Every Scan Counts: Illinois Supreme Court Decides Claim Accrual Under BIPA

February 21, 2023

In a split decision, the Illinois Supreme Court recently clarified that a new claim accrues under Illinois’ Biometric Information and Privacy Act (BIPA) with each scan or transmission that violates BIPA. This long-awaited decision significantly increases employers’ exposure for BIPA violations.


BIPA, enacted in 2008, requires private entities to follow certain consent, notice, and disclosure procedures when collecting, storing, or using individuals’ biometric data.

In Cothron v. White Castle System, Inc., the plaintiff sued White Castle for alleged violations of BIPA Sections 15(b) and 15(d). Under Section 15(b), “[n]o private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s” biometric information without informed consent in writing. Section 15(d) prohibits disclosing, redisclosing, or otherwise disseminating a person’s biometric information without informed consent in writing.

White Castle argued that claims under Sections 15(b) and 15(d) of BIPA accrue only once—when the biometric data is first collected or disclosed. The district court, however, ruled that a new claim accrues each time the plaintiff scanned her fingerprint. The district court then certified its order for immediate interlocutory appeal.

Illinois Supreme Court Decision

On appeal, the 7thU.S. Circuit Court of Appeals certified this question to the Illinois Supreme Court: “Do section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?” The Illinois Supreme Court held the former: separate claims accrue under BIPA each time a private entity violates Sections 15(b) and 15(d), not just the first time.

The court relied on the statutory language of BIPA and found that White Castle did not show how its biometrics system could work without “collect[ing]” or “captur[ing]” the fingerprint each time an employee needed to access paystubs. Each time the system captured or collected the plaintiff’s information, with no informed consent, a new claim accrued under 15(b).

The court similarly held that the plain language of Section 15(d) captures repeated transmission to the same party. Webster’s Third New International Dictionary defines “disclose” as to “expose to view” and provides an example of something happening more than once: “the curtain rises to [disclose] once again the lobby.” And the catchall language’s use of “disseminate” also supports this conclusion.

The court also found that Illinois caselaw on BIPA—cited by White Castle—illustrated that an injury under Section 15 should not be limited to the first time that a private entity scans or discloses a party’s biometric information.

The court largely dismissed White Castle and its amici’s concerns about astronomical damages. The court found that when statutory language is clear, as it is in the case of BIPA, the language must be given effect, even if the consequences are harsh, unjust, absurd or otherwise. Additionally, the court held that without substantial penalties, private entities would have little incentive to comply if subsequent violations carried no legal consequence.

However, the court included a saving grace—it clarified that damages under BIPA are discretionary. Under BIPA, a prevailing party may recover for each violation. As such, employers should maintain extensive records related to compliance with BIPA. If an employer can show the steps it took to comply with BIPA or that the plaintiff(s) suffered no harm, the court may decide to limit damages. In short, the trial court presiding over a class action possesses the discretion to fashion a damage award that “include[s] an amount designed to deter future violations, without destroying defendant’s business.”

The court also seemingly cued the Illinois Legislature to act on BIPA should it feel that the court’s ruling is incorrect: “policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature.” The court suggested that the legislature review “these policy concerns and make clear its intent regarding the assessment of damages under the Act.”

In addition to those slight carve-outs from the court regarding damages, three Justices dissented. They noted that the potential for “punitive, crippling liability on business could not have been a goal of the Act,” and “nothing in the Act” reflects that the Legislature intended to impose excessive liability on corporations for multiple scans of the same biometric information. Rather, the dissent reasoned, BIPA was intended to promote the use of biometric information, not discourage it.

Takeaways for Employers

Illinois employers are cautioned that, in light of the Cothron decision, a new claim accrues with each scan that violates BIPA, not just the first scan. Not only does this create an opportunity for plaintiffs to claim and receive more damages, but it also restarts the statute of limitations with each violation. This renders BIPA compliance more essential than ever before. Employers should correct violations regardless of when they notice them. While a course correction may be expensive, it will be substantially less costly than the potential damages stemming from a BIPA class action.

For further information on or questions about BIPA’s requirements or the topics covered in this legal alert, please contact the authors, your McGuireWoods contact, or a member of the firm’s labor and employment team.