Recent Illinois Biometric Information Privacy Act Decision Could Have a “Crippling” Impact on Businesses

After recent multi-million dollar settlements by Google, Snapchat, Facebook, and TikTok involving claims for alleged violations of the Illinois Biometric Information Privacy Act (“BIPA”) (as highlighted in our recent blog post on the issue), and the first jury verdict of $228m under BIPA (as discussed in a subsequent blog post), the perils of BIPA continue to increase with the Illinois Supreme Court’s February 17, 2023 decision in Cothron v. White Castle System, Inc., 2023 IL 128004, which held that a claim under BIPA accrues each time biometric information is collected and disclosed rather than accruing on the first collection or disclosure of such information. This could mean that each separate collection of biometric data between the same parties constitutes a separate violation of BIPA, which allows damages of $1000-$5000 per violation.

In the case at issue, White Castle estimated that damages on behalf of its 9500 current and former employees who scanned their fingerprints multiple times per shift could exceed $17 billion. Although the Court recognized “the potential for significant damages” under its ruling, it stated that “the legislature intended to subject private entities who fail to follow the statute’s requirements to substantial potential liability.”

The dissent argued that the claim should only accrue on the first collection or disclosure of the information, as a person’s biometrics can only be obtained once, and that “imposing punitive, crippling liability on businesses could not have been a goal of the Act, nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm.”

In light of the recent large settlements, the even larger jury verdict, and the Illinois Supreme Court’s ruling in the White Castle case, companies doing business in Illinois should expect more BIPA suits with even higher settlement demands and should closely monitor any biometric information that may be collected from residents of Illinois (by the company or its vendors) to ensure that any such collection complies with BIPA. It is also critical to ensure that contracts with vendors that may collect biometric information from residents of Illinois contain appropriate assurances that the vendor will comply with BIPA, audit rights to verify compliance, and indemnification rights for any violations of BIPA by the vendor.