37 Comments - MisterJayEm - Friday, Feb 17, 23 @ 10:47 am: “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business” I am very curious what such language would look like and if there are any examples of such language in the Illinois code. – MrJM - move on - Friday, Feb 17, 23 @ 11:18 am: This is what happens when trial lawyers are left unchecked and policies passed without a full vetting or understanding of the consequences. - RNUG - Friday, Feb 17, 23 @ 11:20 am: IL SC translation: Don’t come to us for fiscal relief from violating this law. You need to lobby the Legislature. - Torco Sign - Friday, Feb 17, 23 @ 11:20 am: The trial lawyers are already getting their money’s worth from the 2022 election. - Hannibal Lecter - Friday, Feb 17, 23 @ 11:22 am: $17 Billion. Wow. That would effectively put White Castle out of business. The legislature needs to act ASAP. - JoeMaddon - Friday, Feb 17, 23 @ 11:50 am: **That would effectively put White Castle out of business. The legislature needs to act ASAP.** White Castle could have just followed the law. - Friendly Bob Adams - Friday, Feb 17, 23 @ 11:50 am: My guess is that some changes will be made to the law to limit damages. But maybe, just maybe, corporations will think twice about how they use personal information. I mean, how was this person’s fingerprint necessary to work at a burger joint? How did it affect the work environment? How did it impact employee morale? How did it improve the quality of the sliders?? - Hannibal Lecter - Friday, Feb 17, 23 @ 11:55 am: === White Castle could have just followed the law. === So you believe that White Castle should be put out of business for this? - Hannibal Lecter - Friday, Feb 17, 23 @ 11:57 am: === I mean, how was this person’s fingerprint necessary to work at a burger joint? How did it affect the work environment? How did it impact employee morale? How did it improve the quality of the sliders?? === You are overthinking this. This happens within industries all throughout the country. Biometric data is used when employees clock in to work to verify that it is actually them clocking in. Unless there is some evidence that the information was misused, why should this crippling level of damages be imposed for technical violations? - Leap Day William - Friday, Feb 17, 23 @ 11:59 am: == $17 Billion. Wow. That would effectively put White Castle out of business. The legislature needs to act ASAP. == Do they, though? The whole point of this law is to deter businesses from mishandling immutable biometric data. I’m not a lawyer, but to me as an information professional, I’m glad these big number lawsuits are showing up. How many times has a business been sued, settled for what amounts to a slap on the wrist and a “we are paying this money and do not admit we did anything bad”, and then continue doing bad things in slightly different ways? Remember that Equifax data breach a few years ago? Those settlement checks went out and those people received beans and the knowledge that their SSN has been compromised. Equifax will just roll right along and continue to be terrible at protecting consumer private data, and people will have to take more proactive steps to protect themselves against identity theft because the company who is responsible for protecting that data couldn’t bother to keep it safe. The employees who are party to this suit can’t go to the store and get new fingerprints. You can’t freeze a fingerprint like you can a credit repot. White Castle was more concerned about saving a few bucks by making sure their low-wage employees were not having someone else clock in for them. This isn’t the 1990s, and these biometric data issues are not going away. If you can’t realize that and take steps to cover your rear from liability, then you don’t deserve to be in business anymore. They could have solved all of this by simply NOT using the fingerprint scanners in the first place, but they decided that “preventing timeclock theft” was more important. - Numbers - Friday, Feb 17, 23 @ 12:02 pm: That potential award averages out to $1.8 million per employee (ignoring attorney’s fees). Wow. - Stuck in Celliniland - Friday, Feb 17, 23 @ 12:02 pm: There goes the chances (however small they may be) of White Castle loosening their definition of “St. Louis area” to include Springfield in their future expansion plans. - Nick - Friday, Feb 17, 23 @ 12:03 pm: There’s some interesting things to weigh here. Lessening the violations or limiting them explicitly