BIPA’s Per-Scan Damages May Create “Annihilative Liability”

By: Tyler G. Newby, Garner Kropp, Zachary Kalinowski

The Illinois Supreme Court recently clarified when a Biometric Information Privacy Act (BIPA) claim accrues: each time, and not just the first time, a person’s biometric information is collected without consent. BIPA requires a business to obtain written consent before it may “collect, capture, purchase, receive through trade, or otherwise obtain” a person’s biometric information, and a violation of BIPA triggers $1,000 in damages, or $5,000 if the violation is willful. Under the Illinois Supreme Court’s interpretation in Cothron v. White Castle Sys., Inc., a business that collects biometric information, such as through a fingerprint reader time clock for employees, faces liability of up to $5,000 each time it collects a fingerprint scan from each employee without consent.

That is exactly the scenario the Illinois Supreme Court confronted in Cothron. The court held that “a claim accrues under [BIPA] with every scan or transmission of biometric identifiers or biometric information.” Unmoved by the argument that this interpretation could subject companies to “annihilative liability,” the Court reiterated the legislature’s intent to give private entities “the strongest possible incentive to conform to the law and prevent problems before they occur.” But the Court left the door ajar for defendants to escape crushing liability. It acknowledged that, while one claim accrues with each non-consensual collection of biometric information, this does not necessarily mean each claim is worth $1,000 or $5,000. Instead, courts have the discretion to award damages that fully compensate class members without destroying the defendant.

This holding may be challenged. The Illinois Supreme Court noted White Castle’s argument that these ruinous damages could be unconstitutional, but gave the point no further discussion. While skirting the constitutional question, the dissent would have found that potentially imposing damages of $17 billion for White Castle’s fingerprint system is an “absurd result,” and part of the Court’s mandate when interpreting statutes is to avoid such a result. This may provide an avenue for a challenge arguing that such crushing liability amounts to grossly excessive damages in violation of the Due Process Clause. While Illinois may have clarified BIPA for the moment, court-watchers and businesses in Illinois will keep an eye on White Castle’s next steps.

Steps to Reduce the Risk of Massive Damages Under BIPA

Regardless of the ultimate outcome in this particular case, Cothron serves as a reminder that businesses that collect biometric information must proceed with care. In addition to facing liability for biometric time clocks, businesses have been sued for BIPA violations over virtual try-on technology, identity verification based on facial recognition, and face tagging in social media. Businesses can take the following steps to help reduce their exposure:

  1. Conduct a Data Inventory. To reduce the risk of a biometrics lawsuit, businesses need to know what personal data they are collecting and how they are collecting it. When conducting a data inventory, businesses should determine whether they are collecting or using biometric information, such as fingerprints, retina scans, facial geometry scans and voice prints. Companies should eliminate unnecessary collection of biometric information or consider alternatives.
  2. Provide Notice. Prior to collecting biometric information, ensure that written notice is given to individuals. The notice should include (i) a disclosure that biometric information is being collected; (ii) the purpose for which biometric information is being collected; (iii) where applicable, language that states biometric information will be shared with service providers or other third parties; and (iv) a biometric information retention schedule and guidelines for permanently destroying such information. Companies should also make this policy publicly available, such as in a privacy policy or a biometric information policy.
  3. Get Written Consent. Obtain written consent before collecting biometric information. If collecting an electronic signature, ensure that the consent process satisfies state law requirements on contract formation.
  4. Develop Data Handling Procedures and Minimum Security Standards. Develop biometric information handling and security guidelines that align with BIPA’s requirements and industry best practices across the data life cycle: notice/consent, collection, access, use, sharing, storage, retention and destruction.
  5. Set a Retention Schedule. Automate the secure deletion of biometric information once there is no longer a business need for it, and no later than three years after the individual’s last interaction with the business.