Capitol Fax.com - Your Illinois News Radar » *** UPDATED x1 *** Divided Illinois Supreme Court upholds tough BIPA ruling, but asks legislature to review policy concerns
SUBSCRIBE to Capitol Fax      Advertise Here      About     Exclusive Subscriber Content     Updated Posts    Contact Rich Miller
CapitolFax.com
To subscribe to Capitol Fax, click here.
*** UPDATED x1 *** Divided Illinois Supreme Court upholds tough BIPA ruling, but asks legislature to review policy concerns

Friday, Feb 17, 2023 - Posted by Rich Miller

* A preview from earlier this morning in anticipation of an Illinois Supreme Court ruling on Cothron v. White Castle, a Biometric Information Privacy Act case. This was prepared by Locke Lord senior counsel Ken Suh…

• This will be the second major Illinois Supreme Court decision in this month to define the scope of BIPA liability and damages.
• Earlier this month, the Court decided in Tims v. Black Horse Motor Carriers that BIPA claims were subject to a five-year statute of limitations.
• At issue in the case is when a claim under BIPA accrues. The Court’s answer will determine whether a violation of BIPA occurs every time a person’s biometric data is scanned without the proper consent or disclosure, or a violation of BIPA occurs once per individual regardless of the number of times that person’s biometric data is scanned without the proper consent or disclosure.
• The decision will have huge consequences because BIPA provides for statutory damages per violation.

    o A victory for the plaintiff, could mean that businesses are liable for a statutory damages amount every time an employee’s biometric data was scanned without the proper consent or disclosure for the preceding five years.
    o In contrast, a victory for defendant White Castle, will establish that every employee whose biometric data was scanned without consent or disclosure, would be entitled to a single statutory damages award regardless of the number of times their biometric data was scanned.

* Four of the seven Supreme Court justices handed down their majority opinion at about 9 this morning

We hold that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).

* The violations started in 2008, when the BIPA law took effect

According to her complaint, plaintiff is a manager of a White Castle restaurant in Illinois, where she has been employed since 2004. Shortly after her employment began, White Castle introduced a system that required its employees to scan their fingerprints to access their pay stubs and computers. A third-party vendor then verified each scan and authorized the employee’s access. […]

In relevant part, White Castle moved for judgment on the pleadings, arguing that plaintiff’s action was untimely because her claim accrued in 2008, when White Castle first obtained her biometric data after the Act’s effective date. Plaintiff responded that a new claim accrued each time she scanned her fingerprints and White Castle sent her biometric data to its third-party authenticator, rendering her action timely with respect to the unlawful scans and transmissions that occurred within the applicable limitations period.

* More

As with section 15(b), we conclude that the plain language of section 15(d) applies to every transmission to a third party. White Castle argues that a disclosure is something that can happen only once. The Seventh Circuit asserted that the plain meaning of “disclose” connotes a new revelation. […]

This court has repeatedly recognized the potential for significant damages awards under the Act. This court explained that the legislature intended to subject private entities who fail to follow the statute’s requirements to substantial potential liability. The purpose in doing so was to give private entities “the strongest possible incentive to conform to the law and prevent problems before they occur.” As the Seventh Circuit noted, private entities would have “little incentive to course correct and comply if subsequent violations carry no legal consequences.” […]

While we explained in Rosenbach that “subjecting private entities who fail to follow the statute’s requirements to substantial potential liability, including liquidated damages, injunctions, attorney fees, and litigation expenses ‘for each violation’ of the law” is one of the principal means that the Illinois legislature adopted to achieve the Act’s objectives of protecting biometric information, there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.

Ultimately, however, we continue to believe that policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature. See McDonald, 2022 IL 126511, ¶¶ 48-49 (observing that violations of the Act have the potential for “substantial consequences” and large damage awards but concluding that “whether a different balance should be struck *** is a question more appropriately addressed to the legislature”). We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.

* From Justice Overstreet’s dissent, joined by Justices Thiess and Holder White

The majority’s interpretation cannot be reconciled with the plain language of the statute, the purposes behind the Biometric Information Privacy Act (Act) (740 ILCS 14/1 et seq. (West 2018)), or this court’s case law, and it will lead to consequences that the legislature could not have intended. Moreover, the majority’s interpretation renders compliance with the Act especially burdensome for employers. This court should answer the certified question by saying that a claim accrues under section 15(b) or 15(d) of the Act (id. § 15(b), (d)) only upon the first scan or transmission.

