* A preview from earlier this morning in anticipation of an Illinois Supreme Court ruling on Cothron v. White Castle, a Biometric Information Privacy Act case. This was prepared by Locke Lord senior counsel Ken Suh…
• This will be the second major Illinois Supreme Court decision in this month to define the scope of BIPA liability and damages.
• Earlier this month, the Court decided in Tims v. Black Horse Motor Carriers that BIPA claims were subject to a five-year statute of limitations.
• At issue in the case is when a claim under BIPA accrues. The Court’s answer will determine whether a violation of BIPA occurs every time a person’s biometric data is scanned without the proper consent or disclosure, or a violation of BIPA occurs once per individual regardless of the number of times that person’s biometric data is scanned without the proper consent or disclosure.
• The decision will have huge consequences because BIPA provides for statutory damages per violation.
o A victory for the plaintiff, could mean that businesses are liable for a statutory damages amount every time an employee’s biometric data was scanned without the proper consent or disclosure for the preceding five years.
o In contrast, a victory for defendant White Castle, will establish that every employee whose biometric data was scanned without consent or disclosure, would be entitled to a single statutory damages award regardless of the number of times their biometric data was scanned.
* Four of the seven Supreme Court justices handed down their majority opinion at about 9 this morning…
We hold that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).
* The violations started in 2008, when the BIPA law took effect…
According to her complaint, plaintiff is a manager of a White Castle restaurant in Illinois, where she has been employed since 2004. Shortly after her employment began, White Castle introduced a system that required its employees to scan their fingerprints to access their pay stubs and computers. A third-party vendor then verified each scan and authorized the employee’s access. […]
In relevant part, White Castle moved for judgment on the pleadings, arguing that plaintiff’s action was untimely because her claim accrued in 2008, when White Castle first obtained her biometric data after the Act’s effective date. Plaintiff responded that a new claim accrued each time she scanned her fingerprints and White Castle sent her biometric data to its third-party authenticator, rendering her action timely with respect to the unlawful scans and transmissions that occurred within the applicable limitations period.
* More…
As with section 15(b), we conclude that the plain language of section 15(d) applies to every transmission to a third party. White Castle argues that a disclosure is something that can happen only once. The Seventh Circuit asserted that the plain meaning of “disclose” connotes a new revelation. […]
This court has repeatedly recognized the potential for significant damages awards under the Act. This court explained that the legislature intended to subject private entities who fail to follow the statute’s requirements to substantial potential liability. The purpose in doing so was to give private entities “the strongest possible incentive to conform to the law and prevent problems before they occur.” As the Seventh Circuit noted, private entities would have “little incentive to course correct and comply if subsequent violations carry no legal consequences.” […]
While we explained in Rosenbach that “subjecting private entities who fail to follow the statute’s requirements to substantial potential liability, including liquidated damages, injunctions, attorney fees, and litigation expenses ‘for each violation’ of the law” is one of the principal means that the Illinois legislature adopted to achieve the Act’s objectives of protecting biometric information, there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.
Ultimately, however, we continue to believe that policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature. See McDonald, 2022 IL 126511, ¶¶ 48-49 (observing that violations of the Act have the potential for “substantial consequences” and large damage awards but concluding that “whether a different balance should be struck *** is a question more appropriately addressed to the legislature”). We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.
* From Justice Overstreet’s dissent, joined by Justices Thiess and Holder White…
The majority’s interpretation cannot be reconciled with the plain language of the statute, the purposes behind the Biometric Information Privacy Act (Act) (740 ILCS 14/1 et seq. (West 2018)), or this court’s case law, and it will lead to consequences that the legislature could not have intended. Moreover, the majority’s interpretation renders compliance with the Act especially burdensome for employers. This court should answer the certified question by saying that a claim accrues under section 15(b) or 15(d) of the Act (id. § 15(b), (d)) only upon the first scan or transmission.
…Adding… Tribune…
In a statement, White Castle said it was “deeply disappointed with the court’s decision and the significant business disruption that will be caused to Illinois businesses, which now face potentially huge damages.” The company said it was reviewing its options to seek further judicial review, pointing to the dissent in the ruling.
Matthew Kugler, a professor at Northwestern University’s Pritzker School of Law whose research includes biometric privacy issues, said the ruling sends a clear to signal to lower courts that companies should not be required to pay out such massive damages in privacy cases.
