Since 2008, the Biometric Information Privacy Act (“BIPA”) has presented unique challenges to companies doing business in Illinois which collect biometric data, such as finger, face, hand, or retina scans, from employees or customers. Two recent opinions issued by the Illinois Supreme Court serve to underscore the potential for steep financial consequences from non-compliance with the statute.
In Tims v. Black Horse Carrier, the Illinois Supreme Court held that all claims asserted under BIPA are subject to a five (5) year statute of limitations, rejecting a lower court holding which limited certain BIPA violations to a one (1) year statute of limitations.
Only two weeks later, the Illinois Supreme Court handed down its decision in Cothron v. White Castle. There, White Castle argued its use of fingerprint scans to govern employee access to computers and payroll records could only trigger a BIPA violation at the time such biometric data was initially collected and saved without complying with the statutory consent requirements. The plaintiffs/employees, in contrast, argued that BIPA violations arose each and every time they submitted to a fingerprint scan in order to access their work computers or payroll data. The Illinois Supreme Court disagreed with White Castle, and held that every unauthorized scan or transmission of biometric data gave rise to separate violations of BIPA.
Read in concert, the Illinois Supreme Court’s recent pronouncements could expose a company regularly collecting or using biometric data in violation of BIPA to damage claims based on hundreds, or thousands of independent BIPA violations giving rise to statutory damages of $1,000 for each negligent violation or $5,000 for each intentional or reckless violation over a five year duration. In White Castle, the Illinois Supreme Court was not swayed by the employer’s apocalyptical warning that such an expansive interpretation would expose it to damage claims from its current or former employee pool of 9,500 persons in excess of $17 billion dollars. While the Illinois Supreme Court noted that BIPA vests a trial court with discretion in fixing a proper measure of damages, it made clear that any policy-based determinations concerning potentially excessive damage awards are to be addressed by the Illinois legislature and not the judiciary.
If your company gathers and uses biometric information, or is contemplating doing so, compliance with BIPA’s requirements is essential. The attorneys at Gozdecki, Del Giudice, Americus & Brocato LLP are available to help ensure your business is operating in compliance with BIPA.