…Adding… Tribune

In a statement, White Castle said it was “deeply disappointed with the court’s decision and the significant business disruption that will be caused to Illinois businesses, which now face potentially huge damages.” The company said it was reviewing its options to seek further judicial review, pointing to the dissent in the ruling.

Matthew Kugler, a professor at Northwestern University’s Pritzker School of Law whose research includes biometric privacy issues, said the ruling sends a clear to signal to lower courts that companies should not be required to pay out such massive damages in privacy cases.

“We will continue to see a large damages awards, but the court is signaling to the lower courts that those awards should not be larger than they were previously,” Kugler said.

*** UPDATE *** I didn’t see this my first time through, but wow

White Castle estimates that if plaintiff is successful and allowed to bring her claims on behalf of as many as 9500 current and former White Castle employees, class- wide damages in her action may exceed $17 billion. We have found, however, that the statutory language clearly supports plaintiff’s position.

And from the dissent

The majority acknowledges White Castle’s estimate that, if plaintiff is successful in her claims on behalf of as many as 9500 current and former White Castle employees, damages in this action may exceed $17 billion. Supra  40. Nevertheless, the majority brushes this concern aside by stating that “policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature.”

Yikes.

       

37 Comments
  1. - MisterJayEm - Friday, Feb 17, 23 @ 10:47 am:

    “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business”

    I am very curious what such language would look like and if there are any examples of such language in the Illinois code.

    – MrJM


  2. - move on - Friday, Feb 17, 23 @ 11:18 am:

    This is what happens when trial lawyers are left unchecked and policies passed without a full vetting or understanding of the consequences.


  3. - RNUG - Friday, Feb 17, 23 @ 11:20 am:

    IL SC translation: Don’t come to us for fiscal relief from violating this law. You need to lobby the Legislature.


  4. - Torco Sign - Friday, Feb 17, 23 @ 11:20 am:

    The trial lawyers are already getting their money’s worth from the 2022 election.


  5. - Hannibal Lecter - Friday, Feb 17, 23 @ 11:22 am:

    $17 Billion. Wow. That would effectively put White Castle out of business. The legislature needs to act ASAP.


  6. - JoeMaddon - Friday, Feb 17, 23 @ 11:50 am:

    **That would effectively put White Castle out of business. The legislature needs to act ASAP.**

    White Castle could have just followed the law.


  7. - Friendly Bob Adams - Friday, Feb 17, 23 @ 11:50 am:

    My guess is that some changes will be made to the law to limit damages. But maybe, just maybe, corporations will think twice about how they use personal information.

    I mean, how was this person’s fingerprint necessary to work at a burger joint? How did it affect the work environment? How did it impact employee morale? How did it improve the quality of the sliders??


  8. - Hannibal Lecter - Friday, Feb 17, 23 @ 11:55 am:

    === White Castle could have just followed the law. ===

    So you believe that White Castle should be put out of business for this?


  9. - Hannibal Lecter - Friday, Feb 17, 23 @ 11:57 am:

    === I mean, how was this person’s fingerprint necessary to work at a burger joint? How did it affect the work environment? How did it impact employee morale? How did it improve the quality of the sliders?? ===

    You are overthinking this. This happens within industries all throughout the country. Biometric data is used when employees clock in to work to verify that it is actually them clocking in. Unless there is some evidence that the information was misused, why should this crippling level of damages be imposed for technical violations?


  10. - Leap Day William - Friday, Feb 17, 23 @ 11:59 am:

    == $17 Billion. Wow. That would effectively put White Castle out of business. The legislature needs to act ASAP. ==

    Do they, though? The whole point of this law is to deter businesses from mishandling immutable biometric data. I’m not a lawyer, but to me as an information professional, I’m glad these big number lawsuits are showing up.

    How many times has a business been sued, settled for what amounts to a slap on the wrist and a “we are paying this money and do not admit we did anything bad”, and then continue doing bad things in slightly different ways? Remember that Equifax data breach a few years ago? Those settlement checks went out and those people received beans and the knowledge that their SSN has been compromised. Equifax will just roll right along and continue to be terrible at protecting consumer private data, and people will have to take more proactive steps to protect themselves against identity theft because the company who is responsible for protecting that data couldn’t bother to keep it safe.