can really defang the law, and this has to be one of the most significant areas where Illinois is ahead of the curve versus the rest of the country. I really do not want to see BIPA weakened. And yet, no, I don’t exactly want to outright bankrupt a business like White Castle either. Their entire annual revenue I think is under a billion, this could ruin them multiple times over. Maybe a cap as a percentage of some amount of averaged revenue? Who knows. - Torco Sign - Friday, Feb 17, 23 @ 12:07 pm: “Mary and Liz Bankrupt White Castle,” produced by Dobbs v. Jackson Women’s Health Organization - Yahoo - Friday, Feb 17, 23 @ 12:09 pm: BIPA is a great law. Why did White Castle need to collect biometric information in the first place? “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. - Rich Miller - Friday, Feb 17, 23 @ 12:09 pm: ===Unless there is some evidence that the information was misused=== If a digital copy of your fingerprints is hacked, you cannot change them. - ;) - Friday, Feb 17, 23 @ 12:12 pm: Here’s a thought White Castle, just don’t take your employees and customers biometric info, it is wholly unnecessary to the function of making a burger. Pretty simple. You don’t like penalties, don’t break the law. - Yahoo - Friday, Feb 17, 23 @ 12:14 pm: If White Castle was using fingerprints for employment purposes, why didn’t they just have their employee’s sign a form? - Leap Day William - Friday, Feb 17, 23 @ 12:38 pm: == You are overthinking this. This happens within industries all throughout the country. Biometric data is used when employees clock in to work to verify that it is actually them clocking in. Unless there is some evidence that the information was misused, why should this crippling level of damages be imposed for technical violations? == Why should a low-wage employee be forever crippled when (not if, when) the inevitable data breach happens because a current or former employer has such contempt for the people who work for them that they feel it necessary to collect immutable biometric data just to save a few bucks? Someone punches the wrong time card or signs in for someone else? Fire them. That’s a lot less liability than being the ones responsible for making someone’s fingerprints forever unsafe. - Former Downstater - Friday, Feb 17, 23 @ 12:48 pm: ==So you believe that White Castle should be put out of business for this?== Had I, an ordinary citizen broken the law, the financial effect the fines would have on me would be the last thing the courts consider. Why should a corporate making millions a year in profits be treated any different? - thisjustinagain - Friday, Feb 17, 23 @ 1:29 pm: It is not the Court’s job to draft or amend BIPA; this belongs to the Legislature. When businesses do these “technical violations” they are violating laws and the rights of the victims. After having my identity stolen several times, including from at least one State agency, it is time businesses pay up big time to victims individually, not just their attorneys. White Castle will simply try declaring bankruptcy to avoid paying the employees and reappear as the “legal fiction” of “The New White Castle” with the same decision-makers likely at the top laughing in meetings about worker’s rights. - froganon - Friday, Feb 17, 23 @ 1:43 pm: No worries White Castle loyalists, White Castle will spin off its obligations, re-organize under bankruptcy protection and start afresh. Maybe they’ll re-open under a new name… Green Castle, a nod to being environmental aware/s? Seriously, a security breach is a given. Companies/corporations collecting biometric data for any reason should be forbidden. Lives have been wrecked with identity theft as it is. - ArchPundit - Friday, Feb 17, 23 @ 1:49 pm: —Biometric data is used when employees clock in to work to verify that it is actually them clocking in There are other solutions to the problem. - Rich Miller - Friday, Feb 17, 23 @ 2:02 pm: ===There are other solutions to the problem=== Yeah, like have management make sure the people are there. Those restaurants aren’t very large. - ThePAMan - Friday, Feb 17, 23 @ 2:09 pm: BIPA also covers the algorithm that is (in my experience dealing with this issue) created when the employee first sticks a thumb, eye, hand, face, into the scanner. The thumb or hand print, or iris, or face print is not stored in the device or by the employer (so says the device manufacturers and software people). The manufacturers of the devices always claim there is no way to recreate the print, etc. from the algorithm. There are a number of technicalities in this law that can trip up employers that have zero to do with the storage of that algorithm. Have yet to hear of any case where such information was hacked and used against an employee (unlike SSNs, etc.). - Pot calling kettle - Friday, Feb 17, 23 @ 2:14 pm: ===So you believe that White Castle should be put out of business for this?