Analyzing the impact of the BIPA claim accrual decision
By David J. Oberly, Biometric Privacy & Data Privacy Attorney
On February 17, 2023, the Illinois Supreme Court definitively resolved the issue of claim accrual in Illinois Biometric Information Privacy Act (“BIPA”) class action litigation with its decision in Cothron v. White Castle Sys., Inc., 2023 IL 128004, allowing plaintiffs to recover statutory damages for each instance of BIPA non-compliance, as opposed to only the first violation.
Cothron is a watershed moment in BIPA litigation and one that will have a long-lasting impact in this space for years to come. Notably, the decision paves the way for truly astronomical damages in BIPA class actions, immediately spikes the value of BIPA claims exponentially, and will also likely lead to a further significant increase in the volume of class actions filed for mere technical violations of Illinois’s biometrics law.
Shortly after commencing her employment with White Castle in 2004, Plaintiff Linda Cothron began using a system that required her and other employees to scan their fingerprints to access their pay stubs and computers. A third-party vendor then verified each scan and authorized the employee’s access. However, the plaintiff’s employer allegedly failed to obtain consent to collect her fingerprint biometric data until 2018, more than a decade after BIPA took effect.
The plaintiff sued White Castle, alleging that her employer unlawfully collected and disclosed her biometric data in violation of BIPA Sections 15(b) and 15(d) for a number of years. White Castle moved for judgment on the pleadings, arguing that the action was barred by the statute of limitations because the plaintiff’s claim accrued in 2008, when White Castle first obtained her biometric data after BIPA’s effective date.
The district court denied the motion, finding that a new claim accrued each time the plaintiff scanned her fingerprints and White Castle sent her biometric data to its third-party authenticator, rendering her action timely. On intermediate interlocutory appeal, the Seventh Circuit Court of Appeals found the parties’ competing interpretations of claim accrual reasonable under Illinois law, prompting the Seventh Circuit to certify the question to the Illinois Supreme Court.
The Cothron decision
The Cothron Court was tasked with answering the following certified question: Do Section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric data and each time a private entity transmits that scan to a third party, or only upon the first scan and first transmission?
The Court answered that question in the affirmative, holding that a separate claim accrues under BIPA each time an individual’s biometric data is scanned or transmitted in violation of Sections 15(b) or 15(d).
The Court reasoned that “[a] party violates Section 15(b) when it collects, captures, or otherwise obtains a person’s biometric information without prior informed consent. This is true the first time an entity scans a fingerprint or otherwise collects biometric information, but it is no less true with each subsequent scan or collection.” Similarly, the Court reasoned that the meanings of “disclose” and “otherwise disseminate” — both contained in the statutory language of Section 15(d) — were broad enough to encompass repeated transmissions to the same party.
The Court found significant support for its holding in its prior 2019 opinion in Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, which recognized that BIPA operates to codify an individual’s right to privacy in and control over his or her biometric data. Importantly, the Rosenbach Court held that a person is “aggrieved,” or injured, under BIPA “when a private entity fails to comply with one of section 15’s requirements.” Moreover, in Rosenbach the Court also held that “[w]hen a private entity fails to comply with one of [S]ection 15’s requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the [violation].” At bottom, the Court concluded, Rosenbach recognizes that the statutory violation itself is the “injury” for purposes of a claim under BIPA, making application of the continuing violation theory of claim accrual to BIPA claims appropriate in the dispute involving White Castle.
The Court also directly addressed White Castle’s argument cautioning against adopting the continuing violation theory, as doing so would allow for multiple or repeated accruals of claims by one individual. In turn, this could potentially result in punitive and “astronomical” damages awards that would constitute “annihilative liability” not contemplated by the legislature and which was also possibly unconstitutional. As an example, White Castle estimated that under the continuing violation theory, the class of approximately 9,500 employees could potentially result in class-wide damages exceeding $17 billion.
The Court gave short shrift to this argument, finding it was bound to adhere to the statutory language of BIPA’s text, “even though the consequences may be harsh, unjust, absurd, or unwise.” In so doing, the Court highlighted the fact that it had repeatedly found no issue with the potential for significant damages awards under BIPA, which aligned with the legislature’s intent to subject private entities that fail to follow the statute’s requirements to substantial potential liability.
Moreover, any policy-based concerns about potentially excessive damage awards under BIPA were — in the Court’s view — best addressed by the legislature. As such, the Court called on the Illinois General Assembly to review these policy concerns and make clear the legislature’s intent regarding the assessment of damages under Illinois’s biometrics statute.
Analysis and takeaways
There are several immediate, significant takeaways from the Cothron opinion.
