Introduction

The case Cothron v. White Castle System, Inc., adjudicated by the Supreme Court of Illinois on February 17, 2023, marks a significant development in the interpretation and application of the Biometric Information Privacy Act (BIPA). This case revolves around the allegations that White Castle System, Inc., an employer, violated BIPA by repeatedly collecting and disclosing employee biometric data without obtaining proper consent. Latrina Cothron, the plaintiff, filed a class action representing current and former employees, challenging White Castle's biometric data practices.

The central issues in this case pertain to the accrual of claims under BIPA's sections 15(b) and 15(d). Specifically, the court was tasked with determining whether a separate claim arises each time an employer collects or transmits an employee's biometric data without consent, or if a single claim suffices for the first instance of such violations.

Summary of the Judgment

The Supreme Court of Illinois, through Justice Rochford's majority opinion, ruled that under BIPA, a separate claim accrues each time a private entity unlawfully scans or transmits an individual's biometric information without prior informed consent. This interpretation emphasizes that violations of sections 15(b) and 15(d) are actionable every instance they occur, rather than being limited to the initial violation.

The court disagreed with the appellant, White Castle System, Inc., which argued that the accrual of claims should be limited to the first instance of biometric data collection or transmission. The dissenting justices, led by Justice Overstreet, contended that multiple claims for each unauthorized scan or transmission would lead to punitive and disproportionate damages, which they believe was not the legislature's intent.

Analysis

Precedents Cited

The majority opinion extensively referenced prior Illinois cases to ground its interpretation of BIPA. Notably:

• Watson v. Legacy Healthcare Financial Services, LLC: Influenced the understanding of claim accrual under BIPA, supporting the idea that each unauthorized biometric data use constitutes a separate violation.
• Rosenbach v. Six Flags Entertainment Corp.: Established that a violation of BIPA constitutes the injury necessary for a cause of action, not requiring proof of additional damages.
• West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc. and McDonald v. Symphony Bronzeville Park, LLC: Reinforced the interpretation that BIPA protects an individual's right to privacy and control over their biometric information.

The majority emphasized that these precedents collectively support the interpretation that each instance of unauthorized biometric data handling warrants a separate claim, thereby enhancing the protective scope of BIPA.

Legal Reasoning

The court's legal reasoning centered on the plain language of BIPA, particularly sections 15(b) and 15(d), which prohibit private entities from collecting or disclosing biometric data without consent. The majority reasoned that terms like "collect," "capture," "disclose," and "redisclose" are broad and action-oriented, implying that each act of collection or disclosure without consent constitutes a separate violation.

The court further highlighted the legislative intent behind BIPA—to provide robust protection for individuals' biometric information and to incentivize compliance by imposing significant potential liabilities on violators. By allowing claims to accrue with each unauthorized act, the court aimed to ensure that entities remain vigilant in adhering to consent requirements.

Impact

This judgment has profound implications for employers and other private entities that handle biometric data. By establishing that each unauthorized collection or transmission is a separate violation, the ruling intensifies the legal and financial risks associated with non-compliance. Organizations must ensure rigorous compliance frameworks to avoid multiple claims and substantial cumulative damages.

Additionally, this decision sets a precedent for future BIPA-related cases, potentially expanding the scope of individual and class-action lawsuits. It also underscores the judiciary's commitment to upholding stringent privacy protections in the digital age, where biometric data usage is becoming increasingly pervasive.

Complex Concepts Simplified

Biometric Information Privacy Act (BIPA)

BIPA is Illinois legislation designed to protect individuals' biometric data, such as fingerprints and facial recognition information. It requires private entities to obtain informed consent before collecting or disclosing biometric information and imposes penalties for non-compliance.

Sections 15(b) and 15(d)

Section 15(b): Prohibits private entities from collecting biometric data without first informing the individual in writing and obtaining their written consent.

Section 15(d): Restricts the disclosure of biometric data to third parties unless the individual has given prior consent.

Claim Accrual

Claim accrual refers to the point in time when a legal claim becomes valid and actionable. In this context, the court determined that claims under BIPA accrue each time there is an unauthorized collection or disclosure of biometric data.

Conclusion

The Supreme Court of Illinois' decision in Cothron v. White Castle System, Inc. reinforces the protective framework of BIPA by affirming that each unauthorized collection or transmission of biometric data constitutes a separate violation. This ruling not only enhances the enforceability of privacy protections but also elevates the accountability of private entities in handling sensitive biometric information.

Organizations must proactively implement comprehensive consent and data protection measures to mitigate the risk of multiple claims and substantial damages. Moreover, this case underscores the judiciary's role in upholding individuals' privacy rights in an era where biometric data plays a critical role in personal and professional domains.

Ultimately, Cothron v. White Castle System, Inc. sets a robust precedent that underscores the necessity for stringent compliance with biometric data privacy laws, thereby contributing to the broader landscape of data protection and privacy rights.