In the first quarter of 2023, the Illinois Supreme Court issued two rulings with broad implications for cases arising under the Illinois Biometric Protection Act, 740 ILCS 14/1, et seq., (BIPA). BIPA is one of the only state statutes providing individuals with a private right of action for the collection or possession of their biometric identifiers—such as fingerprints, voice prints, and iris and facial scans—without prior consent. Courts have experienced an explosion of BIPA litigation over the past several years, fueled in part by the increasing use of biometric technology.
This litigation has brought to the fore two crucial issues regarding the statute. The first is whether Illinois’ one-year limitations period for privacy claims or its five-year catchall provision for civil actions applies to BIPA. The second issue is whether a cause of action and the right to statutory damages accrues only when an individual’s biometric identifiers are first collected, or each time that the identifier is used. Much to the chagrin of many a corporation and its counsel, the court answered both of those questions with extremely pro-plaintiff decisions. Basing its findings on the statutory language and legislative intent behind the statute, in Tims v. Black Horse Carriers, Inc., Docket No. 127801, 2023 IL 127801(Feb. 2, 2023), the court found that the five-year catchall statute of limitations applies to all provisions of BIPA. In Cothron v. White Castle System, Inc., Docket No. 128004, 2023 Il 128004 (Feb. 17, 2023), the court found that given the legislative intent behind the statute, each use of an individual’s biometric identifier gives rise to statutory damages.
To understand the context for the Tims and Cothron rulings, it is important to understand the legislative intent and language of BIPA. In the early 2000s, major national corporations started using Chicago and other locations in Illinois to test “new [consumer] applications of biometric-facilitated financial transactions, including finger-scan technologies at grocery stores, gas stations, and school cafeterias.” 740 ILCS 14/5(b).
In late 2007, a biometrics company called Pay By Touch—which provided major retailers throughout the State of Illinois with fingerprint scanners to facilitate consumer transactions—filed for bankruptcy. That bankruptcy alarmed the Illinois legislature because it viewed the bankruptcy as a serious risk that millions of fingerprint records—which are unique biometric identifiers linked to people’s sensitive financial and personal data— could be sold, distributed, or otherwise shared through the bankruptcy proceedings without adequate protections for Illinois citizens.
Recognizing the “very serious need [for] protections for the citizens of Illinois when it [came to their] biometric information,” Illinois enacted BIPA in 2008. See Illinois House Transcript, 2008 Reg. Sess. No. 276; 740 ILCS 14/5. In enacting BIPA, the Illinois state legislature found that “biometrics . . . are biologically unique to the individual” and that “once compromised, the individual has no recourse.” 740 ILCS 14/5 (c) (g). Therefore, BIPA works by imposing safeguards to ensure that an individual’s privacy rights in their biometric identifiers or biometric information are properly protected. It does this by subjecting private entities who fail to follow the statute’s requirements to substantial liability, including liquidated damages, attorney fees, injunctive relief and statutory damages of $1,000 per violation if negligent or $5,000 per violation if intentional.
Specifically, BIPA imposes upon private entities that collect or are in possession of biometric identifiers or information the duties to:
(a) Develop a written policy establishing a retention schedule and guidelines for permanently destroying such biometric identifiers or information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first; (740 ILCS 14/15(a))
(b) Inform a person in writing that their biometric identifiers or information are being collected or stored, the purpose therefor, and the period that they will be stored or used, and obtain a written consent or release; (740 ILCS 14/15 (b))
(c) Not sell, lease, trade or otherwise profit from a person’s biometric identifier or information without consent; (740 ILCS 14/15(c))
(d) Not disclose, redisclose, or otherwise disseminate a person’s biometric identifier or information without consent; (740 ILCS 14/15(d))
(e) Store, transmit and protect from disclosure all biometric identifiers and use a reasonable standard of care, and protect them in a manner that is the same or more protective than the manner in which the private entity stores, transmits, and protects other confidential information. (740 ILCS 14/15 (e)).
740 ILCS 14/15 (West 2018).
In Tims, the Illinois Supreme Court held that a five-year statute of limitations found in Illinois’ catchall statute of limitations provision under 735 ILCS 5/13-205 is the applicable statute for all provisions of BIPA. In an effort to stem the tide of BIPA cases, corporate defendants had been arguing that a one-year provision found in Illinois’ privacy statute was the applicable provision. See 735 ILCS 5/13-201. Specifically, defendants argued that Section 13-201 was applicable because it governs the limitations for actions for “slander, libel and for publication of matter violating the right of privacy.” Id. They reasoned that Sections 15(c) (relating to the sale, lease, etc. of biometric information) and (d) (relating to the disclosure or redisclosure of biometric information), effectively require the publication of private information requiring the application of Section 13-205. The intermediate appellate court from which Tims was appealed agreed, holding that Sections 15(c) and (d) were governed by the one-year statute for privacy actions, while the remaining provisions were governed by the five-year catchall.
The Illinois Supreme Court rejected the holding that BIPA could be controlled by two different statutes of limitations. While the court admitted that Sections 15(c) and (d) could be interpreted as requiring publication, it found that such an interpretation would not fulfill the legislative intent behind the statute, which would be best served by application of the five-year statute. The court found this interpretation was also consistent with the terms of 735 ILCS 5/13-205, the catchall provision, which applies to all civil actions not otherwise containing a statute of limitations period, like BIPA. It found that shortening the time for bringing an action would thwart the legislative intent of lessening the risks attendant to the collection and disclosure of biometric information. It further reasoned that defamation torts, like libel and slander, were subject to the shorter statute of limitations period under Section 13-201 because an aggrieved individual would be expected to become quickly apprised of such an injury but the full ramifications of harms stemming from the misuse of biometric technology is unknown and it is unclear if or when an individual would discover evidence of the disclosure of his biometrics.
On February 17, the court issued Cothron. In Cothron, the court found that a BIPA cause of action accrues every time that a biometric identifier is used. Under Cothron, companies using fingerprint time clocks would be liable not only upon the collection of the initial baseline fingerprint but also each time an employee’s fingerprint is used to clock in and out of work. The implications of this holding for defendants subject to BIPA suits are devasting. Appellant White Castle, for instance, argued that its liability to a class of about 9,500 persons could be as much as $17 billion.
The court considered the admonitions from the defendant and various other business groups that such an interpretation could result in crippling liability for corporate defendants, many of whom are not large companies. It nonetheless held that the plain language of the statute supports the conclusion that a new cause of action accrues upon each transmission of a person’s biometric identifier or information without prior informed consent. Citing its prior decision in Rosenbach v. Six Flags Entertainment Corp., Docket No. 123186, 2019 IL 123186 ¶ 38 (Jan. 25, 2019), the court explained that, “Rosenbach clearly recognizes that the statutory violation is the ‘injury’ for purposes of a claim under the Act.” In response to White Castle’s and various amici’s concerns that such an interpretation would constitute “annihilative liability,” the court found that the statutory language was clear and must be given effect. Id. ¶ 40.
The argument, however, did not fall on deaf ears, as the court explained that the extensive liability resulting from its finding could be addressed by courts under 740 ILCS 14/20. Emphasizing the statute’s language that a “prevailing party may recover” the statutory damages set forth in Sections 20(1) and (2), the court interpreted that language as giving courts discretion as to how they award damages, and noted that the state legislature could address this issue in the future.
Originally published by the ABA, Privacy and Data Security Committee, Articles, March 6, 2023. The material in all ABA publications is copyrighted and may be reprinted by permission only.