Client Alert: Illinois Supreme Court Rules That A BIPA Claim Accrues With Each Scan Or Transmission Of Private Information
In an opinion issued on Friday in Cothron v. White Castle System, Inc., 2023 IL 128004, the Illinois Supreme Court resolved the question of when claims for violations of sections 15(b) and (d) of the Illinois Biometric Information Privacy Act (BIPA) accrue. In a 4-3 decision, the Court held that a separate claim accrues each time a private entity scans or disseminates an individual’s biometric identifier or information in violation of sections 15(b) or (d).
Background On BIPA And The Cothron Litigation
The Illinois legislature enacted BIPA in 2008 to regulate the collection, retention, and use of biometric data. BIPA has proved to be very popular with plaintiffs’ class action lawyers, and BIPA claims have resulted in numerous high-profile, high-value class settlements and a recent $228 million jury verdict.
In Cothron, the plaintiff filed a putative class action complaint on behalf of all Illinois employees of White Castle in the Circuit Court of Cook County. Challenging White Castle’s use of a system that required employees to scan their fingerprints to access their pay stubs and restaurant computers, the complaint alleged violations of BIPA sections 15(b) and (d). The case was removed to federal court.
White Castle moved for judgment on the pleadings, arguing that the plaintiff’s claims were untimely because they accrued in 2008, when the plaintiff first used the technology and White Castle allegedly first obtained the plaintiff’s biometric data and allegedly disseminated it to third-party technology vendors and storage providers. The plaintiff responded by arguing that the “continuing violation” rule applied, and therefore her claims did not accrue until the last time that White Castle allegedly collected and disseminated her data without first complying with sections 15(b) and (d). The plaintiff also argued, in the alternative, that every scan and every dissemination of that scan to third-party vendors constituted a separate violation of BIPA, and therefore at least a portion of her claims was timely.
The district court denied White Castle’s motion, holding that the continuing violation rule did not apply, but finding that an entity violates sections 15(b) and (d) each time it collects and disseminates biometric data without complying with the statute. The district court subsequently certified the issue for immediate interlocutory appeal. On appeal, the US Court of Appeals for the Seventh Circuit found that the parties’ competing interpretations of BIPA were both reasonable and presented a novel and controlling issue of state law. It certified the claim-accrual question for resolution by the Illinois Supreme Court, and the Illinois Supreme Court chose to answer the question.
The Illinois Supreme Court’s Cothron Opinion
In Friday’s decision, the Illinois Supreme Court held that, under the plain language of the statute, a party violates sections 15(b) or 15(d) when it collects, captures, or transmits a person’s biometric information without prior informed consent, and “each and every capture and use of plaintiff’s fingerprint or hand scan,” and each and every subsequent “transmission” of that data to a third-party, constitutes a separate violation of the statute.
Section 15(b) states that “[n]o private entity may collect [or] capture . . . a person’s or a customer’s biometric identifier or biometric information, unless it first” provides a specified written notice and obtains a written release. Defining the word “collect” in section 15(b) to include “receiv[ing], gather[ing], or exact[ing],” and defining “capture” as “to take, seize, or catch,” the Court found that all scans—both the first print stored in a database and all subsequent authentication scans—involve collection or capture.
The Court rejected White Castle’s interpretation of the phrase “unless it first” as referring only to the first collection of biometric information. That phrase, the Court explained, modifies the entity’s obligation to obtain consent, not the triggering action.
The Court reached the same conclusion as to section 15(d), which provides that “[n]o private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless” it obtains informed consent from the individual or her legal representative or has legal authorization. Rejecting White Castle’s position that disclosure is a one-time event and defining “disclose” as to “expose to view,” the Court held that this provision’s plain language applies to “every transmission to a third party.” The Court also rejected arguments by White Castle that section 15(d) applies only when information is disclosed to a new third party, not every time information is provided to the same vendor or other third party.
The majority acknowledged that its reading could result in the plaintiff in Cothron bringing claims on behalf of as many as 9,500 current and former White Castle employees, with class-wide damages exceeding $17 billion, but noted that “the statutory language clearly supports plaintiff’s position.” While noting that the “potential for significant damages awards” under BIPA should not dictate the legal interpretation of the statute, the Court’s holding includes two significant caveats regarding damages. First, “[i]t appears that the General Assembly chose to make damages discretionary rather than mandatory,” and, according to the Court, “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.” Second, a trial court presiding over a BIPA class action, as a “creature of equity,” has the discretion to fashion a damages award that fairly compensates class members and deters future violations without destroying a defendant’s business. Ultimately, though, the Court noted that policy-based concerns over “potentially excessive damage awards under the Act are best addressed by the legislature,” and suggested that the General Assembly “review these policy concerns and make clear its intent regarding the assessment of damages” under BIPA.
