Illinois Supreme Court Holds That BIPA Claims Accrue with Each Scan

by Mitchel D. Torrence

Today the Illinois Supreme Court, in a 4-3 opinion, held that claims under the Biometric Information Privacy Act (“BIPA”) accrue “each time a private entity scans or transmits” biometric information in violation of Sections 15(b) or 15(d).  Cothron v. White Castle System, Inc., Docket No. 128004, Feb. 17, 2003.  The case came to the Illinois Supreme Court on a certified question by the United States Court of Appeals for the Seventh Circuit in Cothron v. White Castle System, Inc., 20 F.4th 1156, 1167 (7th Cir. 2021). 

In reaching this decision, the Court stated that the plain language of Sections 15(b) and 15(d) of BIPA supports the conclusion that each scan of biometric identifier constitutes the accrual of a claim. As to Section 15(b), the majority found that the collection or capturing of a party’s biometric information does not happen only once but each time a scan is taken; in doing so it agreed with the federal district court’s findings in Cothron v. White Castle System, Inc., 477 F. Supp. 3d 723 (N.D. Ill. 2020), and the Illinois appellate court’s opinion in Watson v. Legacy Healthcare Financial Services, LLC, 2021 IL App (1st) 210279. Similarly, the majority found that the plain language of the statute supports the conclusion that an entity violates Section 15(d) each time it “disclose[s], redisclose[s], or otherwise disseminate[s]” biometric information without first obtaining informed consent. In reaching this conclusion, the Court again agreed with the Northern District’s finding that an entity violates its obligations under Section 15(d) “the moment that, absent consent, it discloses or otherwise disseminates a person’s biometric information to a third party.”

Beyond the plain language of the statute, the Court specifically rejected White Castle’s non-textual arguments in favor of a single-accrual theory. The Court relied on its prior decisions in Rosenbach, West Bend Mutual Insurance Co., and McDonald in determining that there is no language within BIPA which would limit a claim to the first instance a private entity scans or transmits a party’s biometric information. Further, the Court rejected White Castle and amici’s arguments regarding the potential disastrous financial impact of holding that a claim accrues upon each scan or transmission of biometric information, ultimately finding that these concerns are best addressed by the legislature.

The dissent, written by Justice Overstreet and joined by Chief Justice Thies, argued that the plain language of the statute supports a single-accrual theory, and that a plaintiff’s injury under Sections 15(b) and (d) occurs when their biometrics are first obtained and disclosed without their consent and that there is no continuing harm. Further, the dissent acknowledged the potential for massive damages and argued that the legislature did not intend “to impose cumbersome requirements or punitive, crippling liability on corporations for multiple authentication scans of the same biometric identifier. The legislature’s intent was to ensure the safe use of biometric information, not to discourage its use altogether.”

We will continue to report on the impact of this important decision.