=== So, you believe that bankruptcy is a defense for violating the law? If so, should we allow that as a defense more broadly? “That fine will put me into bankruptcy, so the judgement should be set aside.” The context for individuals (especially low-income folks) is that many people go deeply into debt defending themselves and/or paying fines and fees. In this case, White Castle could have complied with the law and avoided all of that potential expense; they chose not to. - H-W - Friday, Feb 17, 23 @ 2:31 pm: My iPhone uses biometric data. The data breech is inevitable. Should iPhones be disallowed in IL? - Stuck in Celliniland - Friday, Feb 17, 23 @ 2:36 pm: ==No worries White Castle loyalists, White Castle will spin off its obligations, re-organize under bankruptcy protection and start afresh. Maybe they’ll re-open under a new name… Green Castle, a nod to being environmental aware/s?== Either that or a competitor swoops in and tries to imitate the White Castle Sliders. Such as the “McSlider,” “Little Star” (Hardees), or “Little Prince” (Burger King). - ArchPundit - Friday, Feb 17, 23 @ 2:36 pm: https://news.bloomberglaw.com/privacy-and-data-security/apples-illinois-biometric-privacy-win-expands-compliance-tools ====Apple escaped Biometric Information Privacy Act liability because customers voluntarily used optional features like Touch ID and Face ID, their data was stored locally on their own devices, and the company didn’t collect or store that data on separate servers, the Illinois First District Appellate Court decided in late December. Apple therefore didn’t possess or control the users’ data, which would have triggered state biometric privacy requirements. - Rich Miller - Friday, Feb 17, 23 @ 2:36 pm: ===Should iPhones be disallowed=== That’s not the point. The point is informed consent. - Demoralized - Friday, Feb 17, 23 @ 2:37 pm: ==This happens within industries all throughout the country. Biometric data is used when employees clock in to work to verify that it is actually them clocking in== But should they? Why do they need to do that? - Nick - Friday, Feb 17, 23 @ 2:41 pm: That’s actually been ruled on, at least by an appellate court. Apple as a company does not store or profit from use of biometric data including your finger print or facial imaging. Such data is only stored locally on the users device. Along with the fact that the feature, and information, is totally voluntary; you can hardly claim to be shocked that face ID is used to… ID your face. https://news.bloomberglaw.com/privacy-and-data-security/apples-illinois-biometric-privacy-win-expands-compliance-tools - Nick - Friday, Feb 17, 23 @ 2:43 pm: Beaten to the punch, it seems - ArchPundit - Friday, Feb 17, 23 @ 2:43 pm: ===The thumb or hand print, or iris, or face print is not stored in the device or by the employer (so says the device manufacturers and software people). Just something that can detect it. So the useful part of storing biometric information. Got it. - H-W - Friday, Feb 17, 23 @ 2:55 pm: @ Rich. I get that. However, I wonder how “informed” most consent is when offered in the form of dozens of pages/screens of legal microprint. Asserting the customer is culpable if they click a box, because they scrolled through pages and pages of various unrelated forms of legal information they may or may not have understand, in order to click a box at the point of sale, is disingenuous. Given the new law, I would suggest companies using biometric data should be required to update informed consent in plain language, so as to avoid culpability for data breeches. I would also suggest that companies have an obligation beyond getting consent to hold harmless for anything associated with use of the commodities they sell. That too is disingenuous. - H-W - Friday, Feb 17, 23 @ 3:00 pm: Nevermind my Friday ramblings. I am being foolish. Nick and ArchPundit just reminded me of how foolish I appear. Time for an IPA - ArchPundit - Friday, Feb 17, 23 @ 3:25 pm: IPAs are always good. Enjoy. Sorry, comments for this post are now closed.