Three justices dissented. They reasoned that the majority’s decision could not be reconciled with the plain language of the statute, the purposes behind BIPA, or existing case law, and that it would lead to consequences far beyond what the legislature could have intended. The dissent reasoned that the purpose of BIPA is to prevent an individual’s loss of the right to maintain privacy of their biometric data, and that once a private entity obtains a particular type of biometric data from an individual, the “secrecy interest is lost,” and the entity is not obtaining anything new by collecting it again. The dissent also reasoned that the Illinois General Assembly could not have intended to impose punitive, crippling liability on businesses when it enacted BIPA. To the contrary, the legislature “recognized the utility of biometric technology and wanted to facilitate its safe use.” Indeed, the penalty for selling biometric information to a third party without knowledge of the purpose for which it would be used is only $5,000—a figure inconsistent with an interpretation of BIPA that makes available drastically higher damages for businesses that collect biometric information for their own business purposes.
Takeaways
Along with the Illinois Supreme Court’s February 2, 2023 decision in Tims, et al. v. Black Horse Carriers, Inc., which held that BIPA claims are governed by a five-year, rather than one-year, limitations period, the decision in Cothron is another in a line of Illinois Supreme Court decisions that have interpreted BIPA broadly and in ways that favor plaintiffs. It is likely to have significant impacts: It will broaden the set of claims that are timely. It also is likely to encourage the filing of even more BIPA class action cases. And it certainly will lead to many new disputes in existing BIPA cases, as both plaintiffs and defendants seek to use Cothron to advance their positions.
The Illinois General Assembly also likely will revisit the annual question of whether BIPA should be amended, and there will be extensive advocacy efforts directed to whether and how the law should be revised to prevent the “harsh, unjust, absurd, or unwise” consequences that the Cothron majority recognized its holding could create.
Background On BIPA And The Cothron Litigation
The Illinois legislature enacted BIPA in 2008 to regulate the collection, retention, and use of biometric data. BIPA has proved to be very popular with plaintiffs’ class action lawyers, and BIPA claims have resulted in numerous high-profile, high-value class settlements and a recent $228 million jury verdict.
In Cothron, the plaintiff filed a putative class action complaint on behalf of all Illinois employees of White Castle in the Circuit Court of Cook County. Challenging White Castle’s use of a system that required employees to scan their fingerprints to access their pay stubs and restaurant computers, the complaint alleged violations of BIPA sections 15(b) and (d). The case was removed to federal court.
White Castle moved for judgment on the pleadings, arguing that the plaintiff’s claims were untimely because they accrued in 2008, when the plaintiff first used the technology and White Castle allegedly first obtained the plaintiff’s biometric data and allegedly disseminated it to third-party technology vendors and storage providers. The plaintiff responded by arguing that the “continuing violation” rule applied, and therefore her claims did not accrue until the last time that White Castle allegedly collected and disseminated her data without first complying with sections 15(b) and (d). The plaintiff also argued, in the alternative, that every scan and every dissemination of that scan to third-party vendors constituted a separate violation of BIPA, and therefore at least a portion of her claims was timely.
The district court denied White Castle’s motion, holding that the continuing violation rule did not apply, but finding that an entity violates sections 15(b) and (d) each time it collects and disseminates biometric data without complying with the statute. The district court subsequently certified the issue for immediate interlocutory appeal. On appeal, the US Court of Appeals for the Seventh Circuit found that the parties’ competing interpretations of BIPA were both reasonable and presented a novel and controlling issue of state law. It certified the claim-accrual question for resolution by the Illinois Supreme Court, and the Illinois Supreme Court chose to answer the question.
The Illinois Supreme Court’s Cothron Opinion
In Friday’s decision, the Illinois Supreme Court held that, under the plain language of the statute, a party violates sections 15(b) or 15(d) when it collects, captures, or transmits a person’s biometric information without prior informed consent, and “each and every capture and use of plaintiff’s fingerprint or hand scan,” and each and every subsequent “transmission” of that data to a third-party, constitutes a separate violation of the statute.
