An Illinois Supreme Court ruling on February 17, 2023 opened the door to astronomical damages under the Illinois Biometric Information Privacy Act (“BIPA”).  Enacted in 2008, BIPA provides for a private right of action against an entity that collects or discloses a person’s biometric identifier without opt-in consent.

The Case

Cothron v. White Castle System, Inc. involved a private BIPA class action against the White Castle fast-food chain by current and former employees. The lead plaintiff alleged that since 2004, White Castle employees had been required to scan their fingerprints to access pay stubs and company computers (which required transmission of the scanned print to a technology vendor), but White Castle did not begin seeking its employees’ consent until 2018.

White Castle sought dismissal on the basis of the applicable 5-year statute of limitations, arguing that the plaintiff’s claim accrued upon the first collection and disclosure of her fingerprint and was time-barred as of her suit a decade later. Plaintiff countered that separate claims accrued for each violation of BIPA, i.e., each time she scanned her fingerprint and each time that scan was accessed by the technology vendor.

The Question

The district court ruled in the plaintiff’s favor and, following an immediate appeal, the 7th Circuit certified the following question for review by the Illinois Supreme Court: Do BIPA claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively?

The Decision

In a 4-3 split decision, the Illinois Supreme Court answered affirmatively. It found that separate claims under BIPA accrued for each nonconsensual collection or disclosure, including repeated collections of the same biometric identifier and repeated disclosures of that biometric identifier to the same third party.

The Reasoning

The court reasoned that the statutory definition of “collection” encompassed scans of a biometric identifier for verification against a database, as well as the initial capture of the identifier for storage in the database.

As to “disclosure,” the court found that the statute’s inclusion of the catchall – to “otherwise disseminate” – suggested that “disclosure” included any transmission of biometric information to a third party, including one that already possessed the information.

In so holding, the court was not swayed by arguments that its interpretation would allow for astronomical damages under BIPA’s ‘per-violation’ liquidated-damages clause. The court acknowledged that class-wide damages for 9,500 current and former White Castle employees could total $17 billion, but noted that these damages were discretionary and that the court was nonetheless bound to follow the plain language of the statute. The court suggested that any policy issues should be resolved by the legislature.

The Bottom Line

Two key implications follow from this ruling:

First, entities without robust opt-in consent policies for biometric data may have exposure in the billions of dollars.

Second, plaintiffs are entitled to damages for accumulated violations during a 5-year lookback period, and so may delay bringing a claim until the moment that a consent policy is implemented. Consequently, delay in adopting a consent policy will increase liability exposure (provided the entity has collected biometric data for less than 5 years).

Cyberattacks on corporate networks are on the rise, and the ramifications from such attacks can be financially devastating. Recent benchmarking data shows that the number of material cyber breaches at large businesses increased by 20.5% from 2020 to 2021, with cybersecurity budgets across industries aimed at preventing breaches jumping 51%. And while businesses suffering cyberattacks emanating from state-sponsored entities may have insurance coverage for their losses, the scope of coverage available can vary dramatically depending on the amount of coverage purchased and the terms and conditions of policies. Interestingly, next month Lloyd’s is adding exclusions to limit insurance coverage for state-sponsored cyberattacks.

Read on to learn how to prepare your company for these rapidly evolving security risks and why policyholders should review cyber, property and other policies to determine which may provide cyberattack coverage.

The Supreme Court of Illinois relied on legislative intent, policy concerns and precedents to hold that all Biometric Information Privacy Act claims are subject to a five-year statute of limitations. Read on to learn more about the Tims v. Black Horse Carriers, Inc. opinion and how it may impact businesses and their BIPA decisions going forward.

In a unanimous decision, the Ohio Supreme Court found that a computer software company’s business owners insurance policy does not cover losses resulting from a ransomware attack on the company’s computer software systems because the attack did not cause physical loss or physical damage to the software.

Read on for background on this case and analysis of the ruling.

A bipartisan coalition of state attorneys general sent a comment letter to the Federal Trade Commission highlighting the risks to consumers from businesses’ surveillance and their collection and storage of data such as health information and location tracking.

Read on for details about this development and how companies that collect such information can minimize risks to their businesses and their customers.

As 2022 draws to a close, it is important to keep in mind that key state-level regulations on consumer and employee data privacy will become effective as soon as 2023 begins. These regulations now prescribe specific standards and requirements for the data security measures, personal data processing activities and privacy policies of covered businesses, in recognition of the consumer rights created by each of the Acts. As a result, businesses need to ensure that their policies and practices are adjusted to address the increased privacy risk.

The Virginia Consumer Data Protection Act (“VCDPA”) will go into effect on January 1, 2023. This statute requires companies that operate in Virginia or target Virginia consumers (whether or not the company is located in Virginia) and collect personal information from more than 100,000 Virginia consumers annually to meet certain cybersecurity requirements and to offer certain privacy rights to those consumers, such as the right to opt out. For more specifics on the VCDPA, read on here.

The California Privacy Rights Act (“CPRA”) also goes into effect on January 1, 2023. This statute applies to any business that collects the personal information of a California resident if that business meets one of the following three criteria: (1) had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year; (2) alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more California consumers or households; or (3) derives 50 percent or more of its annual revenues from selling or sharing California consumers’ personal information. These businesses must meet certain disclosure and cybersecurity requirements and must offer certain privacy rights to those consumers. Subject to certain exceptions, these rights include the right of consumers to know what information is collected about them, the rights to correct and delete their personal information, the right to opt out of the sale or sharing of their personal information and the right to limit the use of their sensitive personal information. Read on for more specifics on the CPRA here.

Our Data Privacy & Security team can assist with drafting privacy policies that are consistent with the Virginia CDPA and the CPRA. Contact us today to learn more.

On Nov. 21, 2022, the Federal Communications Commission issued a declaratory ruling and order finding that “ringless voicemails” to wireless phones are “calls” made using an artificial or prerecorded voice. Such calls, therefore, are subject to the Telephone Consumer Protection Act and callers must obtain consent before delivering such messages.

Read on to learn about the FCC’s ruling and why companies should not rely on a vendor’s representation that its technology falls outside the TCPA’s reach.

Compliance with out-of-state investigative requests, like warrants, just got a little trickier for some California-based companies.

Read on for details and implications of a new California law that, among other things, prohibits technology and communications companies based in the state from providing user data to out-of-state authorities investigating abortions that would be legal under California law.

During the 2022 Federal Identity Forum & Exposition on Sept. 7, FinCEN acting Deputy Director Jimmy Kirby emphasized the importance of securing digital identity as “fundamental to the effectiveness” of every financial institution’s anti-money laundering/countering the financing of terrorism (AML/CFT) program.

Read on for details and analysis of his remarks and proactive steps financial institutions can take to build secure, privacy-preserving digital identity solutions.

On Wednesday, August 24, 2022, the California Attorney General released a public statement addressing its first enforcement action under the California Consumer Privacy Act (“CCPA”) against Sephora. The Attorney General alleged that Sephora failed to disclose to consumers that it was selling personal information, it failed to honor requests submitted through Global Privacy Controls (“GPC”), and it failed to cure these violations within the 30-day period. The parties settled for a $1.2M fine and injunctive relief requiring Sephora to comply with the CCPA and accept GPC.

First CCPA Enforcement Action Shows Accepting User-Enabled Global Privacy Controls Is Mandatory