In the aftermath of two recent appellate court decisions addressing when claims under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.) accrue, it appears likely that the Illinois Supreme Court will need to provide clarity on this critical question. First, the Appellate Court of Illinois, First District, found in Watson v. Legacy Healthcare Financial Services, LLC, et al. that claims under sections 15(a) and (b) of the Act accrue with each and every capture and use of a plaintiff’s biometric identifier or information. Second, in Cothron v. White Castle System, Inc. the Seventh Circuit Court of Appeals declined to directly address the issue of when a claim under BIPA accrues, and instead has certified the question for review by the Illinois Supreme Court. While the holding in Watson provides some clarity as to when certain BIPA claims accrue, it leaves open critical questions regarding how to calculate: (i) the number of BIPA violations; and (ii) monetary damages under the Act.
The Watson v. Legacy Healthcare Financial Services, LLC, et al. Decision
Plaintiff Brandon Watson sued Legacy Healthcare Financial Services, LLC, Lincoln Park Skilled Nursing Facility, LLC, and South Loop Skilled Nursing Facility, LLC (collectively, the “Defendants”) in March 2019, alleging that the Defendants violated BIPA by scanning the fingers or hands of their respective employees, including plaintiff, for timekeeping purposes. Plaintiff alleged that the scanning violated sections 15(a) and (b) of the Act, which place both restrictions and affirmative obligations on private entities related to biometric identifiers (such as fingerprints, voiceprints, retinal scans and facial geometry) and biometric information (e.g., information based on biometric identifiers to the extent used to identify an individual):
- Private entities in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for destroying the information. 740 ILCS 14/15(a).
- Private entities which collect, capture, purchase, receive or otherwise obtain biometrics must first inform the subject of that fact in writing, as well as the specific purpose and length of time for which the information will be retained, and must obtain a written release executed by the subject. 740 ILCS 14/15(b).
Plaintiff alleged that he began working for at least one of the Defendants in December 2012. Because the Act contains no provision as to when claims accrue or the applicable limitations period, Defendants moved to dismiss, arguing that Plaintiff’s claims accrued on the first day the Defendants allegedly collected his biometric information and Plaintiff’s claims were thus time-barred. In response, Plaintiff argued that his suit was not time-barred because his claims accrued with each alleged capture of his biometric information that Defendants obtained without providing notice and obtaining consent. The trial court granted the Defendants’ motion to dismiss, finding that Plaintiff’s claims accrued with the initial scan of his finger or hand in December 2012. Thereafter, the trial court granted Plaintiff’s Rule 304(a) motion for an interlocutory appeal.
The Appellate Court reversed and remanded, finding that a claim under the Act accrues after “each and every capture and use of plaintiff’s fingerprint or hand scan.” In reaching this result the Appellate Court analyzed the plain language of the Act and the legislative history of the Act, and accepted as true that the Defendants captured Plaintiff’s biometric information twice per day when he clocked in and out of work.
The Cothron v. White Castle System, Inc. Decision
Plaintiff Latrina Cothron sued White Castle System, Inc. (“White Castle”) alleging that White Castle violated BIPA when it required plaintiff to scan her finger in order to access work computers. Moreover, plaintiff alleged that White Castle disclosed the scans of her fingers to its third-party vendor as part of process to authenticate the finger scan and ultimately grant access to the work computers. Based on these allegations, plaintiff asserted claims under sections 15(b) and (d) of the Act. In addition to the obligations of section 15(b), outlined above, section 15(d) prohibits a private entity from disclosing, redisclosing or otherwise disseminating biometric information without consent. 740 ILCS 14/15(d).
White Castle moved for judgment on the pleadings, arguing that the suit was untimely since plaintiff’s claims accrued in 2008 when BIPA was enacted. The trial court denied White Castle’s motion, but certified its order for immediate appeal to the Seventh Circuit. In turn, the Seventh Circuit examined the arguments of both parties and ultimately concluded that the question of when a claim accrues under BIPA is a novel question which has not yet been addressed by the Illinois Supreme Court. As a result, the Seventh Circuit stayed proceedings in the Cothron matter and certified the question of when claims accrue under BIPA to the Illinois Supreme Court.
The Rulings’ Impact on Your Business
It is likely that it will take a ruling from the Illinois Supreme Court to provide further clarity on when claims under the Act accrue. In the interim, the Watson decision will obviously impact early BIPA case evaluations. It also, however, raises at least two unrelated issues that will likely be the subject of debate and litigation going forward.
First, Watson was based on the allegations in the complaint, without the benefit of discovery and additional information regarding the operation of the finger/hand scanning device(s) utilized by the Defendants. Key to the decision is the Watson court’s conclusion that every use of the scanning device(s) results in the capture of Plaintiff’s biometric information, and the Court’s description of that capture as resulting in a permanent record. While that statement is likely based on allegations made in the complaint, it is possible, or even probable, that it is not factually accurate. Although variations exist, the scanning technology used in many biometric timekeeping devices creates only a single permanent record — from the very first scan of the individual’s finger or hand. Commonly, the later scans do not collect or store information, but only exist fleetingly as comparisons of the permanent, initial scan data. As a result, the applicability of the Watson decision may vary based on the actual operation of the scanning devices at issue in any single case.
Second, in response to Defendants’ concerns about the “ruinous” monetary damage awards that may result from the ruling in Watson, the Appellate Court went out of its way to note “that damages are discretionary[,] not mandatory” under BIPA. In so holding, the Appellate Court found that Section 20 of BIPA provides a list of possible damages, but notes that list constitutes what a “prevailing party may recover.” 740 ILCS 14/20 (emphasis added). The Appellate Court’s decision to highlight the discretionary nature of an award of monetary damages under BIPA stands in stark contrast to the position often taken by the plaintiffs’ bar. Indeed, the plaintiffs’ bar consistently asserts that the right to recover liquidated damages under BIPA is absolute given the Illinois Supreme Court’s 2019 decision in Rosenbach v. Six Flags Entm’t Corp. However, the Rosenbach decision merely found that once a plaintiff meets the basic statutory requirement of being “aggrieved,” he or she is merely “entitled to seek recovery” under Section 20. The Watson Court’s emphasis that monetary damages are discretionary under BIPA is likely to open new lines of discovery and argument regarding the calculation of damages, if any, sustained by a particular BIPA plaintiff and whether or not those damages justify the imposition of discretionary liquidated damages set forth in the Act.
Ultimately, every business should perform a critical analysis as to any business practice that potentially concerns biometrics (including employee timekeeping, identification procedures or security protocols). The failure to fully comply with BIPA, even when such a failure results in no actual injury to an individual, may lead to significant liability. Vedder Price attorneys are at the forefront in defending BIPA claims and counseling clients on BIPA-related policy and disclosure language.