Section 15(b) states that “[n]o private entity may collect [or] capture . . . a person’s or a customer’s biometric identifier or biometric information, unless it first” provides a specified written notice and obtains a written release. Defining the word “collect” in section 15(b) to include “receiv[ing], gather[ing], or exact[ing],” and defining “capture” as “to take, seize, or catch,” the Court found that all scans—both the first print stored in a database and all subsequent authentication scans—involve collection or capture.
The Court rejected White Castle’s interpretation of the phrase “unless it first” as referring only to the first collection of biometric information. That phrase, the Court explained, modifies the entity’s obligation to obtain consent, not the triggering action.
The Court reached the same conclusion as to section 15(d), which provides that “[n]o private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless” it obtains informed consent from the individual or her legal representative or has legal authorization. Rejecting White Castle’s position that disclosure is a one-time event and defining “disclose” as to “expose to view,” the Court held that this provision’s plain language applies to “every transmission to a third party.” The Court also rejected arguments by White Castle that section 15(d) applies only when information is disclosed to a new third party, not every time information is provided to the same vendor or other third party.
The majority acknowledged that its reading could result in the plaintiff in Cothron bringing claims on behalf of as many as 9,500 current and former White Castle employees, with class-wide damages exceeding $17 billion, but noted that “the statutory language clearly supports plaintiff’s position.” While noting that the “potential for significant damages awards” under BIPA should not dictate the legal interpretation of the statute, the Court’s holding includes two significant caveats regarding damages. First, “[i]t appears that the General Assembly chose to make damages discretionary rather than mandatory,” and, according to the Court, “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.” Second, a trial court presiding over a BIPA class action, as a “creature of equity,” has the discretion to fashion a damages award that fairly compensates class members and deters future violations without destroying a defendant’s business. Ultimately, though, the Court noted that policy-based concerns over “potentially excessive damage awards under the Act are best addressed by the legislature,” and suggested that the General Assembly “review these policy concerns and make clear its intent regarding the assessment of damages” under BIPA.
Three justices dissented. They reasoned that the majority’s decision could not be reconciled with the plain language of the statute, the purposes behind BIPA, or existing case law, and that it would lead to consequences far beyond what the legislature could have intended. The dissent reasoned that the purpose of BIPA is to prevent an individual’s loss of the right to maintain privacy of their biometric data, and that once a private entity obtains a particular type of biometric data from an individual, the “secrecy interest is lost,” and the entity is not obtaining anything new by collecting it again. The dissent also reasoned that the Illinois General Assembly could not have intended to impose punitive, crippling liability on businesses when it enacted BIPA. To the contrary, the legislature “recognized the utility of biometric technology and wanted to facilitate its safe use.” Indeed, the penalty for selling biometric information to a third party without knowledge of the purpose for which it would be used is only $5,000—a figure inconsistent with an interpretation of BIPA that makes available drastically higher damages for businesses that collect biometric information for their own business purposes.
Takeaways
Along with the Illinois Supreme Court’s February 2, 2023 decision in Tims, et al. v. Black Horse Carriers, Inc., which held that BIPA claims are governed by a five-year, rather than one-year, limitations period, the decision in Cothron is another in a line of Illinois Supreme Court decisions that have interpreted BIPA broadly and in ways that favor plaintiffs. It is likely to have significant impacts: It will broaden the set of claims that are timely. It also is likely to encourage the filing of even more BIPA class action cases. And it certainly will lead to many new disputes in existing BIPA cases, as both plaintiffs and defendants seek to use Cothron to advance their positions.
The Illinois General Assembly also likely will revisit the annual question of whether BIPA should be amended, and there will be extensive advocacy efforts directed to whether and how the law should be revised to prevent the “harsh, unjust, absurd, or unwise” consequences that the Cothron majority recognized its holding could create.
Related Attorneys
Related Capabilities
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
In an opinion issued on Friday in Cothron v. White Castle System, Inc., 2023 IL 128004, the Illinois Supreme Court resolved the question of when claims for violations of sections 15(b) and (d) of the Illinois Biometric Information Privacy Act (BIPA) accrue. In a 4-3 decision, the Court held that a separate claim accrues each time a private entity scans or disseminates an individual’s biometric identifier or information in violation of sections 15(b) or (d).
Background On BIPA And The Cothron Litigation
The Illinois legislature enacted BIPA in 2008 to regulate the collection, retention, and use of biometric data. BIPA has proved to be very popular with plaintiffs’ class action lawyers, and BIPA claims have resulted in numerous high-profile, high-value class settlements and a recent $228 million jury verdict.
