Data Privacy & Security

7th Circuit: Is Each Transmission of Biometric Data a BIPA Violation?

Outcome will have a dramatic impact on statutory damages.

Jennifer Oliver

The Seventh Circuit U.S. Court of Appeals has certified a question to the Illinois Supreme Court over the accrual of claims under the Illinois Biometric Information Privacy Act (BIPA). The question, posed by the court in Cothron v. White Castle Systems, Inc., reads:

“Do section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?”


The case was brought by an employee of the White Castle hamburger chain, which requires fingerprint scans for employees to access computer systems. The plaintiff charged that sharing her fingerprints with a third party vendor violated the law. Cothron v. White Castle Sys., No. 20-3202, 2021 U.S. App. LEXIS 37593 (7th Cir. Dec. 20, 2021).

An accrual rule based on each collection, opponents to such a finding argue, would pose potentially existential damages — especially in the class action context — since BIPA provides for statutory damages of $1,000 or $5,000 per violation. Parties disagree on whether BIPA damages are mandatory or discretionary, however. Should the court determine that the first scan is the only scan that starts the statute of limitations clock ticking, opponents to that interpretation say,  anyone bringing a claim after five years would be out of luck, even if their private biometric data continued to be transmitted more than five years after the first occurrence. 

Preceding the federal court’s certification of this question by just five days, an Illinois appellate court ruled that, yes, claims under sections 15(a) and (b) accrue with each capture and use of a plaintiff’s biometric  information. Watson v. Legacy Healthcare Financial Services, LLC, et al., 2021 IL App (1st) 210279 No. 1-21-0279, Opinion filed Dec. 15, 2021.

White Castle LogoThis is an important case to watch.

Illinois was the first to implement such legislation, something several states have since emulated. Should it come down in favor of an “all scans” interpretation, defendants may find themselves on the receiving end of devastating damages multipliers. Of course, the Illinois Supreme Court could determine that damage awards are at the discretion of a court, and are not mandatory under the law. Or it could rule that every scan or transmission restarts the statute of limitations clock, but that a claimant may only collect damages once for a series of transmissions of the same data, similar to how damages for defamation are not based on each publication of the same defaming remarks. Yet another possibility is that the court could determine that the clock starts to run when a claimant first learns of an alleged violation, which has precedent in litigation involving latent diseases caused by products, where individuals cannot know they were harmed until they developed a signature disease, i.e., one connected to a specific product.

The ruling in this case is especially interesting as the COVID-19 pandemic has led to skyrocketing adoption of remote access tools that can collect biometric data for learning, court appearances, and work-from-home arrangements, and a corresponding uptick in BIPA lawsuits.

Edited by Tom Hagy for MoginRubin LLP.

Subscribe to the MoginRubin blog

Sign up to start receiving our blog posts straight to your inbox.

Thank You!

Check your inbox for details about your MoginRubin Blog subscription.