Introduction: Two new BIPA Cases

Two Illinois Supreme Court decisions recently released,  Tims v. Black Horse Carriers, Inc., 2023 IL 127801 and Cothron v. White Castle Sys., Inc., 2023 IL 128004, have clarified the statute of limitations and the actionable number of violations for suits under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 ff. (BIPA) This article describes the holdings and suggests ways to limit liability exposure which may result from the BIPA.


In Tims v. Black Horse Carriers, Inc., 2023 IL 127801, the Court held that the five year statute of limitations in 735 ILCS 5/13-205 applies to actions for breach of the BIPA rules for collection, retention, disclosure, and destruction of biometric identifiers and biometric information in 740 ILCS 14/15 (a), (b), (c), (d), and (e).


In Cothron v. White Castle Sys., Inc., 2023 IL 128004, the Court ruled that a separate violation of 740 ILCS 14/15 (b) or (d) occurs every time that a private entity collects biometric identifier information, and each time that biometric information is transmitted to a third party, not just when the information is first scanned or transmitted.


Court Discretion To Limit Damages Amounts


The court rejected defendant’s argument that liquidated damages of $1,000 per violation under 740 ILCS 14/20 could result in over $17 billion in damages for multiple years of employee fingerprint time clock scans without permission, along with injunctions, litigation expenses, and attorney’s fees for each violation. It noted that there is no language in the Act suggesting a legislative intent to authorize a damages award that would result in the financial destruction of a business, since Section 20 of the BIPA says that the damages amounts are specified as those that a prevailing party may recover, so the amount a court could award would therefore be discretionary. The Supreme Court also said it agreed with the appellate court in Central Mutual Insurance Co. v. Tracy’s Treasures, Inc., 2014 IL App (1st) 123339, ¶ 72, 385 Ill.Dec. 904, 19 N.E.3d 1100, which had held that “[a] trial court presiding over a class action – a creature of equity — would certainly possess the discretion to fashion a damage award that (1) fairly compensated claiming class members and (2) included an amount designed to deter future violations, without destroying defendant’s business.”


Relevant Biometric Information Defined


A ”biometric identifier” whose collection and transmission requires a written release under the BIPA is defined as “”a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” 740 ILCS 14/10 Definitions (Illinois Compiled Statutes (2023 Edition)) Health care information is excluded. Note, however, the federal regulations under the Health Information Portability and Accountability Act (HIPAA), and regulations under same (see generally Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, as amended by the Health Information and Technology for Economic and Clinical Health Act of 2009, Public Law 111-05) , which regulate health care information collection and transmission.

Release Required

A “written release” is defined as “”informed written consent or, in the context of employment, a release executed by an employee as a condition of employment.” 740 ILCS 14/10 Definitions (Illinois Compiled Statutes (2023 Edition)) 740 ILCS 14/15(b) requires prior information to the subject or their legal representative whose biometric identifier or information is being collected and the purpose and length of term for which such identifier or information is collected, and also receipt of the written release from the subject or legal representative at or before collection of such information. ADP published a sample employee consent form for time entries, with explanation, designed to meet BIPA standards, at (accessed 3/7/2023.)

Additional BIPA Requirements

Additional provisions of 740 ILCS 14/15 require biometric information policies (15(a)), limit sale or trade or other profit from collection or dissemination of biometric identifiers (15(c)), limit disclosure or redisclosure without consent or a legal requirement or a warrant or subpoena (15(d)),  and requires storage and transmission by any private entity of such information in at least as secure a manner as the party uses to protect other confidential and sensitive information.

Class Action And Individual Standing To Sue: No Additional Injury Required

The Black Horse decision cited the Court’s 2019 decision in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 20, 432 Ill.Dec. 654, 129 N.E.3d 1197 recognizing a right of action under Section 20 the BIPA for violations of 740 ILCS 14/15. The Court in Rosenbach allowed a class action for a plaintiff and similarly situated individuals with no injuries apart from specified BIPA statutory violations.

Workers Compensation Act Does Not Bar BIPA Suits

In the employment context, the Court has also held that the Workers Compensation Act does not bar a separate employee action under the BIPA, McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, 193 N.E.3d 1253, 456 Ill.Dec. 845 (Ill. 2022).

Existing Litigation Settlements May Prevent Further Damages Exposure

In evaluating your client’s potential exposure to new litigation as a result of the Tims v. Black Horse Carriers, Inc. and the Cothron v. White Castle Sys., Inc. decisions, counsel should note the many cases already brought against major companies under this and other biometric privacy laws which have already been the subject of settlements (see generally, accessed 3/7/2023) and the many Illinois state court class actions already brought under the Act. (See, accessed 3/7/2023.) If your client uses one of the major time keeping services or most biometric information collecting company’s equipment, it may already have been served with notice in one or more of these class actions, and may have already settled (or may still be able to settle) all employee claims under settlement terms already approved by the relevant court, with a claims site already established at the cost of defendants in such actions.

Retrospective Release of BIPA Claims

In addition, of course, a person injured by a BIPA violation may be able to waive liability claims. (Cf. reference to the lack of a release in McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, at paragraph 4, 193 N.E.3d 1253, at 1258, 456 Ill.Dec. 845, at 850 (Ill. 2022).) The Illinois Code of Civil Procedure permits dismissal of a case where the “section 2–619(a)(6) (permitting dismissal where the “claim set forth in the plaintiff’s pleading has been released, satisfied of record, or discharged in bankruptcy” (735 ILCS 5/2–619(a)(6) (West 2010)…, cited in Gadson v. Among Friends Adult Day Care, Inc., 39 N.E.3d 168 (Ill. App. 2015).)

A valid release may, thus, remove employees and others with possible claims for prior violations of the Biometric Information Privacy Act from possible classes able to bring suit under same. A release, like any other contract, may require consideration to be effective, and should be specific as to what injuries and what parties are covered by the form of the release. (Cf. Davis v. American Optical Corp., 899 N.E.2d 506, at 511, 386 Ill. App. 3d 866 (Ill. App. 2008).)

Conclusion: Action Needed To Limit Client Exposure

Lawyers, accountants and their clients should take action to:

  1. Assure current and future compliance with 740 ILCS 14/15 mandates concerning biometric identifiers information
  2. Evaluate litigation exposure (or lack of same) based on existing and possible cases and damage amounts possible and client, customer, employees, and other classes of potential plaintiffs.
  3. Obtain releases or verify that appropriate limits on liability (or at least adequate errors and omissions policy coverages) are present or could be arranged to limit future BIPA penalties and costs of litigation.

The post New Illinois Supreme Court Decisions Clarify Biometric Information Privacy Act appeared first on GrowthLaw.