Capitol Fax.com - Your Illinois News Radar » Dems’ BIPA change assailed by business groups
Dems’ BIPA change assailed by business groups

Friday, May 19, 2023 - Posted by Rich Miller

* The law firm of Mayer Brown

In what is becoming a pattern, the Illinois Supreme Court recently issued another decision interpreting the Biometric Information Privacy Act (“BIPA”) to expand potential liability for businesses. The court held in Cothron v. White Castle that each time a business collects or discloses an individual’s biometric data without first obtaining BIPA-compliant consent, a separate claim accrues under BIPA. BIPA authorizes statutory damages of $1,000 for “each violation” of the statute—and $5,000 if the violation is found to be intentional or reckless.

* From the majority opinion

White Castle estimates that if plaintiff is successful and allowed to bring her claims on behalf of as many as 9500 current and former White Castle employees, class-wide damages in her action may exceed $17 billion. We have found, however, that the statutory language clearly supports plaintiff’s position. […]

(T)here is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.

We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.

* An amendment was filed today by Senate President Pro Tempore Bill Cunningham

(A) private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subsection (b) of Section 15 has committed a single violation of subsection (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section.

However, the amendment also increases penalties by fifty percent. That’s just one of the complaints, many of them legit, from business groups.

* Press release…

Leading business, healthcare and technology groups are united in opposition to proposed changes to the state’s Biometric Information Privacy Act (BIPA), which fails to enact needed reforms and would instead increase financial damages against businesses and further suppress security, innovation and economic growth.

A coalition including the Chicagoland Chamber of Commerce, Illinois Chamber of Commerce, Illinois Hotel & Lodging Association, Illinois Manufacturers’ Association, Illinois Railroad Association, Illinois Retail Merchants Association, Illinois Trucking Association, TechNet and National Federation of Independent Business Illinois is urging lawmakers to reject the proposal, which is contained in an amendment made to HB3811.

The proposal undermines months of negotiations intended to limit the impact of BIPA, which has been routinely abused in order to extort businesses for financial gain where no harm has ever been alleged. The legislation represents a 50 percent increase in penalties that can be awarded on future settlements. Furthermore, there is no standard to prove harm which is the definition of a frivolous lawsuit.

“Just when we thought BIPA couldn’t get any worse for businesses in Illinois, lawmakers unveil a proposal that will only increase abuse of this law by trial attorneys,” said Mark Denzler, President and CEO, Illinois Manufacturers’ Association. “To say this is a disappointing end to negotiations understates the true harm this proposal will cause if enacted.” […]

In the 15 years since BIPA was enacted, more than 1,500 frivolous lawsuits have been filed by class action lawyers against manufacturers, retailers, hospitals, nursing homes, entertainment venues, hotels, and other businesses by claiming violation of employee or consumer rights even though there has been no harm to individuals, theft of identities or nefarious intent. Of those more than 1,500 lawsuits, the vast majority occurred after a 2019 Illinois Supreme Court decision in Rosenbach v. Six Flags, which held that a plaintiff need not demonstrate any form of harm beyond a violation of the law.

Examples of entities sued by trial lawyers under BIPA:

    • US Department of Homeland Security
    • The Salvation Army of Cook County
    • Lutheran Senior Services
    • Council of Jewish Elderly
    • Nursing homes
    • The Art Institute of Chicago
    • School bus companies
    • Colleges
    • Ambulances
    • Hospitals

This year, the Illinois Supreme Court issued two additional rulings that exponentially expand the scope and costs of BIPA lawsuits. The first, Tims v. Black Horse Carriers, Inc., eliminated the possibility of a one-year statute of limitations for claims under BIPA, ruling that a “catchall” five-year statute of limitations applies to these cases, dramatically increasing the timeframe for which complaints can be brought. […]

Needed changes include: updating the law to require proof that actual harm occurred to individuals before imposing fines; establishing a “notice and cure” period, which would allow businesses to address any potential issues in instances where there has been no actual harm; giving the Attorney General authority to provide companies with advisory opinions on whether or not their compliance efforts meet the requirements of the law; limiting the statute of limitations for legal action to one year; and allowing biometric identifiers to be used for security purposes such as managing access to controlled substances, preventing organized retail theft and other violent crimes, and accessing sensitive facilities, including electric plants and refineries.

Legislators should also provide for electronic consent as well as “evergreen” consent, which would operate similarly to the federal Health Insurance Portability and Accountability Act (HIPAA) privacy rule, which allows a single waiver to encompass multiple instances in which information is shared.

They had been negotiating for weeks, but apparently got the rug pulled out from under them last night.

       

14 Comments
  1. - Day Late - Friday, May 19, 23 @ 3:46 pm:

    Why in the world would the Senate President push this half baked idea on the day of the scheduled adjournment (even though that is a joke since they couldn’t lead their way out of a paper bag). Unbelievably irresponsible to add to the problem you’re purporting to fix.


  2. - Steve Polite - Friday, May 19, 23 @ 3:55 pm:

    “updating the law to require proof that actual harm occurred to individuals before imposing fines;”

    NO, NO, NO AND NO. Absolutely not. Don’t water down BIPA. To the companies, just comply with the law. Don’t share or sell biometric information without express written consent.

    The penalties should not be tied to whether or not there has been actual harm. If a company does not have my permission to share my biometric information, and they do anyway, they should be penalized and strongly. I believe we should maintain complete ownership and rights of our personal biometric data, and blanket permission is not enough. I want to approve each occurrence, just like I would for any other valuable item I own.


