Illinois Supreme Court and Biometric Privacy Cases – The Newest Developments and the Reach Well Beyond Illinois

By: Alexander L. Turner, CIPP/US

Illinois has the strictest biometric privacy law in the country with the Biometric Information Privacy Act (“BIPA”). The BIPA requires employers who collect employees’ biometric data to follow a number of protocols. These protocols include (1) maintaining a written policy about the collection and storage of employee biometric data, (2) providing employees with written notice of that policy, and (3) obtaining informed consent from employees to collect biometric data. The BIPA also provides for a private right of action for individuals harmed by the BIPA violations, with statutory damages up to $1,000 for each negligent violation, and up to $5,000 for each intentional or reckless violation.
 
The question of what constitutes a separate violation was raised recently in Cothron v. White Castle Systems, Inc., 2023 IL 128004 (Feb. 17, 2023). Cothron involves claims brought by a White Castle restaurant manager on behalf of a putative class of White Castle employees regarding White Castle’s use of employee fingerprints to allow them to access their paystubs. Plaintiff alleges that White Castle violated the BIPA by unlawfully collecting employees’ biometric information and improperly disclosing their biometric data to White Castle’s third-party payroll vendor. White Castle argued that Plaintiff’s claims were barred by the statute of limitations because claims brought pursuant to sections 15(b) and 15(d) of the BIPA accrue only once, when the biometric data is collected. Plaintiff disputed White Castle’s interpretation and argued that a new claim under the BIPA accrued each time White Castle collected her biometric data and sent it to the third-party payroll vendor. In a 4-3 split decision, the Illinois Supreme Court sided with Plaintiff, holding that a separate claim for damages arises each time a business fails to seek permission to gather biometric data from employees or consumers, or fails to disclose retention plans for that information. While this decision appears to be a huge victory not only for Plaintiff, but for the Illinois Plaintiff Bar, the Cothron court clarified that the award of damages is discretionary and not mandatory. So even if there is a finding of multiple violations of the BIPA for each biometric scan and subsequent transmittal, the court can decide not to award any damages. It is unclear what approach trial courts will take regarding the award of damages, so companies cannot base their biometric collection practices on the hope that trial courts will not award damages in the event of a finding of violations of the BIPA.
What is known is that the Illinois courts are now going to be flooded with the BIPA litigations that were stayed pending the decision in Cothron.
 
This ruling has significant impacts both inside and outside of Illinois. For employers who collect the biometric data of employees in Illinois, the statutory damages can quickly accumulate due to hundreds, if not thousands, of violations of the BIPA for just one employee. Multiply that by the total number of employees your company employs in Illinois, and one class action could be financially ruinous. Either your company invests in rigorous compliance with the BIPA, or avoids the issue altogether by eliminating the collection of employee biometric data. 
 
This decision also affects employers in other states because many states, such as Maryland, Mississippi, and New York, are looking to pass biometric privacy laws that allow for private rights of action. Because the pending legislation in these states closely resembles or is based on the BIPA, the ruling in Cothron may impact the judicial interpretation of these statutes, once passed. This decision also impacts companies that are outside of Illinois, but have employees and/or customers inside Illinois. A careful analysis of your company’s biometric data collection practices is needed if you do business in Illinois, or any other state that has a biometric privacy statute that allows for a private right of action. If you need assistance with compliance with the biometric privacy laws in the states in which you do business, then please contact Spilman’s Cybersecurity and Data Privacy Practice.