    The employees who are party to this suit can’t go to the store and get new fingerprints. You can’t freeze a fingerprint like you can a credit repot. White Castle was more concerned about saving a few bucks by making sure their low-wage employees were not having someone else clock in for them. This isn’t the 1990s, and these biometric data issues are not going away. If you can’t realize that and take steps to cover your rear from liability, then you don’t deserve to be in business anymore.

    They could have solved all of this by simply NOT using the fingerprint scanners in the first place, but they decided that “preventing timeclock theft” was more important.


  11. - Numbers - Friday, Feb 17, 23 @ 12:02 pm:

    That potential award averages out to $1.8 million per employee (ignoring attorney’s fees). Wow.


  12. - Stuck in Celliniland - Friday, Feb 17, 23 @ 12:02 pm:

    There goes the chances (however small they may be) of White Castle loosening their definition of “St. Louis area” to include Springfield in their future expansion plans.


  13. - Nick - Friday, Feb 17, 23 @ 12:03 pm:

    There’s some interesting things to weigh here.

    Lessening the violations or limiting them explicitly can really defang the law, and this has to be one of the most significant areas where Illinois is ahead of the curve versus the rest of the country. I really do not want to see BIPA weakened.

    And yet, no, I don’t exactly want to outright bankrupt a business like White Castle either. Their entire annual revenue I think is under a billion, this could ruin them multiple times over.

    Maybe a cap as a percentage of some amount of averaged revenue? Who knows.


  14. - Torco Sign - Friday, Feb 17, 23 @ 12:07 pm:

    “Mary and Liz Bankrupt White Castle,” produced by Dobbs v. Jackson Women’s Health Organization


  15. - Yahoo - Friday, Feb 17, 23 @ 12:09 pm:

    BIPA is a great law. Why did White Castle need to collect biometric information in the first place? “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.


  16. - Rich Miller - Friday, Feb 17, 23 @ 12:09 pm:

    ===Unless there is some evidence that the information was misused===

    If a digital copy of your fingerprints is hacked, you cannot change them.


  17. - ;) - Friday, Feb 17, 23 @ 12:12 pm:

    Here’s a thought White Castle, just don’t take your employees and customers biometric info, it is wholly unnecessary to the function of making a burger. Pretty simple. You don’t like penalties, don’t break the law.


  18. - Yahoo - Friday, Feb 17, 23 @ 12:14 pm:

    If White Castle was using fingerprints for employment purposes, why didn’t they just have their employee’s sign a form?


  19. - Leap Day William - Friday, Feb 17, 23 @ 12:38 pm:

    == You are overthinking this. This happens within industries all throughout the country. Biometric data is used when employees clock in to work to verify that it is actually them clocking in. Unless there is some evidence that the information was misused, why should this crippling level of damages be imposed for technical violations? ==

    Why should a low-wage employee be forever crippled when (not if, when) the inevitable data breach happens because a current or former employer has such contempt for the people who work for them that they feel it necessary to collect immutable biometric data just to save a few bucks?

    Someone punches the wrong time card or signs in for someone else? Fire them. That’s a lot less liability than being the ones responsible for making someone’s fingerprints forever unsafe.


  20. - Former Downstater - Friday, Feb 17, 23 @ 12:48 pm:

    ==So you believe that White Castle should be put out of business for this?==

    Had I, an ordinary citizen broken the law, the financial effect the fines would have on me would be the last thing the courts consider. Why should a corporate making millions a year in profits be treated any different?


  21. - thisjustinagain - Friday, Feb 17, 23 @ 1:29 pm:

    It is not the Court’s job to draft or amend BIPA; this belongs to the Legislature. When businesses do these “technical violations” they are violating laws and the rights of the victims. After having my identity stolen several times, including from at least one State agency, it is time businesses pay up big time to victims individually, not just their attorneys. White Castle will simply try declaring bankruptcy to avoid paying the employees and reappear as the “legal fiction” of “The New White Castle” with the same decision-makers likely at the top laughing in meetings about worker’s rights.


