Compliance tips in advance of Cothron Illinois Supreme Court BIPA claim accrual ruling
By David J. Oberly, Biometric Privacy & Data Privacy Attorney
Illinois Supreme Court’s much-anticipated opinion in Cothron v. White Castle Sys., which will definitively resolve the currently unsettled issue of claim accrual in Illinois Biometric Information Privacy Act (“BIPA”) class action litigation. Depending on how the court answers the question of whether every discrete failure to comply with BIPA’s requirements amounts to a separate, independent violation of the statute, the scope of liability exposure and damages underlying BIPA class actions may soon skyrocket even higher for those companies that leverage the benefits of biometric technology in their day-to-day operations.
Claim Accrual in BIPA Class Action Litigation
At this time, the most significant unsettled issue in BIPA litigation is—far and away—the issue of claim accrual. As a general matter, the Illinois Supreme Court has explained that a claim accrues and “a limitations period begins to run when facts exist that authorize one party to maintain an action against another.” However, under the “continuing tort” or “continuing violation” exception to the general rule governing accrual, “where a tort involves a continuing or repeated injury, the limitations period does not begin to run until the date of the last injury or the date the tortious acts cease.”
In the specific context of BIPA class actions, accrual can serve as the basis for a statute of limitations defense, which, if successful, may require dismissal. But the issue is even more consequential in the context of damages and determining the overall value of biometric privacy class actions. If continuing BIPA violations constitute separate, independent claims, then the associated statutory negligent damages of $1,000 per violation and intentional/reckless damages of $5,000 per violation would compound for each subsequent violation of BIPA. And because the law provides for liquidated damages for each violation, a ruling that claims accrue each time a defendant runs afoul of the law’s requirements could expand BIPA liability exponentially.
The operative question at issue in Cothron is whether alleged BIPA violations accrue only the first time Section 15 is violated (for example, the first time an employee scans his or her fingerprint) or, alternatively, whether each subsequent, separate violation constitutes a distinct and separately actionable violation (i.e., each subsequent fingerprint scan). Put another way, does a claim accrue only on the date of the first biometric scan, or does a claim accrue separately for each scan? Stated in broader terms, the disagreement is whether BIPA should be treated like a junk-fax statute for which a claim accrues for each unsolicited fax, or instead like certain privacy and reputational torts that accrue only at the initial publication of defamatory material.[1]
Current Legal Landscape
At the end of 2021, two developments laid the groundwork for a definitive resolution of the claim accrual question. First, in mid-December 2021, an Illinois appellate panel in Watson v. Legacy Healthcare Financial Services, LLP, held that BIPA claims accrue each and every time a defendant collects biometric information in violation of the statute, as opposed to only at the first instance of collection.
Just a few days after Watson, the Seventh Circuit Court of Appeals issued its decision in Cothron. But rather than decide when a BIPA claim accrues, and after acknowledging the existence of Watson, the Cothron court certified the question to the Illinois Supreme Court to provide definitive guidance, given that “[w]hether a claim accrues only once or repeatedly is an important and recurring question of Illinois law implicating state accrual principles as applied to this novel state statute. It requires authoritative guidance only the state’s highest court can provide.”
While neither opinion provides a conclusive answer, this weighty issue is now set to be definitively decided by Illinois’s highest court.
What to Do Now: Practical Compliance Tips
Fortunately, the forthcoming Cothron opinion will offer much-needed clarity regarding the scope of statutory damages at issue for purported BIPA violations. On the other hand, if Illinois Supreme Court rejects a ‘one and done’ theory of accrual, and instead applies the continuing violation theory to BIPA claims, the overall scope of potential damages—which is already extremely broad at this time—will further expand exponentially.
Because the ruling could result in a drastic, overnight shift in the biometric privacy legal landscape, in the interim companies should work closely with experienced biometric privacy counsel to review and conduct a thorough audit of their current compliance practices to identity and remediate any gaps in advance of the Cothron decision and any resulting expansion in liability exposure. In particular, companies should assess their current compliance programs to ensure they encompass the following practices:
- Maintain a Public Privacy Policy: Maintain a publicly-available privacy policy which, at a minimum, establishes a retention schedule and guidelines for permanently destroying biometric data when the initial purpose for collecting or obtaining such data has been satisfied.
- Permanently Destroy Biometric Data in a Timely Manner: Maintain practices and protocols to ensure that biometric data is permanently destroyed within BIPA’s mandated timeframes. As a general rule of thumb, biometric data should be permanently destroyed when it is no longer needed for the initial purpose for which it was originally collected (even where compliance with BIPA is not required).
- Supply Pre-Collection Notice: Provide notice to all individuals prior to the time biometric data is collected which, at a minimum, informs the individual: (1) that biometric data is being collected/stored; (2) the specific purpose for collecting the individual’s biometric data; and (3) the period of time over which the company will use and store such biometric data before it is permanently destroyed.
- Obtain Pre-Collection Consent: Obtain consent from all individuals prior to the time biometric data is collected allowing the company to collect, use, and store their biometric data, as well as permitting the company to share/disclose such data with the company’s vendors and service providers.
- Maintain Security Measures to Safeguard Biometric Data: Store, transmit, and safeguard biometric data using reasonable security measures designed to prevent unauthorized access, disclosure, or acquisition of such data. Two security protocols that all companies should consider implementing whenever feasible are encryption and multi-factor authentication (“MFA”), both of which are extremely effective in safeguarding all types of sensitive personal information. At the same time, only those individuals with a business need for biometric data should be afforded access to such data.
- Strictly Prohibit Sales and Any Other Form of Profiting from Biometric Data: Strictly bar employees and vendors from selling or otherwise profiting from biometric data, which can be accomplished through the implementation and enforcement of an internal biometric data policy.
- Vendor Compliance: Ensure that all of the company’s vendors and service providers are also fully compliant with the mandates of Illinois’s biometric privacy statute.
[1] Cothron v. White Castle Sys., 20 F.4th 1156, 1162 (7th Cir. 2021).
About the author
David J. Oberly is an attorney in the Cincinnati office of Squire Patton Boggs LLP and a member of the firm’s global Data Privacy, Cybersecurity & Digital Assets practice. David’s practice focuses on counseling and advising clients on a wide range of biometric privacy, artificial intelligence, and data privacy/security compliance and risk management matters. He can be reached at david.oberly@squirepb.com.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.
Article Topics
biometric data | Biometric Information Privacy Act (BIPA) | biometrics | data protection | David Oberly | lawsuits | time and attendance
Comments