Illinois Supreme Court Poised To Decide BIPA Claim Accrual Question
By Morgan A. Dilbeck and Mitchel D. Torrence
Today, most people are concerned about identity theft and wanting to ensure that their unique identifiers stay private. The Illinois legislature sought to address these concerns with the Biometric Information Privacy Act (“the Act”). 740 ILCS 14 et seq. The Act sets strict requirements for entities that capture a person’s biometric identifiers and information in Illinois. Although the statute was unanimously enacted in 2008, it has only recently become a popular source of complaints in Illinois, often pled as class actions. A central issue in one such case, Cothron v. White Castle Sys., 20 F.4th 1156 (7th Cir. 2021), is claim accrual, and the damages resulting from such accrual. Calling BIPA claim accrual “novel,” the Seventh Circuit stated it was “genuinely uncertain” about the issue, and that the Illinois Supreme Court could side with either Cothron or White Castle. Consequently, the Seventh Circuit certified the question on December 20, 2021. The Illinois Supreme Court accepted the certified question three days later.
1. White Castle’s Position: Single Accrual
Defendant-Appellant White Castle argues that existing case law and legislative intent make clear that the Act protects an individual’s power to say no to the collection of biometrics by preventing problems before they occur. As such, the Act’s intent is to safeguard biometric data by requiring valid notice and knowing consent. A BIPA injury is the loss of control over and secrecy in one’s biometrics without consent.
White Castle identifies three key legal principles which are determinative of when BIPA claims accrue: (1) where there is a single overt act from which subsequent damages may flow, a claim accrues on the date the defendant invaded the plaintiff’s interest and inflicted injury; (2) BIPA claims are, at bottom, claims for the loss of the right to control one’s biometric information, and once that control is lost, it cannot be recreated and any confidentiality right is lost as well; and (3) any invasion of the statutory rights conferred by the Act creates, in and of itself, a real and significant injury that is immediately actionable. White Castle concludes from these principles that claims accrue on the first loss of the right to control one’s biometric information, not continually.
White Castle also asserts that a single-accrual rule is consistent with the remedial nature of the Act. If BIPA claims accrued with each scan of biometric information, the damages would be catastrophic for business, which was not the intent of the legislature. This would turn the Act from a supplemental enforcement aid into a harshly punitive measure. BIPA Section 15(b) and 15(d) claims therefore accrue upon the first unauthorized scan or the first unauthorized disclosure or transmission of biometric information.
Several organizations filed amicus briefs in support of White Castle. These organizations represent the interests of Illinois businesses concerned about the Court interpreting the Act in a way that would expose them to exponential damages and threaten their existence. A “per-scan” theory of accrual or liability would lead to absurd results that could bankrupt many Illinois businesses. The Illinois Chamber of Commerce and Chamber of Commerce for the United States’ brief provided a specific numerical example:
Suppose an employee works 5 days a week for 48 weeks a year and clocks in and out of work via a fingerprint scanner once each day. Over just a single year, a “per-scan” accrual rule would imply 480 violations of Section 15(b), and a “per-disclosure” accrual rule would imply another 480 violations of Section 15(d). That would result in a statutory award of $960,000 to $4,800,000 in liquidated damages for one plaintiff in one year—before considering any awards for absent class members. Moreover, depending on the applicable statute of limitations . . . damages could extend for up to five years, producing a potential award of roughly $5 to $25 million for a single employee. If the employee similarly clocked in and out for lunch or other breaks, that amount could easily double or triple.
The amici further assert that the purpose of the Act is best served by a “first scan” theory because it encourages claimants to act quickly to seek redress and enjoin violations which serves the Act’s aims to head off the risks posed by the use of biometric data before they occur. They also argue that a per scan theory which results in “staggeringly high and uncapped liquidated damages exposure for a BIPA defendant, even absent harm,” raises due process concerns, and runs afoul of U.S. Supreme Court precedent against unlimited punitive damages.
2. Cothron’s Position: Per Scan Accrual
Cothron primarily argues that a claim accrues under the Act at each and every collection or dissemination of biometric information and that the appellate court found as much in Watson v. Legacy Healthcare Fin. Servs., LLC. The plain text of Sections 15(b) and (c) necessitate accrual upon each collection or dissemination; in support thereof, the Watson court found that the term “first” within Section 15(b) modifies the words “informs” and “receives,” not “collect” or “capture”. The Act’s requirements accordingly apply to each and every collection or capture of biometric information. Further, although Section 15(d) lacks the term “first,” the use of the term “unless” achieves the same effect of “prohibiting an entity from disclosing an individual’s biometrics until it obtained consent … which, logically, must occur before disclosure.” Accordingly, an entity like White Castle may not disclose or redisclose biometric data until it has secured consent.