“We will continue to see a large damages awards, but the court is signaling to the lower courts that those awards should not be larger than they were previously,” Kugler said.
*** UPDATE *** I didn’t see this my first time through, but wow…
White Castle estimates that if plaintiff is successful and allowed to bring her claims on behalf of as many as 9500 current and former White Castle employees, class- wide damages in her action may exceed $17 billion. We have found, however, that the statutory language clearly supports plaintiff’s position.
And from the dissent…
The majority acknowledges White Castle’s estimate that, if plaintiff is successful in her claims on behalf of as many as 9500 current and former White Castle employees, damages in this action may exceed $17 billion. Supra 40. Nevertheless, the majority brushes this concern aside by stating that “policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature.”
Yikes.
- MisterJayEm - Friday, Feb 17, 23 @ 10:47 am:
“there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business”
I am very curious what such language would look like and if there are any examples of such language in the Illinois code.
– MrJM
- move on - Friday, Feb 17, 23 @ 11:18 am:
This is what happens when trial lawyers are left unchecked and policies passed without a full vetting or understanding of the consequences.
- RNUG - Friday, Feb 17, 23 @ 11:20 am:
IL SC translation: Don’t come to us for fiscal relief from violating this law. You need to lobby the Legislature.
- Torco Sign - Friday, Feb 17, 23 @ 11:20 am:
The trial lawyers are already getting their money’s worth from the 2022 election.
- Hannibal Lecter - Friday, Feb 17, 23 @ 11:22 am:
$17 Billion. Wow. That would effectively put White Castle out of business. The legislature needs to act ASAP.
- JoeMaddon - Friday, Feb 17, 23 @ 11:50 am:
**That would effectively put White Castle out of business. The legislature needs to act ASAP.**
White Castle could have just followed the law.
- Friendly Bob Adams - Friday, Feb 17, 23 @ 11:50 am:
My guess is that some changes will be made to the law to limit damages. But maybe, just maybe, corporations will think twice about how they use personal information.
I mean, how was this person’s fingerprint necessary to work at a burger joint? How did it affect the work environment? How did it impact employee morale? How did it improve the quality of the sliders??
- Hannibal Lecter - Friday, Feb 17, 23 @ 11:55 am:
=== White Castle could have just followed the law. ===
So you believe that White Castle should be put out of business for this?
- Hannibal Lecter - Friday, Feb 17, 23 @ 11:57 am:
=== I mean, how was this person’s fingerprint necessary to work at a burger joint? How did it affect the work environment? How did it impact employee morale? How did it improve the quality of the sliders?? ===
You are overthinking this. This happens within industries all throughout the country. Biometric data is used when employees clock in to work to verify that it is actually them clocking in. Unless there is some evidence that the information was misused, why should this crippling level of damages be imposed for technical violations?
- Leap Day William - Friday, Feb 17, 23 @ 11:59 am:
== $17 Billion. Wow. That would effectively put White Castle out of business. The legislature needs to act ASAP. ==
Do they, though? The whole point of this law is to deter businesses from mishandling immutable biometric data. I’m not a lawyer, but to me as an information professional, I’m glad these big number lawsuits are showing up.
How many times has a business been sued, settled for what amounts to a slap on the wrist and a “we are paying this money and do not admit we did anything bad”, and then continue doing bad things in slightly different ways? Remember that Equifax data breach a few years ago? Those settlement checks went out and those people received beans and the knowledge that their SSN has been compromised. Equifax will just roll right along and continue to be terrible at protecting consumer private data, and people will have to take more proactive steps to protect themselves against identity theft because the company who is responsible for protecting that data couldn’t bother to keep it safe.
The employees who are party to this suit can’t go to the store and get new fingerprints. You can’t freeze a fingerprint like you can a credit repot. White Castle was more concerned about saving a few bucks by making sure their low-wage employees were not having someone else clock in for them. This isn’t the 1990s, and these biometric data issues are not going away. If you can’t realize that and take steps to cover your rear from liability, then you don’t deserve to be in business anymore.
They could have solved all of this by simply NOT using the fingerprint scanners in the first place, but they decided that “preventing timeclock theft” was more important.
