Authors: Peter Donati, Becky Canary-King
Illinois employers that use biometric timeclocks (such as finger, face, hand, or retina scan timeclocks or entry devices) or collect other biometric information should take action immediately to confirm they are in compliance with Illinois’s Biometric Privacy Act (BIPA). Although BIPA has been in effect in Illinois since 2008, its requirements continue to catch businesses off guard – most recently with the Illinois Supreme Court’s decision in Cothron v. White Castle, issued on February 17, 2023.
The case centered on White Castle’s use of fingerprint scans when employees logged onto their computers. White Castle argued that a BIPA violation only occurred the first time the law was violated by collecting employee biometric information. The plaintiff, on the other hand, argued that a separate violation occurred each time she and fellow employees logged onto their computers with their fingerprint scans. The Illinois Supreme Court agreed with the plaintiff.
For employers using biometric timeclocks, this means that a separate violation—and potentially a separate penalty—occurs each time an employee clocks in and clocks out. With penalties of $1,000 for negligent violations and $5,000 for intentional or reckless violations, liability for companies could be astronomical. As penalties compound, even small employers could face seven-figure damages awards if they have used a biometric timeclock for a number of years.
In White Castle, the Court found that the company had repeatedly scanned fingerprints of nearly 9,500 employees. With each instance deemed a separate violation, the company estimates the penalties could be as much as $17 billion. The Court rejected the company’s argument that assessment of penalties for each scan would be “annihilative liability” for employers, noting that damages are not mandatory under the language of the statute and that lower courts will still have the discretion to fashion remedies that do not bankrupt defendants. The Court also suggested that it is up to the Illinois legislature to reform the statute if it intended a different outcome. However, these aspects of the ruling may be of limited comfort for employers seeking to negotiate settlements with plaintiffs’ attorneys armed with this decision.
The White Castle decision follows another major BIPA decision, Tims v. Black Horse Carriers Inc., in which the Illinois Supreme Court held that the statute of limitations for BIPA claims is five years, rejecting the one-year limitations period advocated by the defendant.
These decisions will have significant implications for Illinois employers that use biometric information. If your company uses – or previously used – biometric information (such as finger, face, hand, or retina scan timeclocks or entry devices), it’s critical that you confirm that you are complying with BIPA’s requirements.
Attorneys from our Employment & Executive Compensation Group and Cybersecurity Team are available to help you ensure that your business is compliant with BIPA and help mitigate exposure from past violations.