Collecting Entity Liable for Each Scan of Biometric Information
(February 21, 2023) Entities that collect, store, or share biometric information without obtaining the person’s written permission in Illinois may be liable for damages for each scan or transmission of the individual’s information under a ruling by the Illinois Supreme Court.
Under the Biometric Information Privacy Act (“BIPA”), no private entity may collect, capture, receive, or disclose biometric information from a person without having informed the person that the information is being collected, what the specific purpose of the collection is, and how long the information will be retained. The collecting or disclosing entity also must receive a written release for the collection or distribution. Biometric information includes but is not limited to fingerprints. BIPA allows a party to sue to obtain statutory damages of $1,000 to $5,000 for each violation.
In the case before the Illinois Supreme Court, an employee of White Castle was required to scan her fingerprint to access her pay stubs and computers. A third-party vendor had access to the database. The Illinois Supreme Court was asked by the Seventh Circuit whether each scan or distribution was a separate cause of action or if damages were limited to when the fingerprint was first scanned into the database.
The plaintiff argued that a new cause of action accrued each time she scanned her fingerprints and each time White Castle sent her biometric data to the vendor. White Castle argued that, once it obtained the fingerprint, the biometric information was disclosed, so any subsequent scanning of the fingerprint was merely to validate her access and any invasion of her interest and injury occurred (and damages are appropriate) only related to the first scan.
The Illinois Supreme Court disagreed with White Castle, finding that a plain reading of the language of BIPA confirms that a party violates BIPA not only the first time an entity scans a fingerprint but also for each subsequent scan or collection.
White Castle further argued that to allow a cause of action for each violation could potentially result in “astronomical” damages. White Castle estimated that, if plaintiff is successful and allowed to bring claims as a class of as many as 9,500 current and former employees, class-wide damages may exceed $17 billion. The court said that subjecting private entities that fail to follow the statute’s requirements to substantial potential damages “is one of the principal means” that the Illinois legislature adopted to achieve BIPA’s objections of protecting biometric information. However, the Court observed that there is no language in BIPA suggesting that a damage award would result “in the financial destruction of a business.” To avoid such a result, the Court suggested the legislature review “these policy concerns and make clear its intent regarding the assessment of damages” under BIPA.
The dissent in the case argued that it was “axiomatic” that an entity may collect a person’s biometric information only once and that with subsequent authentication scans “the private entity is not obtaining anything it does not already have.” In other words, the dissent found, the subsequent scans did not collect any new information and the plaintiff “suffered no additional loss of control over her biometric information.”
Cothron v. White Castle System Inc., 2023 IL 128004, filed February 17, 2023.