- Numbers - Friday, Feb 17, 23 @ 12:02 pm:
That potential award averages out to $1.8 million per employee (ignoring attorney’s fees). Wow.
- Stuck in Celliniland - Friday, Feb 17, 23 @ 12:02 pm:
There goes the chances (however small they may be) of White Castle loosening their definition of “St. Louis area” to include Springfield in their future expansion plans.
- Nick - Friday, Feb 17, 23 @ 12:03 pm:
There’s some interesting things to weigh here.
Lessening the violations or limiting them explicitly can really defang the law, and this has to be one of the most significant areas where Illinois is ahead of the curve versus the rest of the country. I really do not want to see BIPA weakened.
And yet, no, I don’t exactly want to outright bankrupt a business like White Castle either. Their entire annual revenue I think is under a billion, this could ruin them multiple times over.
Maybe a cap as a percentage of some amount of averaged revenue? Who knows.
- Torco Sign - Friday, Feb 17, 23 @ 12:07 pm:
“Mary and Liz Bankrupt White Castle,” produced by Dobbs v. Jackson Women’s Health Organization
- Yahoo - Friday, Feb 17, 23 @ 12:09 pm:
BIPA is a great law. Why did White Castle need to collect biometric information in the first place? “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.
- Rich Miller - Friday, Feb 17, 23 @ 12:09 pm:
===Unless there is some evidence that the information was misused===
If a digital copy of your fingerprints is hacked, you cannot change them.
- ;) - Friday, Feb 17, 23 @ 12:12 pm:
Here’s a thought White Castle, just don’t take your employees and customers biometric info, it is wholly unnecessary to the function of making a burger. Pretty simple. You don’t like penalties, don’t break the law.
- Yahoo - Friday, Feb 17, 23 @ 12:14 pm:
If White Castle was using fingerprints for employment purposes, why didn’t they just have their employee’s sign a form?
- Leap Day William - Friday, Feb 17, 23 @ 12:38 pm:
== You are overthinking this. This happens within industries all throughout the country. Biometric data is used when employees clock in to work to verify that it is actually them clocking in. Unless there is some evidence that the information was misused, why should this crippling level of damages be imposed for technical violations? ==
Why should a low-wage employee be forever crippled when (not if, when) the inevitable data breach happens because a current or former employer has such contempt for the people who work for them that they feel it necessary to collect immutable biometric data just to save a few bucks?
Someone punches the wrong time card or signs in for someone else? Fire them. That’s a lot less liability than being the ones responsible for making someone’s fingerprints forever unsafe.
- Former Downstater - Friday, Feb 17, 23 @ 12:48 pm:
==So you believe that White Castle should be put out of business for this?==
Had I, an ordinary citizen broken the law, the financial effect the fines would have on me would be the last thing the courts consider. Why should a corporate making millions a year in profits be treated any different?
- thisjustinagain - Friday, Feb 17, 23 @ 1:29 pm:
It is not the Court’s job to draft or amend BIPA; this belongs to the Legislature. When businesses do these “technical violations” they are violating laws and the rights of the victims. After having my identity stolen several times, including from at least one State agency, it is time businesses pay up big time to victims individually, not just their attorneys. White Castle will simply try declaring bankruptcy to avoid paying the employees and reappear as the “legal fiction” of “The New White Castle” with the same decision-makers likely at the top laughing in meetings about worker’s rights.
- froganon - Friday, Feb 17, 23 @ 1:43 pm:
No worries White Castle loyalists, White Castle will spin off its obligations, re-organize under bankruptcy protection and start afresh. Maybe they’ll re-open under a new name… Green Castle, a nod to being environmental aware/s?
Seriously, a security breach is a given. Companies/corporations collecting biometric data for any reason should be forbidden. Lives have been wrecked with identity theft as it is.
- ArchPundit - Friday, Feb 17, 23 @ 1:49 pm:
—Biometric data is used when employees clock in to work to verify that it is actually them clocking in
There are other solutions to the problem.
- Rich Miller - Friday, Feb 17, 23 @ 2:02 pm:
===There are other solutions to the problem===
Yeah, like have management make sure the people are there. Those restaurants aren’t very large.