Cothron argues that White Castle’s accrual theory is contrary to the Act’s text and the Illinois Supreme Court’s holding in Rosenbach v. Six Flags Entm’t Corp. and that its “loss of control theory” should accordingly be rejected. Cothron distinguishes Section 15(d) violations from publication-based privacy statutes because the heart of the Act is the securing of informed consent as opposed to defamation and related torts which are about damage done to a person’s reputation by information publicized to the public. As noted, the Act does not provide “redress for harms that occur as a result of individual’s biometrics being actually compromised.” Cothron notes there is no risk of endless tolling of the statute of limitations, which would necessitate White Castle’s proposed “one and done” rule, because a defendant’s compliance with the Act’s consent requirements are within defendant’s control. Cothron also argues that White Castle and its amici’s arguments regarding future damages awards and other “practicalities” are insufficient to invalidate the statutory text and that White Castle should not be free from its obligations under the Act because of “unsubstantiated” threats of “annihilative liability.”
Several organizations filed amicus briefs in support of Cothron. The common theme was that the continuing violation doctrine should be applicable to BIPA claim because BIPA violations are comprised of “continuing unlawful acts and conduct” and therefore the statute of limitations “begins on ‘the date of the last injury suffered or when the tortious acts cease.” Each time White Castle took Cothron’s fingerprints constituted a new BIPA violation, because the Act distinguishes between “collection” and “storage”, and these constitute an ongoing failure to “perform its duties under BIPA.”
The amici also argue that the constitutional issue regarding damages is not before the Illinois Supreme Court, and that the Act’s damages are not constitutionally vulnerable because they are statutory, not punitive. These damages do not run afoul of St. Louis, I.M. & S. Rc. Co v. Williams and do not exceed Illinois Due Process Limits. BIPA’s damages are statutory in nature because they “enable a plaintiff to recover when ‘it might otherwise be difficult or impossible to prove the existence or amount of plaintiff’s actual damages [,]” in contrast to punitive damages which are awarded against defendants to “punish [them] for [their] outrageous conduct and deter [them] and others like [them] from similar conduct in the future.” The Act’s damages are not wholly disproportioned to the offense because the “harm of a loss of privacy is ‘real and significant’ which can be connected to both economic and ‘dignitary harm.’” The Act does not run afoul of Illinois Due Process concerns because the Act’s damages clear the “low bar” of not being “in contravention of the express intent of the legislature” and are “rationally related to a legitimate goal.”
Finally, the amici argue that the purpose of the Act is to give individuals the right to control their biometric data and give them an opportunity to “say no.” An individual’s right to control their own biometric data does not cease to exist the first time a company collects or discloses biometric data without consent. If a cause of action accrued only at the first collection or disclosure of biometric data, companies that systemically violate the Act would avoid liability if the first offense occurred outside the statute of limitations.
3. Oral Argument Before the Illinois Supreme Court
At argument, White Castle stressed prior cases provide guidance that accrual occurs when the privacy right is first invaded because that is when the loss of control occurs. White Castle noted that it has continuing duties to Cothron and that any disclosure to other parties or any different collection not subject to prior consent would result in a new claim accruing. White Castle also reiterated its textual argument that accrual should focus on loss of control. Finally, White Castle stressed that the issue of damages is necessarily intertwined with the issue of accrual and encouraged the Court to weigh the consequences of holding that accrual occurs at each collection. On rebuttal, White Castle argued that while Plaintiffs disclaimed the idea of per-scan damages, the only safeguard against future plaintiffs seeking the same are Due Process concerns and the possibility that lower courts may not find such large awards appropriate. As such, Cothron seeks to both continually toll any statute of limitations by accruing new claims and avoiding concerns regarding the logical outcome of such a theory.
Cothron conversely stressed the plain text of the statute makes clear that the term “first” modifies a defendant’s duties to inform and receive consent as opposed to applying only to the first instance of collection and/or dissemination. Cothron cited Rosenbach’s holding that a plaintiff is injured at each collection without consent. Cothron also argued that a single accrual theory only works if a plaintiff loses all their rights at the first collection/dissemination, which is not the case under the statute, and that loss of control is not the nature of the injury. Rather, it is the taking of biometrics in conjunction with the failure to obtain informed consent, which is true even if the purpose of the statute is to prevent the risks associated with the disclosure of biometrics that do not dissipate after the first collection. Cothron claimed that White Castle’s view would obviate the need of potential defendants to course correct and would avoid consequences for existing issues, regardless of their continuing duties. Cothron further maintained that damages are separate from the issue of disclosure but conceded that the Court may spell out how damages should be determined. Cothron noted that they are not seeking per-scan damages and are unaware of any plaintiffs who have done so. However, Cothron conceded that anyone could seek such damages and argued that Due Process concerns would provide the necessary safeguards against such risks.
Learning Points: It remains to be seen how the Illinois Supreme Court will decide the accrual issue. The implications of a per-scan theory of accrual are potentially devastating to the business community. Such a theory could cost collectors of biometric information millions of dollars while encouraging employees to delay redress in an effort to pursue greater damages. While to date plaintiffs have not sought such damages, it is possible that the only safeguard against such damages would be Due Process concerns. The opposite is true for a plaintiff under a theory of first loss of control; namely, plaintiffs would likely be able to recover less in damages and be encouraged to act more quickly to seek redress.