  22. - froganon - Friday, Feb 17, 23 @ 1:43 pm:

    No worries White Castle loyalists, White Castle will spin off its obligations, re-organize under bankruptcy protection and start afresh. Maybe they’ll re-open under a new name… Green Castle, a nod to being environmental aware/s?
    Seriously, a security breach is a given. Companies/corporations collecting biometric data for any reason should be forbidden. Lives have been wrecked with identity theft as it is.


  23. - ArchPundit - Friday, Feb 17, 23 @ 1:49 pm:

    —Biometric data is used when employees clock in to work to verify that it is actually them clocking in

    There are other solutions to the problem.


  24. - Rich Miller - Friday, Feb 17, 23 @ 2:02 pm:

    ===There are other solutions to the problem===

    Yeah, like have management make sure the people are there. Those restaurants aren’t very large.


  25. - ThePAMan - Friday, Feb 17, 23 @ 2:09 pm:

    BIPA also covers the algorithm that is (in my experience dealing with this issue) created when the employee first sticks a thumb, eye, hand, face, into the scanner. The thumb or hand print, or iris, or face print is not stored in the device or by the employer (so says the device manufacturers and software people). The manufacturers of the devices always claim there is no way to recreate the print, etc. from the algorithm. There are a number of technicalities in this law that can trip up employers that have zero to do with the storage of that algorithm. Have yet to hear of any case where such information was hacked and used against an employee (unlike SSNs, etc.).


  26. - Pot calling kettle - Friday, Feb 17, 23 @ 2:14 pm:

    ===So you believe that White Castle should be put out of business for this?===

    So, you believe that bankruptcy is a defense for violating the law? If so, should we allow that as a defense more broadly? “That fine will put me into bankruptcy, so the judgement should be set aside.” The context for individuals (especially low-income folks) is that many people go deeply into debt defending themselves and/or paying fines and fees. In this case, White Castle could have complied with the law and avoided all of that potential expense; they chose not to.


  27. - H-W - Friday, Feb 17, 23 @ 2:31 pm:

    My iPhone uses biometric data.

    The data breech is inevitable.

    Should iPhones be disallowed in IL?


  28. - Stuck in Celliniland - Friday, Feb 17, 23 @ 2:36 pm:

    ==No worries White Castle loyalists, White Castle will spin off its obligations, re-organize under bankruptcy protection and start afresh. Maybe they’ll re-open under a new name… Green Castle, a nod to being environmental aware/s?==

    Either that or a competitor swoops in and tries to imitate the White Castle Sliders.

    Such as the “McSlider,” “Little Star” (Hardees), or “Little Prince” (Burger King).


  29. - ArchPundit - Friday, Feb 17, 23 @ 2:36 pm:

    https://news.bloomberglaw.com/privacy-and-data-security/apples-illinois-biometric-privacy-win-expands-compliance-tools

    ====Apple escaped Biometric Information Privacy Act liability because customers voluntarily used optional features like Touch ID and Face ID, their data was stored locally on their own devices, and the company didn’t collect or store that data on separate servers, the Illinois First District Appellate Court decided in late December. Apple therefore didn’t possess or control the users’ data, which would have triggered state biometric privacy requirements.


  30. - Rich Miller - Friday, Feb 17, 23 @ 2:36 pm:

    ===Should iPhones be disallowed===

    That’s not the point. The point is informed consent.


  31. - Demoralized - Friday, Feb 17, 23 @ 2:37 pm:

    ==This happens within industries all throughout the country. Biometric data is used when employees clock in to work to verify that it is actually them clocking in==

    But should they? Why do they need to do that?


  32. - Nick - Friday, Feb 17, 23 @ 2:41 pm:

    That’s actually been ruled on, at least by an appellate court.

    Apple as a company does not store or profit from use of biometric data including your finger print or facial imaging. Such data is only stored locally on the users device. Along with the fact that the feature, and information, is totally voluntary; you can hardly claim to be shocked that face ID is used to… ID your face.

    https://news.bloomberglaw.com/privacy-and-data-security/apples-illinois-biometric-privacy-win-expands-compliance-tools


  33. - Nick - Friday, Feb 17, 23 @ 2:43 pm:

    Beaten to the punch, it seems


  34. - ArchPundit - Friday, Feb 17, 23 @ 2:43 pm:

    ===The thumb or hand print, or iris, or face print is not stored in the device or by the employer (so says the device manufacturers and software people).