- ThePAMan - Friday, Feb 17, 23 @ 2:09 pm:
BIPA also covers the algorithm that is (in my experience dealing with this issue) created when the employee first sticks a thumb, eye, hand, face, into the scanner. The thumb or hand print, or iris, or face print is not stored in the device or by the employer (so says the device manufacturers and software people). The manufacturers of the devices always claim there is no way to recreate the print, etc. from the algorithm. There are a number of technicalities in this law that can trip up employers that have zero to do with the storage of that algorithm. Have yet to hear of any case where such information was hacked and used against an employee (unlike SSNs, etc.).
- Pot calling kettle - Friday, Feb 17, 23 @ 2:14 pm:
===So you believe that White Castle should be put out of business for this?===
So, you believe that bankruptcy is a defense for violating the law? If so, should we allow that as a defense more broadly? “That fine will put me into bankruptcy, so the judgement should be set aside.” The context for individuals (especially low-income folks) is that many people go deeply into debt defending themselves and/or paying fines and fees. In this case, White Castle could have complied with the law and avoided all of that potential expense; they chose not to.
- H-W - Friday, Feb 17, 23 @ 2:31 pm:
My iPhone uses biometric data.
The data breech is inevitable.
Should iPhones be disallowed in IL?
- Stuck in Celliniland - Friday, Feb 17, 23 @ 2:36 pm:
==No worries White Castle loyalists, White Castle will spin off its obligations, re-organize under bankruptcy protection and start afresh. Maybe they’ll re-open under a new name… Green Castle, a nod to being environmental aware/s?==
Either that or a competitor swoops in and tries to imitate the White Castle Sliders.
Such as the “McSlider,” “Little Star” (Hardees), or “Little Prince” (Burger King).
- ArchPundit - Friday, Feb 17, 23 @ 2:36 pm:
https://news.bloomberglaw.com/privacy-and-data-security/apples-illinois-biometric-privacy-win-expands-compliance-tools
====Apple escaped Biometric Information Privacy Act liability because customers voluntarily used optional features like Touch ID and Face ID, their data was stored locally on their own devices, and the company didn’t collect or store that data on separate servers, the Illinois First District Appellate Court decided in late December. Apple therefore didn’t possess or control the users’ data, which would have triggered state biometric privacy requirements.
- Rich Miller - Friday, Feb 17, 23 @ 2:36 pm:
===Should iPhones be disallowed===
That’s not the point. The point is informed consent.
- Demoralized - Friday, Feb 17, 23 @ 2:37 pm:
==This happens within industries all throughout the country. Biometric data is used when employees clock in to work to verify that it is actually them clocking in==
But should they? Why do they need to do that?
- Nick - Friday, Feb 17, 23 @ 2:41 pm:
That’s actually been ruled on, at least by an appellate court.
Apple as a company does not store or profit from use of biometric data including your finger print or facial imaging. Such data is only stored locally on the users device. Along with the fact that the feature, and information, is totally voluntary; you can hardly claim to be shocked that face ID is used to… ID your face.
https://news.bloomberglaw.com/privacy-and-data-security/apples-illinois-biometric-privacy-win-expands-compliance-tools
- Nick - Friday, Feb 17, 23 @ 2:43 pm:
Beaten to the punch, it seems
- ArchPundit - Friday, Feb 17, 23 @ 2:43 pm:
===The thumb or hand print, or iris, or face print is not stored in the device or by the employer (so says the device manufacturers and software people).
Just something that can detect it. So the useful part of storing biometric information. Got it.
- H-W - Friday, Feb 17, 23 @ 2:55 pm:
@ Rich. I get that. However, I wonder how “informed” most consent is when offered in the form of dozens of pages/screens of legal microprint.
Asserting the customer is culpable if they click a box, because they scrolled through pages and pages of various unrelated forms of legal information they may or may not have understand, in order to click a box at the point of sale, is disingenuous.
Given the new law, I would suggest companies using biometric data should be required to update informed consent in plain language, so as to avoid culpability for data breeches.
I would also suggest that companies have an obligation beyond getting consent to hold harmless for anything associated with use of the commodities they sell. That too is disingenuous.
- H-W - Friday, Feb 17, 23 @ 3:00 pm:
Nevermind my Friday ramblings. I am being foolish.
Nick and ArchPundit just reminded me of how foolish I appear.
Time for an IPA
- ArchPundit - Friday, Feb 17, 23 @ 3:25 pm:
IPAs are always good. Enjoy.