One can scarcely browse the internet without encountering a story on the use of Artificial Intelligence (AI) by businesses or websites. While recently most attention has focused on generative AI and the increasing use of chat bots to answer questions and write poems or prose on request, a narrower form of AI uses biometric data to authenticate individuals. For example, these AI systems can compare stored fingerprints to scans for clocking employees in and out of work or for accessing work computers or pay records, or for making voice comparisons when a consumer calls in to customer service.

While the need for more efficient and effective authentication processes drives demand for these services, state law restrictions on the collection and use of biometric data to enable these services may present significant legal risk for some companies developing or deploying these systems and have been recounted in the legal press for causing violations of state biometric law. On that point, two recent decisions by the Illinois Supreme Court this month could expose businesses that collect and use Illinois' residents' biometric data without prior informed consent to potentially "punitive, crippling … ruinous liability."

Biometric Information Privacy Act

The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, is among the most strict and most litigated biometrics privacy laws in the United States. More than 2000 suits have been filed given that BIPA provides for a private right of action and provides for statutory damages of up to $1,000 per negligent violation and $5,000 per intentional or reckless violation.

BIPA prohibits, inter alia, the collection of biometric data and its disclosure without first providing specific notice and obtaining written consent from the biometric data subject. BIPA defines protected "biometric identifiers" to include an individual's retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, and "biometric information" derived from those identifiers that is used to identify an individual. Businesses that collect, possess, or disclose biometric identifiers or biometric information of Illinois residents must: (1) ensure the individual has provided informed consent prior to the collection, use, or disclosure of their biometric data, including notice of the "purpose and length of term for which" the data is being collected, stored, and used; (2) protect stored biometric data and only retain it for a limited period, and (3) and not "sell, lease, trade, or otherwise profit from" biometric data.[1]

Class actions on behalf of Illinois consumers and employees were enhanced by an Illinois Supreme Court ruling in 2019 holding that individuals were "aggrieved" and had standing to sue for damages under BIPA without any "actual injury or adverse effect, beyond violation of his or her rights under the Act." The court held that "no additional consequences need be pleaded or proved. The violation, in itself, is sufficient to support the individual's or customer's statutory cause of action." Rosenbach v. Six Flags.

Two Recent Illinois Supreme Court decisions under BIPA

On February 2, 2023, the Illinois Supreme Court held that the statute of limitations for claims under BIPA was five years, rejecting an argument it was only one year. The court found that "absent [BIPA]'s protections, it is unclear when or if an individual would discover evidence of the disclosure of his or her biometrics in violation of the Act. Moreover, a shorter limitations period would prejudice those whom the Act is intended to protect." Tims v. Black Horse.

On February 17, 2023, the Illinois Supreme Court issued another opinion that will make it easier to assert substantial statutory damage claims under BIPA because the court found that each and every use and/or disclosure of biometric data without advance notice and consent is a separate violation of BIPA, thus subjecting the entity that collected or disclosed the data without notice or consent to multiple and significant statutory damage claims by aggrieved Illinois residents within the applicable five year limitations period. Cothron v. White Castle.

The Cothron Proceedings in Federal Court

Plaintiff Cothron was employed by defendant White Castle in 2004. Three years later, White Castle introduced a fingerprint scanning system and required, as a condition of continued employment, that employees scan and register their fingerprints in order to access their computers and paystubs. White Castle collected and stored each employee's fingerprint and disclosed it to its vendor, which verified that each new scan matched the stored fingerprint in order to authorize employee access to his or her work computer and paystubs. White Castle continued the fingerprint process after BIPA was enacted in 2008, but did not provide the required notice or obtain consent to collection and disclosure until 2018, 10 years later.

Cothron sued White Castle and the fingerprint verification vendor in Cook County, Illinois state court in 2018, and defendants removed the action to federal district court in Chicago. Plaintiff voluntarily dismissed the vendor from the suit and proceeded against White Castle. White Castle moved to dismiss, arguing that plaintiff waived her rights and failed to plead White Castle's mental state, and that employees' BIPA claims were preempted by the Illinois Workers' Compensation Act. The district court denied White Castle's motion to dismiss. Thereafter White Castle answered and moved for judgment on the pleadings, arguing that plaintiff's claims were barred by the statute of limitations.

