In what is becoming a pattern, the Illinois Supreme Court recently issued another decision interpreting the Biometric Information Privacy Act (“BIPA”) to expand potential liability for businesses. The court held in Cothron v. White Castle that each time a business collects or discloses an individual’s biometric data without first obtaining BIPA-compliant consent, a separate claim accrues under BIPA. BIPA authorizes statutory damages of $1,000 for “each violation” of the statute—and $5,000 if the violation is found to be intentional or reckless. Even before this decision, companies with many customers or employees faced massive potential exposure under BIPA—often in the millions and sometimes billions of dollars. But under Cothron, that threatened exposure is multiplied many times over given that a new claim can accrue with each repeated collection or disclosure (for example, each time an employee clocks in and out of work using a fingerprint timekeeping system). And Cothron follows on the heels of another recent Illinois Supreme Court decision, Tims v. Black Horse Carriers, that declared that a 5-year statute of limitations applies to all BIPA claims.
Inside Cybersecurity & Privacy Law
Exploring the evolution of cybersecurity and privacy law