In Cothron, the plaintiff filed a putative class action complaint on behalf of all Illinois employees of White Castle in the Circuit Court of Cook County. Challenging White Castle’s use of a system that required employees to scan their fingerprints to access their pay stubs and restaurant computers, the complaint alleged violations of BIPA sections 15(b) and (d). The case was removed to federal court.
White Castle moved for judgment on the pleadings, arguing that the plaintiff’s claims were untimely because they accrued in 2008, when the plaintiff first used the technology and White Castle allegedly first obtained the plaintiff’s biometric data and allegedly disseminated it to third-party technology vendors and storage providers. The plaintiff responded by arguing that the “continuing violation” rule applied, and therefore her claims did not accrue until the last time that White Castle allegedly collected and disseminated her data without first complying with sections 15(b) and (d). The plaintiff also argued, in the alternative, that every scan and every dissemination of that scan to third-party vendors constituted a separate violation of BIPA, and therefore at least a portion of her claims was timely.
The district court denied White Castle’s motion, holding that the continuing violation rule did not apply, but finding that an entity violates sections 15(b) and (d) each time it collects and disseminates biometric data without complying with the statute. The district court subsequently certified the issue for immediate interlocutory appeal. On appeal, the US Court of Appeals for the Seventh Circuit found that the parties’ competing interpretations of BIPA were both reasonable and presented a novel and controlling issue of state law. It certified the claim-accrual question for resolution by the Illinois Supreme Court, and the Illinois Supreme Court chose to answer the question.
The Illinois Supreme Court’s Cothron Opinion
In Friday’s decision, the Illinois Supreme Court held that, under the plain language of the statute, a party violates sections 15(b) or 15(d) when it collects, captures, or transmits a person’s biometric information without prior informed consent, and “each and every capture and use of plaintiff’s fingerprint or hand scan,” and each and every subsequent “transmission” of that data to a third-party, constitutes a separate violation of the statute.
Section 15(b) states that “[n]o private entity may collect [or] capture . . . a person’s or a customer’s biometric identifier or biometric information, unless it first” provides a specified written notice and obtains a written release. Defining the word “collect” in section 15(b) to include “receiv[ing], gather[ing], or exact[ing],” and defining “capture” as “to take, seize, or catch,” the Court found that all scans—both the first print stored in a database and all subsequent authentication scans—involve collection or capture.
The Court rejected White Castle’s interpretation of the phrase “unless it first” as referring only to the first collection of biometric information. That phrase, the Court explained, modifies the entity’s obligation to obtain consent, not the triggering action.
The Court reached the same conclusion as to section 15(d), which provides that “[n]o private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless” it obtains informed consent from the individual or her legal representative or has legal authorization. Rejecting White Castle’s position that disclosure is a one-time event and defining “disclose” as to “expose to view,” the Court held that this provision’s plain language applies to “every transmission to a third party.” The Court also rejected arguments by White Castle that section 15(d) applies only when information is disclosed to a new third party, not every time information is provided to the same vendor or other third party.
The majority acknowledged that its reading could result in the plaintiff in Cothron bringing claims on behalf of as many as 9,500 current and former White Castle employees, with class-wide damages exceeding $17 billion, but noted that “the statutory language clearly supports plaintiff’s position.” While noting that the “potential for significant damages awards” under BIPA should not dictate the legal interpretation of the statute, the Court’s holding includes two significant caveats regarding damages. First, “[i]t appears that the General Assembly chose to make damages discretionary rather than mandatory,” and, according to the Court, “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.” Second, a trial court presiding over a BIPA class action, as a “creature of equity,” has the discretion to fashion a damages award that fairly compensates class members and deters future violations without destroying a defendant’s business. Ultimately, though, the Court noted that policy-based concerns over “potentially excessive damage awards under the Act are best addressed by the legislature,” and suggested that the General Assembly “review these policy concerns and make clear its intent regarding the assessment of damages” under BIPA.
Three justices dissented. They reasoned that the majority’s decision could not be reconciled with the plain language of the statute, the purposes behind BIPA, or existing case law, and that it would lead to consequences far beyond what the legislature could have intended. The dissent reasoned that the purpose of BIPA is to prevent an individual’s loss of the right to maintain privacy of their biometric data, and that once a private entity obtains a particular type of biometric data from an individual, the “secrecy interest is lost,” and the entity is not obtaining anything new by collecting it again. The dissent also reasoned that the Illinois General Assembly could not have intended to impose punitive, crippling liability on businesses when it enacted BIPA. To the contrary, the legislature “recognized the utility of biometric technology and wanted to facilitate its safe use.” Indeed, the penalty for selling biometric information to a third party without knowledge of the purpose for which it would be used is only $5,000—a figure inconsistent with an interpretation of BIPA that makes available drastically higher damages for businesses that collect biometric information for their own business purposes.
