Skip to Main Content



Author: David E. Morrison

The Illinois Supreme Court issued a stunning 4-3 decision on February 17, 2023, holding that violations of the Illinois Biometric Information Privacy Act (BIPA) accrue with each scan or transmission rather than per person. The headline grabbing decision in Cothron v. White Castle System, Inc., 2023 IL 128004, has been heavily anticipated since the oral argument was held in May 2022, and comes just weeks after the Supreme Court expanded the scope of BIPA claims by holding in Tims v. Black Horse Carriers that a five-year statute of limitations period, not one year, applied to all BIPA causes of action.

Unlike in Tims, which was a unanimous Supreme Court decision, three Supreme Court justices vigorously dissented in White Castle, starkly painting the potentially disastrous consequences of the majority's opinion. The dissent reflected that, "[i]mposing punitive, crippling liability on businesses could not have been a goal of the Act, nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm."

If none of the Court's prior BIPA opinions has grabbed the attention of the Illinois legislature and business community, this one surely will. The Supreme Court, in fact, directly appeals to the Illinois legislature to consider the policy implications resulting from its opinion. Perhaps of most significance, though, the Supreme Court also threw a potential life saver to the Illinois business community when it made clear that lower courts have discretion to fashion a damage award that is both fair and would not "destroy" the defendant business.

As we just summarized in our February 16, 2023, client alert, BIPA imposes what has appeared to be almost strict liability for violations. BIPA requires that before companies obtain a person's biometric identifier (fingerprint/retina scan, etc.), companies must first inform the person in writing that the information will be collected or stored; publish in writing the purpose and length of term for which the information is being collected or stored; and receive a written release and consent. 

The White Castle case provides a real-world example of the impact of the issue being considered by the Court. With statutory damages of $1,000 and $5,000 for each BIPA violation, and if a violation is measured every time biometric information is collected (e.g.,  a company scans a fingerprint), "violators face potentially crippling financial liability." White Castle, for instance, argued that with 9,500 current and former employees in the proposed class, statutory damages of $1,000 per person would amount to $9.5 million in class damages. But if the damages are awarded based on each scan, the class damage claim could exceed $17 billion. That is $1.8 million per employee

It will be critical to see courts exercise judicial discretion to give the business community a baseline of their realistic potential liability for violating BIPA, if for no other reason than to underwrite the value of potential claims.

Clearly aware that this type of damages calculation is unworkable, the majority did its best to limit the impact of its opinion. While the opinion professed not to weigh in on policy implications, it went out of its way to explain how an annihilative damages award could be avoided. 

First, the Supreme Court agreed with an earlier Illinois appellate court opinion that a class action was a "creature of equity," which permitted the trial court "discretion to fashion a damage award that (1) fairly compensated claiming class members and (2) included an amount designed to deter future violations, without destroying defendant's business." 

Second, the Supreme Court interpreted BIPA as explicitly adopting judicial discretion in fashioning appropriate relief: "the General Assembly chose to make damages discretionary rather than mandatory under the Act.  See 740 ILCS 14/20 (West 2018) (detailing the amounts and types of damages that a "prevailing party may recover")." 

Finally, the Supreme Court even appeared to walk back elements of its Rosenbach v. Six Flags Ent. Corp. opinion.  The White Castle court found that, even though the Rosenbach opinion foresaw "substantial potential liability" arising from BIPA violations, "there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business."

With these qualifications, the White Castle court has given a roadmap for trial courts to consider all relevant factors in fashioning relief – including what is fair, protective and would not result in financial disaster for the defendant company. Permitting judges to apply their individual discretion will likely result in uneven calculation of damages for at least the short term. 

Recall that in 2020, the California district court hearing the Facebook BIPA class action rejected Facebook's proposed $550 million settlement as inadequate before approving a $650 million settlement (which assumed a BIPA violation per person, not per scan). What would that settlement have looked like if the damages were calculated each time a user was tagged rather than by user? Will the courts use their discretion to assess damages so as to maintain effectively a $1,000 per person damages calculation despite the ability to award substantially more damages under White Castle?

It will be critical to see courts exercise judicial discretion to give the business community a baseline of their realistic potential liability for violating BIPA, if for no other reason than to underwrite the value of potential claims. Businesses rely on access to the credit market, and loan approvals require an effective underwriting process to accurately determine credit risk. Evaluating BIPA compliance and liability will surely become even more critical for lenders making loans to businesses with locations in Illinois.

Finally, will the legislature take the Supreme Court up on its direct invitation to weigh in on BIPA damages? In fact, the Illinois legislature attempted to amend BIPA in 2021. The House Judiciary-Civil Committee passed on a bi-partisan basis an amendment to BIPA (House Bill 559) that would have allowed companies a 30-day period to correct alleged BIPA violations, and permit only actual damages rather than the statutory liquidated damages. Debate on that bill ended on January 10, 2023, with the end of the two-year legislative session. 

It will be up to the new Illinois legislature and Governor Pritzker to renew the effort to legislatively address the manner in which BIPA violations should be enforced. If Illinois wants to retain business as well as entice new businesses to come to Illinois, then a legislative fix would appear essential.

With White Castle now controlling law, BIPA class actions have just become bet-the-company litigation. It is critical that businesses not only take steps to comply with BIPA, but to retain effective litigation counsel to minimize as much as possible the potential impact of such claims. 

If you have any questions on BIPA compliance or litigation, please contact David Morrison, or any of the litigators at Goldberg Kohn.