The Privacy Class Action Review - 2023 - Report - Page 23
under the BIPA each time a private entity scans or transmits an individual’s biometric
identifier or information, in violation of §§ 15(b) or 15(d). First, the Illinois Supreme Court
analyzed the certified question with respect to § 15(b), which provides that no private
entity “may collect, capture, purchase, receive through trade, or otherwise obtain” a
person’s biometric data unless it first provides notice and receives written consent. 740
ILCS 14/15(b). Relying on the plain language of the statute and the fact that the actions
of “collecting” and “capturing” biometric data can occur more than once, the Supreme
Court agreed with the plaintiff’s interpretation – namely, that § 15(b) “applies to every
instance when a private entity collects biometric information without prior consent.” Id.
¶¶ 19, 23. As interpreted in the context of the facts of the case, the Supreme Court
further observed that White Castle obtains an employee’s fingerprint, stores it in its
database, and then compares the fingerprint taken during subsequent scans to verify
the identity of the employee. In the Supreme Court’s words, White Castle “fails to
explain how such a system could work without collecting or capturing the fingerprint
every time the employee needs to access his or her computer or pay stub.” Id. ¶ 23.
Accordingly, consistent with the District Court’s decision in Cothron and the Illinois
Appellate Court’s conclusion in Watson, 2021 IL App (1st) 210279, ¶ 46, the Illinois
Supreme Court held that an entity violates § 15(b) the first time it collects biometric data
without having provided the requisite notice and obtaining consent, in addition to “each
subsequent scan or collection.” Id. ¶ 24.
Next, closely tracking its analysis of § 15(b), the Supreme Court similarly held that BIPA
§ 15(d) – which prohibits the disclosure, redisclosure, or dissemination of biometric data
without consent – “applies to every transmission to a third party.” Id. ¶ 28. Like the verbs
“collect” and “capture” in § 15(b), the acts of disclosing and redisclosing biometric data
occur upon the initial disclosure in addition to any subsequent disclosure or
redisclosure of the data. See id. ¶ 29 (“A fingerprint scan system requires a person to
expose his or her fingerprint to the system so that the print may be compared with the
stored copy, and this happens each time a person uses the system.”).
The majority opinion also rejected White Castle’s remaining “nontextual” arguments
supporting its single-accrual interpretation. White Castle argued that a BIPA claim
accrued only upon the initial collection or disclosure of a person’s biometric data
because an individual loses the right to control his or her biometric data as soon as the
data is collected and/or disclosed. In rejecting the argument, the Supreme Court again
relied on the statute’s plain language, stating: “[n]o such limitation appears in the
statute. We cannot rewrite a statute to create new elements or limitations not included
by the legislature.” Id. ¶ 39.
Next, the Supreme Court turned to White Castle’s argument that in light of the BIPA’s
liquidated damages provision, interpreting the statute to mean an entity violates §§
15(b) and 15(d) every time it collects or discloses biometric data means “a party may
recover for “each violation,” allowing multiple or repeated accruals of claims by one
individual could potentially result in punitive and “astronomical” damage awards that
would constitute “annihilative liability” not contemplated by the legislature and possibly
be unconstitutional.” Id. ¶ 41. For example, White Castle estimated that if the plaintiff
22
© Duane Morris LLP 2023
Duane Morris Privacy Class Action Review – 2023
