Two momentous decisions regarding the Illinois Biometric Information Privacy Act (BIPA) recently came down from the Illinois Supreme Court. First, the Court recently ruled in Cothron v. White Castle System Inc. that a BIPA violation occurs with every scan or transmission of biometric data, i.e. a new violation accrues every time an employee uses a biometric time clock, potentially several times per work shift. Many BIPA cases have previously been resolved on the premise that an individual could only accrue one BIPA violation and the damages would be limited to the first time a biometric marker is collected in violation of the statute. Going forward, however, the law of the land has changed and the potential damages are exponentially higher.
BIPA provides statutory damages of $1,000 per violation for negligent violations of the Act and $5,000 for willful or reckless violations. This remains true even if no biometric data was lost, sold, or compromised. The mere violation of BIPA is sufficient for liability. After Cothran, an employee who uses a biometric-based time clock twice per shift (once to clock in and out, not including unpaid breaks) and works all 260 weekdays per year, would rack up $520,000 in damages for negligent violations, plus attorneys’ fees. If the employee clocks out and back in again for lunch each shift, the damages double to $1,040,000 based on the additional use of the biometric time clock. The employer’s liability further expands if a class of employees bring a BIPA lawsuit.
The Court explicitly placed the ball back in the Illinois General Assembly’s court to clarify the legislature’s intentions under the Act if the Court’s interpretation of the legislature’s intent is incorrect. Although several attempts have been made over the years, the state legislature has not successfully enacted any amendments to BIPA, first enacted in 2008, to reduce the draconian statutory penalties. Businesses with an Illinois presence hope that changes, and soon.
In short, the Court’s ruling in Cothron has drastically increased employers’ potential exposure by many multiples and will be fertile ground for litigation. This is especially true when coupled with the Illinois Supreme Court’s confirmation that BIPA claims may be brought up to five years after an alleged violation in Tims v. Black Horse Carriers, Inc. In Tims, the Illinois Supreme Court addressed the statute of limitations (i.e. the time limit to bring a legal claim) for a BIPA claim and declared that a claim may be filed within five years of the alleged violation. Parties to BIPA litigation have questioned the applicable statute of limitations since the law’s enactment in 2008. The Tims holding overturns a lower court ruling that applied varying statutes of limitation to different sections of BIPA – including limitations as short as one year for violations of privacy rights but applying a longer, five-year period for claims under other provisions of the statute.
The Court held “that applying two different limitations periods or time-bar standards to different subsections of section 15 of the Act would create an unclear, inconvenient, inconsistent, and potentially unworkable regime as it pertains to the administration of justice for claims under the Act.” The five-year statute of limitations is Illinois’ “catch-all” limitations period and many claims in the state are subject to shorter limitations periods, including one year for violations of privacy rights and two years for injury claims. BIPA Defendants have argued that these shorter periods applied to foreclose claims and limit damages that already appear punitive.
These decisions continue to bring clarity regarding the requirements and limitations of BIPA, but the trend has been unfavorable to employers leveraging biometric technologies. Please refer to our recent BIPA publication for discussion of the first ever jury trial in a BIPA lawsuit and third-party liability under BIPA.
BIPA and the case law interpreting it continues to favor employees and creates significant exposure for employers even in the context of negligent non-compliance. This exposure exists even when no biometric data is lost or compromised and the plaintiffs are unable to show actual injury. Given the evolving application of BIPA, pressure on the Illinois General Assembly will increase to make the potential damages proportional to violations. Businesses of all sizes argue that the application of BIPA remains “inconvenient” and “unworkable” for those employers working to comply with BIPA while leveraging a growing array of technologies that utilize biometric data for accurate time-keeping and security.
The full opinion in Tims v. Black Horse Carriers, Inc. may be found here and Cothron v. White Castle System Inc. may be found here.
 Including state and federal courts nationwide who are interpreting BIPA in various jurisdictions.
 This is the section providing for a private right of action and outlining damages.