Takeaways
Along with the Illinois Supreme Court’s February 2, 2023 decision in Tims, et al. v. Black Horse Carriers, Inc., which held that BIPA claims are governed by a five-year, rather than one-year, limitations period, the decision in Cothron is another in a line of Illinois Supreme Court decisions that have interpreted BIPA broadly and in ways that favor plaintiffs. It is likely to have significant impacts: It will broaden the set of claims that are timely. It also is likely to encourage the filing of even more BIPA class action cases. And it certainly will lead to many new disputes in existing BIPA cases, as both plaintiffs and defendants seek to use Cothron to advance their positions.
The Illinois General Assembly also likely will revisit the annual question of whether BIPA should be amended, and there will be extensive advocacy efforts directed to whether and how the law should be revised to prevent the “harsh, unjust, absurd, or unwise” consequences that the Cothron majority recognized its holding could create.
Background On BIPA And The Cothron Litigation
The Illinois legislature enacted BIPA in 2008 to regulate the collection, retention, and use of biometric data. BIPA has proved to be very popular with plaintiffs’ class action lawyers, and BIPA claims have resulted in numerous high-profile, high-value class settlements and a recent $228 million jury verdict.
In Cothron, the plaintiff filed a putative class action complaint on behalf of all Illinois employees of White Castle in the Circuit Court of Cook County. Challenging White Castle’s use of a system that required employees to scan their fingerprints to access their pay stubs and restaurant computers, the complaint alleged violations of BIPA sections 15(b) and (d). The case was removed to federal court.
White Castle moved for judgment on the pleadings, arguing that the plaintiff’s claims were untimely because they accrued in 2008, when the plaintiff first used the technology and White Castle allegedly first obtained the plaintiff’s biometric data and allegedly disseminated it to third-party technology vendors and storage providers. The plaintiff responded by arguing that the “continuing violation” rule applied, and therefore her claims did not accrue until the last time that White Castle allegedly collected and disseminated her data without first complying with sections 15(b) and (d). The plaintiff also argued, in the alternative, that every scan and every dissemination of that scan to third-party vendors constituted a separate violation of BIPA, and therefore at least a portion of her claims was timely.
The district court denied White Castle’s motion, holding that the continuing violation rule did not apply, but finding that an entity violates sections 15(b) and (d) each time it collects and disseminates biometric data without complying with the statute. The district court subsequently certified the issue for immediate interlocutory appeal. On appeal, the US Court of Appeals for the Seventh Circuit found that the parties’ competing interpretations of BIPA were both reasonable and presented a novel and controlling issue of state law. It certified the claim-accrual question for resolution by the Illinois Supreme Court, and the Illinois Supreme Court chose to answer the question.
The Illinois Supreme Court’s Cothron Opinion
In Friday’s decision, the Illinois Supreme Court held that, under the plain language of the statute, a party violates sections 15(b) or 15(d) when it collects, captures, or transmits a person’s biometric information without prior informed consent, and “each and every capture and use of plaintiff’s fingerprint or hand scan,” and each and every subsequent “transmission” of that data to a third-party, constitutes a separate violation of the statute.
Section 15(b) states that “[n]o private entity may collect [or] capture . . . a person’s or a customer’s biometric identifier or biometric information, unless it first” provides a specified written notice and obtains a written release. Defining the word “collect” in section 15(b) to include “receiv[ing], gather[ing], or exact[ing],” and defining “capture” as “to take, seize, or catch,” the Court found that all scans—both the first print stored in a database and all subsequent authentication scans—involve collection or capture.
The Court rejected White Castle’s interpretation of the phrase “unless it first” as referring only to the first collection of biometric information. That phrase, the Court explained, modifies the entity’s obligation to obtain consent, not the triggering action.
The Court reached the same conclusion as to section 15(d), which provides that “[n]o private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless” it obtains informed consent from the individual or her legal representative or has legal authorization. Rejecting White Castle’s position that disclosure is a one-time event and defining “disclose” as to “expose to view,” the Court held that this provision’s plain language applies to “every transmission to a third party.” The Court also rejected arguments by White Castle that section 15(d) applies only when information is disclosed to a new third party, not every time information is provided to the same vendor or other third party.
