Illinois Supreme Court to Decide Biometric Data Case with Far-Reaching Implications for Employers
September 14, 2022
Update 9/14/2022: The case of Cothron v. White Castle was argued before the Illinois Supreme Court in May 2022, with a decision still pending. We will continue to monitor the case and provide an update when available.
Illinois’ Biometric Information Privacy Act (BIPA) continues to generate buzz and significant litigation. In 2020, ADP and Facebook each entered into multi-million dollar settlements to resolve claims that they violated the Act, and this year the Illinois Supreme Court will consider a case that centers around the notice and permission obligations of BIPA. While a few other states have statutes that protect biometric data, Illinois is the only state that gives employees a private right of action for violations.
BIPA has been the law in Illinois since 2008, but its requirements continue to surprise businesses. At its heart, BIPA is a law crafted to protect individuals’ biometric information – fingerprints, retina scans, face scans, and the like. Relevant to employers, BIPA requires that if an employer is going to use or store biometric information, it must first meet burdensome requirements, including obtaining written consent and posting policies on websites.
Employers that fail to meet these requirements face the following penalties:
- Negligent violations: $1,000 in liquidated damages or actual damages (whichever is greater)
- Intentional or reckless violations: $5,000 or actual damages (whichever is greater), along with attorneys’ fees/costs and any additional appropriate relief the court may decide.
However, what isn’t clear is what constitutes a violation – is the employer’s practice of using biometric information a single violation, or is it a separate violation each time an employee registers their finger or eye scan?
The Illinois Supreme Court is set to decide this question in Cothron v. White Castle, and its holding could have far-reaching implications for companies with Illinois employees. In the case, the plaintiff alleges that White Castle failed to take action when BIPA was enacted, and instead waited 10 years to meet the law’s notice and consent requirements. The plaintiff claims that every time she and fellow employees logged into their computer with their fingerprint scan over the course of those 10 years was a separate violation of BIPA. White Castle takes the position that the penalty should only be assessed once.
The decision is likely to have significant implications for Illinois employers who use biometric information. If the court rules that there was a single violation, penalties would be limited. If, on the other hand, the court decides that each instance is a separate violation, the damages could be staggering, opening the door to a new flurry of litigation.
If your company uses – or previously used – biometric information (such as finger, face, hand, or retina scan timeclocks or entry devices), it’s critical that you confirm that you are complying with BIPA’s requirements. You should also determine if there are ways to reduce any potential liability for past activities. Attorneys from our Labor & Employment Group and Cybersecurity Team continue to monitor legal developments regarding biometric data and are happy to assist with evaluating and updating processes to ensure compliance and mitigating exposure from past violations.