Illinois Supreme Court Rules BIPA Violations Occur With Each Scan, Swipe, or Transmission
On February 17th, 2023, the Illinois Supreme Court issued the opinion in Cothron v White Castle Systems, ruling that the Illinois Biometric Information Privacy Act (BIPA) defines violations as each time a private entity scans or transmits data that violates BIPA.
The Illinois Biometric Information Privacy Act
BIPA, passed in 2008, is an Illinois law requiring biometric data be collected only after written notice regarding the collection and use of the data, and written approval from the user. Biometric data includes fingerprints, retina scans, facial recognition, and other data used to identify a specific person. Examples of biometric data use include the data recorded by a time keeping system that uses fingerprints to identity which hourly worker is punching in or out.
BIPA assesses penalties for misuse of biometric data, or collection without proper consent. The Illinois Supreme Court offered its opinion on section 15(b) and section 15(d) regarding penalties and how often they accrue.
How Often Do BIPA Violations Accrue?
From the IL Supreme Court opinion analysis: “The certified question asks: “Do section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?”
The relevant portions of Section 15(b):
No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first:
- informs the subject or the subject’s legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
- informs the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
- receives a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative.”
The relevant portions of Section 15(d):
No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless: The subject of the biometric identifier or biometric information or the subject’s legally authorized representative consents to the disclosure or re-disclosure.
The Illinois Supreme Court concludes:
“To resolve the parties’ dispute and answer the certified question, we focus on the language of the Act itself. … The best indicator of legislative intent is the statutory language itself, given its plain and ordinary meaning. … Only if the statutory language is ambiguous may we look to other sources to ascertain the legislature’s intent.
We agree with the federal district court that “[a] party violates Section 15(b) when it collects, captures, or otherwise obtains a person’s biometric information without prior informed consent. This is true the first time an entity scans a fingerprint or otherwise collects biometric information, but it is no less true with each subsequent scan or collection.” Cothron, 477 F. Supp. 3d at 732.
As with section 15(b), we conclude that the plain language of section 15(d) applies to every transmission to a third party. “
Illinois BIPA Damages
With the clarity from the Illinois Supreme Court that BIPA violations occur each time biometric information is collected without consent or approval, the BIPA damages of $1000 ($5000 if “willful”) occur with each act. If an employee is scanned daily at work without prior consent or notification, that would be one violation per day for every day they worked. If a worker has biometric information collected multiple times a day, that is multiple BIPA violations per shift.
The state of limitations, according to the Illinois Supreme Court, is five years.
If you have a BIPA violation to report, our consumer protection attorneys at Schneider Wallace Cottrell Konecky LLP investigate BIPA violations along with other employment and consumer matters. Schneider Wallace can offer a free legal consultation. Please reach out to our team at 1-800-689-0024 or firstname.lastname@example.org.