  3. - low level - Friday, May 19, 23 @ 4:02 pm:

    ==(even though that is a joke since they couldn’t lead their way out of a paper bag).==

    LOL. I take it you aren’t a supporter of Harmon…


  4. - Rich Miller - Friday, May 19, 23 @ 4:20 pm:

    === I take it you aren’t a supporter of Harmon===

    Whether the person is or not is irrelevant. Stick to the bill.


  5. - JB13 - Friday, May 19, 23 @ 4:25 pm:

    Gee, why does Illinois have such a bad reputation among the business and employment community?

    A mystery wrapped in an enigma


  6. - TheInvisibleMan - Friday, May 19, 23 @ 4:36 pm:

    –no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.–

    The legislature also didn’t make the decision for this business to violate the law on such a massive and ongoing scale.

    It is astronomically simple for any company to avoid destroying themselves. Stop collecting the biometric data of people without their consent.

    It’s supposed to be punitive enough to prevent business from doing it. Despite the clear language in the law, some still thought it was on the positive side of the risk/reward spectrum. Those are bad decision makers, and those bad decisions have consequences.

    I have zero sympathy.


  7. - Too Close - Friday, May 19, 23 @ 4:52 pm:

    I once worked for a warehouse that did not then use e-verify that subsequently brought in BIPA to “upgrade” from a timecard punching system. Not only were rank & file employees concerned about “being fingerprinted” and their information being taken, we also had a situation where after a malfunction with the new biometric time clock, we had to send it in to the manufacturer for service…you guessed it, without messing with the data stored in the clock. I always wondered what happened with the data on the clock when we got it back, blank - due to being reset.

    I concur with Steve Polite above - put companies out of business over this, protect individuals’ data at all costs. Our apps and other systems are already profiting off of us too much as it is.


  8. - Lloyd - Friday, May 19, 23 @ 4:55 pm:

    === astronomically simple===
    While what you say is true, you can do everything by the book, be a steward of and fully support/live/breathe BIPA, and still be hauled into court by attorneys seeking a settlement. Class action lawsuit defense is expensive and crippling. Attorneys are targeting small business licensed fingerprint vendors who were essential businesses during the pandemic protecting our most vulnerable populations. Don’t water down BIPA, but do reform the 2008 BIPA exemptions intended to protect these already regulated, licensed industries who are already doing the right thing.


  9. - TheInvisibleMan - Friday, May 19, 23 @ 5:21 pm:

    –and still be hauled into court by attorneys seeking a settlement.–

    Yeah, and? That’s not the complaint.

    From the argument;

    “even though there has been no harm to individuals, theft of identities or nefarious intent.”

    The law states the act of collecting the data without consent is the act. If you are not collecting the data without consent, there is nothing for the attorneys to find and reach a settlement over.

    Pay close attention to the parsing of what is being argued. The argument is not that *anyone* can be dragged into court. The argument is that it is ‘frivolous’ for all these companies collecting data without consent to be hauled into court *because* nobody has suffered harm as the complainers are defining it.

    There is an analogue in the business world in the self-regulation of PCI. It is a partnership between card payment companies (credit cards) and businesses. If you continually violate the rules, the punishment is no longer being able to accept credit cards for payment. It doesn’t matter if anyone used the credit card data fraudulently, all that matters is that you are not following the rules for how to protect that data.

    This is no different, and I would not be surprised if the internal discussions when creating BIPA involved comparing it to existing PCI self-regulation.


  10. - lloyd - Friday, May 19, 23 @ 5:24 pm:

    Even if you collect consent you can be hauled into court if a person is “aggrieved”. Forget the argument. Read the law.


  11. - Lloyd - Friday, May 19, 23 @ 5:32 pm:

    Where does the law say you won’t be hauled into court if you collect consent? It does not. You can do everything right and still be hauled into court.


  12. - TheInvisibleMan - Friday, May 19, 23 @ 5:36 pm:

    –Forget the argument. Read the law.–

    The law which also says if you are collecting the data, it is then your responsibility to protect it?

    **regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.**

    It’s right there in the intent of the law. I’m not sure how much more clear it needs to be. Because clarity is not the problem. The problem is companies are now upset they are being held responsible for their poor decisions, because they thought risking the biometric data of someone other than themselves was worth the risk - and profit.

    The law doesn’t say harm is required as defined by those complaining about being caught.

    The rules are simple.

    If you can show me a single company that has done internal independent audits, similar to what is already done on a quarterly basis in the corporate world for PCI, to ensure compliance is being ‘frivolously’ dragged into court for violations - then I would take the complaints seriously.

    That’s not happening. Otherwise it would be the first thing being argued. Instead the argument is trying to play victim for getting caught not following the law.

    Again. No sympathy.


  13. - TheInvisibleMan - Friday, May 19, 23 @ 5:43 pm:

    – Where does the law say you won’t be hauled into court if you collect consent? It does not.–

    That’s tort reform, which is a much larger issue.

    People can get hauled into court for any reason. That’s why some nefarious types use that ability to get default judgments in their favor.

    That’s not exclusive to BIPA, and it’s not the argument being made.


  14. - Lloyd - Friday, May 19, 23 @ 6:34 pm:

    ===tort reform===

    I can’t believe the legislature intended to destroy their network of licensed locksmiths and fingerprint vendors who have done the right thing while awaiting tort reform. I just can’t. It’s not Illinois-centric. I don’t believe the Illinois ACLU did either. Fix BIPA or amend the 2004 locksmith act to better protect those businesses from savvy, sneaky trial attorneys by exclusively giving authority to IDFPR for relief or providing injunctive relief for the aggrieved. https://www.ilga.gov/House/transcripts/Htrans95/09500276.pdf#page=249

