Illinois Supreme Court: Each Biometric Scan of Employees Is a Separate Violation

Author: Emily Scace, XpertHR Legal Editor

February 24, 2023

The Illinois Supreme Court has held that employers commit a separate violation of the state's Biometric Information Privacy Act (BIPA) each time they scan an employee's biometric information without the required notice or consent. The decision has the potential to make BIPA missteps much more costly for employers.

Enacted in 2008, the BIPA requires Illinois employers that collect or maintain "biometric identifiers" such as fingerprints, iris scans or face scans to inform the affected individuals that:

  • Their information is being stored;
  • The purpose of the collection or use of the information, and
  • The length of time for which it will be stored.

The Illinois BIPA is the only state law of its kind in the US, though other states have considered similar measures. Individuals harmed by BIPA violations may be entitled to $1,000 per negligent violation, $5,000 per intentional or reckless violation, or actual damages, whichever is greater, in addition to attorney fees and other relief.

In the recent case, Cothron v. White Castle System, Inc., the plaintiff, a manager of a White Castle restaurant, brought a class action suit against White Castle, claiming the fast-food chain implemented a system that required employees to scan their fingerprints to access pay stubs and computers but did not seek consent until 2018, more than a decade after the BIPA took effect.

While White Castle attempted to have the case dismissed on the grounds that it was untimely, as the cause of action occurred in 2008, the plaintiff countered that each scan of her biometric data constituted a separate claim, bringing the alleged violations within the statute of limitations. The 7th Circuit Court of Appeals certified the question of which reading of the BIPA was correct to the Illinois Supreme Court, which sided with the plaintiff's interpretation.

Because the BIPA allows monetary damages for each violation, the court's ruling opens the door to costly consequences for employers that run afoul of its requirements. In the Cothron case itself, class-wide liability could ultimately exceed $17 billion if the plaintiff prevails and is allowed to bring claims on behalf of 9,500 current and former White Castle employees.

In addition to the increased monetary liability, the ruling also means that employers are exposed to BIPA claims for the duration of the time they collect biometric data, plus the five-year statute of limitations.