The first pertains to the controlling role played by BIPA’s legislative intent in determining the outcome of this weighty dispute. Just weeks before the Cothron decision, the Illinois Supreme Court issued its opinion in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, holding that all claims asserted under BIPA are subject to a five-year statute of limitations period — and allowing for plaintiffs to fashion the largest putative class sizes in BIPA class actions permitted under Illinois law.
In very similar fashion to Tims, the Cothron Court relied heavily on the Illinois General Assembly’s legislative intent to carry the day in deciding yet another monumental issue in BIPA class action litigation.
In Illinois, the cardinal rule of statutory construction is to ascertain and give effect to the intention of the legislature, with the best indicator of legislative intent coming from the statutory language itself, given its plain and ordinary meaning. In Cothron, the Court gave significant weight to the legislature’s intent in enacting BIPA — which was to codify an individual’s right to privacy in and control over his or her biometric data — and used this as the primary basis for its application of the continuing violation theory of claim accrual to BIPA causes of action. Similarly, the legislature’s intent in subjecting private entities that fail to follow the statute’s requirements to substantial potential liability served not only as support for the Court’s underlying holding, but also to refute White Castle’s contention that rejection of the “one and done” theory could impose unfair and crippling damages awards on private entities that fail to comply with the law.
Litigants and their counsel should take note of the weight given by the Court to BIPA’s legislative intent — and the role that it played in determining the outcome of both Tims and Cothron — as this issue will likely be a reoccurring one seen frequently in BIPA disputes moving forward.
Second, Cothron illustrates how courts routinely tend to favor plaintiff-friendly, expansive interpretations of BIPA, often reasoning that these interpretations align with the stated intent of the Illinois legislature in enacting its biometric privacy law. More than that, plaintiff’s attorneys will almost certainly leverage the Illinois Supreme Court’s reliance on legislative intent in both Tims and Cothron in future attempts to advocate for the application of a more expansive interpretation of other key aspects of BIPA’s statutory text. This argument has been a difficult hurdle for defendants to overcome in BIPA class actions to date, and will only become a more daunting challenge after Tims and Cothron — making strict compliance with the law even more critical.
Overall impact on BIPA class action landscape
In terms of its overall impact on BIPA litigation and the greater biometric privacy legal landscape as a whole, Cothron may ultimately have an even more monumental impact on the trajectory of class actions in this space vis-à-vis the Court’s seminal BIPA decision in Rosenbach, as Cothron completely changes the game for BIPA litigation from this point forward in several notable respects.
First, Cothron’s holding that every discrete failure to comply with BIPA amounts to a separate, independent violation of the statute immediately spikes the value of BIPA claims exponentially, with companies that once faced millions of dollars in liability exposure now finding themselves potentially subject to 10-figure damages awards under BIPA’s continuing violation theory of claim accrual.
Second, plaintiff’s counsel will undoubtedly use the continuing violation theory of claim accrual as support for significantly inflated settlement demand figures. After Cothron, non-compliance over an extended period of time may cause plaintiff’s attorneys to view BIPA class actions as garnering nine-figure demands, even for classes of less than one thousand members.
Third, Cothron will likely fuel a significant increase in the already high volume of BIPA claims filed for mere technical alleged violations of the law, as the prospect of exponentially-higher damage awards will no doubt further incentivize plaintiff’s attorneys — who already possessed sky-high motivation to pursue BIPA claims due to the low bar for establishing liability — to take advantage of every opportunity that arises to file suit for purported BIPA missteps, even where the merits of such claims are tenuous at best.
Ultimately, the one-two punch provided by the Illinois Supreme Court in Cothron and Tims substantially increases the already-outsized legal risks and liability exposure created by BIPA for companies that leverage the benefits of biometrics in their day-to-day operations. At the same time, Cothron and Tims also provide plaintiffs with robust arguments to support their aggressive attempts to further expand the contours of Illinois’s biometrics statute in future BIPA disputes.
What to do now
In the wake of Cothron and Tims, companies must refocus their compliance efforts in order to mitigate applicable litigation risks. To guard against the prospect of having to defend against bet-the-company BIPA class action claims — now accompanied by potentially astronomical and catastrophic damages — it is imperative that companies work closely with experienced biometric privacy compliance counsel to review their compliance programs and remediate any gaps to achieve strict compliance with the law, as doing so now can significantly reduce the likelihood of being hit with BIPA class claims in the future — claims that will be orders of magnitude costlier following Cothron, and which will only continue to trend further upwards.
About the Author
David J. Oberly is an attorney in the Cincinnati office of Squire Patton Boggs LLP and a member of the firm’s global Data Privacy, Cybersecurity & Digital Assets practice. David’s practice focuses on counseling and advising clients on a wide range of biometric privacy, artificial intelligence, and data privacy/security compliance and risk management matters. He can be reached at email@example.com. You can also follow David on Twitter at @DavidJOberly.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.