Bloomberg Law
May 2, 2023, 9:15 AM

Illinois Biometric Privacy Cases Jump 65% After Seminal Ruling

Stephen Joyce
Stephen Joyce
Senior Correspondent
Skye Witley
Skye Witley

Class actions accusing companies of violating Illinois’s biometric privacy law have more than doubled in the wake of a February Illinois Supreme Court ruling that expanded the potential for high damage awards.

The number of lawsuits in Illinois circuit courts alleging violations of the 2008 Biometric Information Protection Act jumped 65%, to 122 cases, during the two months following the Feb. 17 Cothron v. White Castle System Inc. decision, according to a Bloomberg Law analysis of dockets through April 17.

A total of 74 lawsuits were filed in the two months prior to that decision, between Dec. 17 and Feb. 17. By contrast, total cases filed in Cook County, Ill.'s chancery court—the court where the vast majority of Illinois BIPA class actions are filed—increased overall only 2.8% during the same period. Federal courts also saw a modest increase in new BIPA lawsuits.

“I believe filings will continue at a brisk pace given the five-year statute of limitations, new players entering the scene and new theories of liability,” Lewis Brisbois Bisgaard & Smith LLP partner Mary Smigielski said in an email.

Garfinkel Group LLC founding partner Haskell Garfinkel said the uptick in cases is likely linked to a growing awareness of the law and the prohibitions it imposes. Even small companies are increasingly cognizant of the law, but cases will continue to be filed against businesses of all sizes that aren’t compliant with the statute, he said. “It’s an illegal business practice,” he said in an interview.

The Illinois law requires companies that collect biometric data, which includes fingerprints and facial recognition, to receive written consent from employees and customers and to develop a written policy about its collection, retention, and destruction.

Illinois, the first state to enact a such a law, has seen its highest court issue some of the most important state judicial rulings interpreting biometric privacy rights this year. The White Castle case increased the possibility for large fines for violations. The Feb. 2 Tims v. Black Horse Carriers Inc. decision clarified that a five-year statute of limitations — not a one-year limitation—applies to three specific violations of the law.

Legal Teams

Since the White Castle decision, small- and medium-sized firms have dominated filing new BIPA lawsuits, with the vast majority of those cases filed by the Chicago employment law firm Justicia Laboral LLC. Justicia director and managing member Daniel Schlade and his partner James Dore, who didn’t respond to requests for comment, represent plaintiffs in at least 72 Illinois BIPA cases filed since the White Castle decision.

William Beaumont of the Beaumont Costales law firm, with offices in Chicago and New Orleans, is counsel of record in 16 BIPA cases filed since the White Castle decision. Todd Friedman Law Offices filed six cases and Peiffer Wolf Carr Kane Conway & Wise LLP filed four cases since White Castle.

Several sole practitioners are also representing potential classes, including three cases each filed by Pasha Vaziri and Scott Drury. Drury previously served as an Illinois House member and assistant US attorney in the US District Court for the Northern District of Illinois.

Boost in Filings

Many defense-side lawyers said the spike in Illinois biometric privacy cases will likely continue, for now, as smaller companies become targets for the plaintiff’s bar. However, eventually this type of litigation will dry up for lawyers that don’t generally focus on privacy and technology issues, they said.

“You’re going to see an increase in filings because there’s just clarity on the law now that there has not been for several years, frankly,” Keller Postman LLC partner Ben Whiting said in an interview. “As the potential damages go up, obviously, that’s going to make the economics appealing to not only law firms that have already been pretty steeped in the BIPA litigation but arguably also to other firms who had a thought that the economics weren’t there for them.”

But Fish Potter Bolaños PC founding partner David Fish said case filings may have peaked because companies are educating themselves on the law and enacting BIPA compliance programs that preclude many firms, such as his own, from filing new cases. Companies he’s vetted and concluded possess compliant BIPA policies have nevertheless been targeted by other plaintiff’s lawyers; many of those filings will likely be dismissed or withdrawn by the end of the year, he said.

Indeed, the number of new filings in April, though April 17, were on pace to be about 30% less than the March high of 69 new cases filed.

Growing Risk

Defendants in the Illinois cases include publicly traded national companies such as Inc. and JAB Holding Co. subsidiary Krispy Kreme Inc. But they also target smaller businesses, such as Chicago-based furniture manufacturer The Marvel Group Inc., Grande Cosmetics LLC, linen rental company BBJ Rentals Inc., and the Chicago restaurant group operated by James Beard award-winning chef Stephanie Izard.

“Many smaller companies implemented ‘biometric’ technology because they viewed it as a way to gain efficiencies with fewer resources. Now those resources are being spent defending litigation. Companies are resolving cases not because they have merit, but because limited resources are better expended elsewhere instead of fighting these claims through trial,” said Smigielski, co-chair of her firm’s Illinois BIPA practice group.

Others agreed. Growing BIPA liability risks may push more businesses into settlement agreements, Locke Lord LLP senior counsel Kenneth Suh said.

The state supreme court ruling in White Castle dramatically expanded a company’s potential liability, by concluding that a separate claim for damages can arise each time a business fails to seek permission to gather biometric data from workers or consumers, or fails to disclose retention plans for that information.

Violations, which can total in the hundreds or thousands each day for companies using biometric devices to clock their employees into and out of the workplace, are punishable by fines of up to $5,000 for each violation.

To contact the reporters on this story: Stephen Joyce in Chicago at; Skye Witley at

To contact the editors responsible for this story: Stephanie Gleason at; Jay-Anne B. Casuga at

Learn more about Bloomberg Law or Log In to keep reading:

Learn About Bloomberg Law

AI-powered legal analytics, workflow tools and premium legal & business news.

Already a subscriber?

Log in to keep reading or access research tools.