The court rejected White Castle's claim that plaintiff's cause of action accrued in 2008 (and the statute of limitations began to run) when her biometric data was first obtained after BIPA became effective. Instead, the court held that each and every fingerprint scan and disclosure to the vendor constituted separate violations of BIPA, at least some of which occurred and thus accrued within the applicable limitations period, which was not yet resolved. At White Castle's request the district court certified its order denying White Castle's motion for judgment on the pleadings for immediate interlocutory appeal. The Seventh Circuit accepted the interlocutory appeal, found both plaintiff's and defendant's interpretations of claim accrual reasonable under Illinois law, warranting certification of the question to the Illinois Supreme Court. The Seventh Circuit certified the claim accrual question, specifically asking the Illinois Supreme Court to determine whether claims under BIPA "accrue each time a private entity scans a person's biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission."

The Illinois Supreme Court's Cothron Decision on Claim Accrual

The Illinois Supreme Court accepted the Cothron case and, after briefing and argument last May, issued its divided opinion on February 17, 2023, by a vote of 4-3. The majority agreed with the federal district court that "[a] party violates Section 15(b) when it collects, captures, or otherwise obtains a person's biometric information without prior informed consent. This is true the first time an entity scans a fingerprint or otherwise collects biometric information, but it is no less true with each subsequent scan or collection."

White Castle's disclosure of each scan was to the same vendor, so it argued that disclosing any aspect of the collected fingerprint to that vendor was a one-time act creating only one claim for liability. The majority disagreed and held "that the plain language of [BIPA] demonstrates that such violations occur with every scan or transmission" and that "an entity violates this obligation [not to disclose] the moment that, absent consent, it discloses or otherwise disseminates a person's biometric information to a third party," even if the disclosure is to the same party to whom the data was previously disclosed.

Given the court's holding that each and every scan of an employee's fingerprint, and each and every disclosure of that same employee's fingerprint to the same vendor, violated BIPA, White Castle could be subject to multiple statutory damage awards for every employee multiple times each day. On that calculation, White Castle alleged that it could face up to $17 billion in damages. While the majority did note that "there is no language in [BIPA] suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business," it "respectfully suggest[ed] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act." The majority also noted that damage awards are discretionary, not mandatory, and could be fashioned to compensate class members and "deter future violations, without destroying defendant's business."

The Dissent in Cothron

Three justices (including the Chief Justice) dissented and noted that potentially "punitive, crippling … ruinous liability" was being imposed on businesses under BIPA and that the decision "will lead to consequences that the legislature could not have intended." The dissenters reached the legislative intent issue itself, noting that "nothing in the Act indicat[ed] that the legislature intended to impose cumbersome requirements or punitive, crippling liability on corporations for multiple authentication scans of the same biometric identifier. The legislature's intent was to ensure the safe use of biometric information, not to discourage its use altogether."

On the substance, the dissenters agreed with White Castle that a violation of the prohibition on collecting biometrics "occurred, if at all, the first time that her biometrics were collected by White Castle without her consent, not each subsequent time that her finger was rescanned" and that "subsequent scans did not collect any new information from plaintiff, and she suffered no additional loss of control over her biometric information." The dissenters also agreed with White Castle that the prohibition on disclosure of biometrics was violated the first time the data was disclosed to a vendor and that the prohibition on redisclosure means "it must be to a different party [and] … '[r]epeated transmissions of the same biometric identifier to the same third party are not new revelations.' " The dissenters found that the consequences of the majority's decision were "harsh, unjust, absurd, or otherwise unwise" and that it would be in "plaintiff's interest to delay bringing suit as long as possible to keep racking up damages."

White Castle said that "it was reviewing its options for further judicial review, pointing to the dissent in the ruling." For the time being, however, commentators are noting that the decision in Cothron, along with the earlier decisions in Rosenbach and Tims, suggest possibly larger BIPA settlements. Other commentators find some solace in the majority's holding that damage awards under BIPA are discretionary (stressing the language in BIPA that a "prevailing party may recover" damages). Other commentators think it will be difficult for the legislature to address "potentially excessive damage awards" under BIPA, or "make clear its intent" regarding an assessment of damages that could financially destroy businesses using biometric technology, as also suggested in the majority opinion.

While there may be further judicial review, no class has been certified, no liability found, and any damages yet to be awarded, businesses covered by BIPA that develop or deploy AI to authenticate customers or employees should check and regularly test their compliance procedures given the massive liabilities that could result.

[1] BIPA has certain exemptions. For example, BIPA shall not be "deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm- Leach-Bliley Act of 1999 and the rules promulgated thereunder," and "shall not be construed to apply" to Illinois state agencies and local governments or their contractors, subcontractors, or agents. BIPA also provides that nothing in BIPA "shall be construed to conflict" with: (1) the "X-Ray Retention Act, the federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under either Act," or (2) the "Private Detective, Private Alarm, Private Security, Fingerprint Vendor, and Locksmith Act of 2004 and the rules promulgated thereunder."