    Just something that can detect it. So the useful part of storing biometric information. Got it.


  35. - H-W - Friday, Feb 17, 23 @ 2:55 pm:

    @ Rich. I get that. However, I wonder how “informed” most consent is when offered in the form of dozens of pages/screens of legal microprint.

    Asserting the customer is culpable if they click a box, because they scrolled through pages and pages of various unrelated forms of legal information they may or may not have understand, in order to click a box at the point of sale, is disingenuous.

    Given the new law, I would suggest companies using biometric data should be required to update informed consent in plain language, so as to avoid culpability for data breeches.

    I would also suggest that companies have an obligation beyond getting consent to hold harmless for anything associated with use of the commodities they sell. That too is disingenuous.


  36. - H-W - Friday, Feb 17, 23 @ 3:00 pm:

    Nevermind my Friday ramblings. I am being foolish.

    Nick and ArchPundit just reminded me of how foolish I appear.

    Time for an IPA


  37. - ArchPundit - Friday, Feb 17, 23 @ 3:25 pm:

    IPAs are always good. Enjoy.


Sorry, comments for this post are now closed.


* Isabel’s afternoon roundup
* SUBSCRIBERS ONLY - Fundraiser list
* Caption contest!
* Online sweepstakes: Looks like a casino, talks like a casino, walks like a casino, but not regulated like a casino
* Friday hearing set for Sean Grayson release conditions, as state's attorney plans appeal to top court
* Showcasing The Retailers Who Make Illinois Work
* Illinois voter turnout was 70.42 percent, but registered voters were down a quarter million from peak four years ago
* It’s just a bill
* Roundup: Madigan corruption trial
* Open thread
* Isabel’s morning briefing
* SUBSCRIBERS ONLY - Today's edition of Capitol Fax (use all CAPS in password)
* Live coverage
* Selected press releases (Live updates)
* Yesterday's stories

Support CapitolFax.com
Visit our advertisers...

...............

...............

...............

...............

...............

...............

...............


Loading


Main Menu
Home
Illinois
YouTube
Pundit rankings
Obama
Subscriber Content
Durbin
Burris
Blagojevich Trial
Advertising
Updated Posts
Polls

Archives
December 2024
November 2024
October 2024
September 2024
August 2024
July 2024
June 2024
May 2024
April 2024
March 2024
February 2024
January 2024
December 2023
November 2023
October 2023
September 2023
August 2023
July 2023
June 2023
May 2023
April 2023
March 2023
February 2023
January 2023
December 2022
November 2022
October 2022
September 2022
August 2022
July 2022
June 2022
May 2022
April 2022
March 2022
February 2022
January 2022
December 2021
November 2021
October 2021
September 2021
August 2021
July 2021
June 2021
May 2021
April 2021
March 2021
February 2021
January 2021
December 2020
November 2020
October 2020
September 2020
August 2020
July 2020
June 2020
May 2020
April 2020
March 2020
February 2020
January 2020
December 2019
November 2019
October 2019
September 2019
August 2019
July 2019
June 2019
May 2019
April 2019
March 2019
February 2019
January 2019
December 2018
November 2018
October 2018
September 2018
August 2018
July 2018
June 2018
May 2018
April 2018
March 2018
February 2018
January 2018
December 2017
November 2017
October 2017
September 2017
August 2017
July 2017
June 2017
May 2017
April 2017
March 2017
February 2017
January 2017
December 2016
November 2016
October 2016
September 2016
August 2016
July 2016
June 2016
May 2016
April 2016
March 2016
February 2016
January 2016
December 2015
November 2015
October 2015
September 2015
August 2015
July 2015
June 2015
May 2015
April 2015
March 2015
February 2015
January 2015
December 2014
November 2014
October 2014
September 2014
August 2014
July 2014
June 2014
May 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
October 2013
September 2013
August 2013
July 2013
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
October 2004

Blog*Spot Archives
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005

Syndication

RSS Feed 2.0
Comments RSS 2.0




Hosted by MCS SUBSCRIBE to Capitol Fax Advertise Here Mobile Version Contact Rich Miller