, 980 (7th Cir. 2020).

¹⁶ See https://news.bloomberglaw.com/privacy-and-data-security/biometric-privacy-perils-grow-after-bnsf-loses-landmark-verdict.