Legal Alerts

BIPA Continues Its Devastating Impact on Illinois Businesses

Chicago, Ill. (September 23, 2020) - On September 18, 2020, in a closely watched Illinois Biometric Information Privacy Act (BIPA) case of first impression, the Illinois First District Court of Appeals ruled that BIPA claims for statutory damages by employees against their employers are not preempted by the exclusive remedy provision of the Illinois Workers Compensation Act (IWCA).

McDonald v. Symphony Bronzeville

The McDonald v. Symphony Bronzeville case came before the appellate court by way of a Rule 308 interlocutory appeal on the certified question of whether the exclusivity provisions of the IWCA bar a claim for statutory damages under BIPA where an employer is alleged to have violated an employee's statutory privacy rights during the course of their employment. The appellate court answered in the negative, reasoning that claims for liquidated damages do not involve a work-related injury and thus are not “compensable” under the IWCA, and furthermore do not fit within the purview of the IWCA scheme. The opinion was limited to determining that liquidated damages are not compensable under the IWCA and left open the question of whether the IWCA preempts the claims of a plaintiff seeking actual damages under BIPA.

Friday’s ruling will likely further embolden plaintiffs’ attorneys who have brought hundreds of class action lawsuits against Illinois companies alleging violations of BIPA. The majority of these lawsuits contend that employers have violated BIPA by implementing so-called “biometric” timeclocks that employees use to clock in and out of work. Many of these pending class actions had been stayed by the lower courts while the First District Appellate Court reviewed the novel question of whether BIPA claims in the employment context are preempted by the IWCA. It is expected that the employer in McDonald will seek review of the appellate court decision by the Illinois Supreme Court within the next 30 days.

Cothron v. White Castle

Additionally, on August 9, 2020, Judge John Tharp of the Northern District of Illinois upheld the “per scan” violation theory of BIPA in one of the first opinions to directly address this theory of liability and damages. The decision results from Judge Tharp’s denial of the defendant’s motion for judgment on the pleadings in Cothron v. White Castle. White Castle implemented a fingerprint-based computer system in 2007, before BIPA was enacted. Although the plaintiff acknowledged in 2007 that she consented to using biometrics, she did not sign a BIPA-specific consent until 2018, while using the biometric system continuously from 2007 to 2018. White Castle moved for judgment on the pleadings, arguing that the plaintiff’s claims were time-barred under any applicable statutes of limitations, i.e., 1 year, 2 year, or 5 year, because any alleged violation accrued the first time the plaintiff used the system after the enactment of BIPA in 2008. The plaintiff argued that the alleged BIPA violations were either a “continuing injury” and thus did not accrue until the last time she used the system prior to the 2018 consent or, alternatively, that each time the plaintiff used the system, it constituted an independent violation of BIPA.

Judge Tharp first held that BIPA violations are not a “continuing injury” and that the violation occurs “fully and immediately,” and is therefore redressable, upon the first scan or collection of a biometric identifier. Judge Tharp then determined that a violation of BIPA’s notice and consent provision occurs “when [a defendant] collects, captures, or otherwise obtains a person’s biometric information without prior informed consent” and that “[t]his is true the first time an entity scans a fingerprint … but it is no less true with each subsequent scan or collection.” (Emphasis added). Judge Tharp also determined that a violation likewise occurs each time an entity discloses or disseminates biometric information in violation of Section 15(d) of the Act. In short, “each time an entity discloses or otherwise disseminates biometric information without consent, it violates the statute.” White Castle is seeking interlocutory appeal to the Seventh Circuit.


Any company doing business in Illinois and using biometric technology should immediately review the requirements of BIPA and ensure compliance. Penalties for statutory violations of BIPA are $1,000 for each negligent violation and $5,000 for each intentional violation. Under a "per scan" theory as described above, penalties could accrue at a rate of $4,000 to $20,000 per employee per day for use of a biometric time clock that actually captures biometric identifiers under BIPA.

Lewis Brisbois was one of the first law firms in the country to form a practice group devoted to Illinois BIPA litigation and compliance. Our BIPA team stands ready to defend businesses that are facing BIPA claims and assist with BIPA compliance obligations. For more information on these specific cases and BIPA in general, contact the author or editor of this alert. Visit our Illinois BIPA Practice page for more alerts on this topic.


Michael J. Roman, Associate


Mary A. Smigielski, Partner and Co-Chair of Lewis Brisbois' Illinois BIPA Practice

Related Practices

Related Attorneys

Find an Attorney

Each of the firm's offices include partners, associates and a professional staff dedicated to meeting the challenge of providing the firm's clients with extraordinary service.