PH Privacy
New BIPA Ruling Could Bring Additional Liability
February 22, 2023
By Aaron Charfoos
& Jacqueline W. Cooney
Last week the Illinois Supreme Court issued its long awaited opinion in the Cothron v. White Castle System, Inc. In Cothron, the Seventh Circuit Court of Appeals had certified a question of Illinois law to the Illinois Supreme Court. The question was, under Illinois’ Biometric Information Privacy Act, whether a claim accrues each time a private entity scans or transmits a person’s biometric information/identifier or only upon the first scan or transmission. The Court unequivocally held that “a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).” (Para. 1) While the Court recognized that the intention of the Act was not for the “financial destruction of a business” (Para. 42), ultimately the Supreme Court stated that correction of these potentially excessive awards are “best addressed by the legislature.” (Para. 43).
The Court’s opinion follows another opinion just three weeks ago in Tims v. Black Horse Carriers, Inc. holding that BIPA claims were uniformly subject to a five-year statute of limitations period. Combined, these two cases could pose challenges for corporate defendants. Notably, however, Courts also appear to be expanding other exemptions under BIPA. For example, in two recent cases in the Northern District of Illinois, Svoboda v. Frames for America, Inc. and Warmack-Stillwell v. Christian Dior, Inc., the Courts dismissed the complaints using the general medical care exemption under BIPA. The cases dealt with virtual try on technology for both prescription glasses and nonprescription sunglasses. The Courts reasoned that because both are Class 1 Medical Devices, even if the usage wasn’t totally for medical purposes or in a clinical setting, that they fall under the exemption.
These cases are also being decided at a time when numerous other states are contemplating biometric privacy statutes. It is not immediately clear whether these decisions will lead to changes in those pending bills to correct some of the issue identified by the Cothron Court. In the meantime, companies collecting and using biometric information should closely review their biometric privacy disclosures, retention schedules and consent mechanisms to ensure that they are in compliance with the statute.
Paul Hastings has a group of experienced trial lawyers and advisors who are very familiar with BIPA litigation and compliance. Keep an eye out for an upcoming article we are working on that will lay out in more detail the current BIPA landscape and key takeaways for our clients.