The majority acknowledged that its reading could result in the plaintiff in Cothron bringing claims on behalf of as many as 9,500 current and former White Castle employees, with class-wide damages exceeding $17 billion, but noted that “the statutory language clearly supports plaintiff’s position.” While noting that the “potential for significant damages awards” under BIPA should not dictate the legal interpretation of the statute, the Court’s holding includes two significant caveats regarding damages. First, “[i]t appears that the General Assembly chose to make damages discretionary rather than mandatory,” and, according to the Court, “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.” Second, a trial court presiding over a BIPA class action, as a “creature of equity,” has the discretion to fashion a damages award that fairly compensates class members and deters future violations without destroying a defendant’s business. Ultimately, though, the Court noted that policy-based concerns over “potentially excessive damage awards under the Act are best addressed by the legislature,” and suggested that the General Assembly “review these policy concerns and make clear its intent regarding the assessment of damages” under BIPA.
Three justices dissented. They reasoned that the majority’s decision could not be reconciled with the plain language of the statute, the purposes behind BIPA, or existing case law, and that it would lead to consequences far beyond what the legislature could have intended. The dissent reasoned that the purpose of BIPA is to prevent an individual’s loss of the right to maintain privacy of their biometric data, and that once a private entity obtains a particular type of biometric data from an individual, the “secrecy interest is lost,” and the entity is not obtaining anything new by collecting it again. The dissent also reasoned that the Illinois General Assembly could not have intended to impose punitive, crippling liability on businesses when it enacted BIPA. To the contrary, the legislature “recognized the utility of biometric technology and wanted to facilitate its safe use.” Indeed, the penalty for selling biometric information to a third party without knowledge of the purpose for which it would be used is only $5,000—a figure inconsistent with an interpretation of BIPA that makes available drastically higher damages for businesses that collect biometric information for their own business purposes.
Takeaways
Along with the Illinois Supreme Court’s February 2, 2023 decision in Tims, et al. v. Black Horse Carriers, Inc., which held that BIPA claims are governed by a five-year, rather than one-year, limitations period, the decision in Cothron is another in a line of Illinois Supreme Court decisions that have interpreted BIPA broadly and in ways that favor plaintiffs. It is likely to have significant impacts: It will broaden the set of claims that are timely. It also is likely to encourage the filing of even more BIPA class action cases. And it certainly will lead to many new disputes in existing BIPA cases, as both plaintiffs and defendants seek to use Cothron to advance their positions.
The Illinois General Assembly also likely will revisit the annual question of whether BIPA should be amended, and there will be extensive advocacy efforts directed to whether and how the law should be revised to prevent the “harsh, unjust, absurd, or unwise” consequences that the Cothron majority recognized its holding could create.
Related Attorneys
Related Capabilities
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
News and Insights
Podcasts
Partner Laurel Loomis Rimon Discusses Fintech Enforcement, Debanking, and Regulatory Risk on Fintech Layer Cake Podcast
Partner Laurel Loomis Rimon was featured on the Fintech Layer Cake podcast, where she discussed how fintech enforcement and prosecution actually work in practice, and what exposes fintechs and banks to regulatory risk.
July 15, 2026
Publications
Supreme Court Clarifies Scope of Private Rights of Action Under the Investment Company Act, Private Equity Law Report
Partners Charles Riely, Todd C. Toral, and Martin Glass authored a guest article for Private Equity Law Report examining the US Supreme Court's June 11, 2026, ruling on the scope of private rights of action under the Investment Company Act of 1940.
July 14, 2026
Publications
Emily Loeb Discusses Congressional Oversight Preparedness in Bloomberg Law
Partner Emily Loeb, co-chair of Jenner & Block's Congressional Investigations Practice, spoke with Bloomberg Law article about how companies can prepare for potential oversight exposure ahead of this fall's midterm elections.
July 7, 2026
Publications
In New York Law Journal, The True Lender Doctrine and the OppFi Decision
Partners Jeremy Creelan, Michael Ross, Megan Poetzel, and Laurel Loomis Rimon, and Associate Molly Oberstein-Allen authored an article for the New York Law Journal examining the "True Lender" doctrine in light of a May 2026 California decision that provides the most detailed judicial framework to date for evaluating bank-nonbank lending partnerships.
July 1, 2026
Event
Partner Michael Vernick to Speak at NACUA's 2026 Annual Conference
On July 1, Partner Michael Vernick will speak on a panel at the National Association of College and University Attorneys (NACUA) 2026 Annual Conference in Nashville.
July 1, 2026