Capitol Fax.com - Your Illinois News Radar


Latest Post | Last 10 Posts | Archives


Previous Post: Pritzker asked why he didn’t propose tax cuts
Next Post: Question of the day

*** UPDATED x1 *** Divided Illinois Supreme Court upholds tough BIPA ruling, but asks legislature to review policy concerns

Posted in:

* A preview from earlier this morning in anticipation of an Illinois Supreme Court ruling on Cothron v. White Castle, a Biometric Information Privacy Act case. This was prepared by Locke Lord senior counsel Ken Suh…

• This will be the second major Illinois Supreme Court decision in this month to define the scope of BIPA liability and damages.
• Earlier this month, the Court decided in Tims v. Black Horse Motor Carriers that BIPA claims were subject to a five-year statute of limitations.
• At issue in the case is when a claim under BIPA accrues. The Court’s answer will determine whether a violation of BIPA occurs every time a person’s biometric data is scanned without the proper consent or disclosure, or a violation of BIPA occurs once per individual regardless of the number of times that person’s biometric data is scanned without the proper consent or disclosure.
• The decision will have huge consequences because BIPA provides for statutory damages per violation.

* Four of the seven Supreme Court justices handed down their majority opinion at about 9 this morning

We hold that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).

* The violations started in 2008, when the BIPA law took effect

According to her complaint, plaintiff is a manager of a White Castle restaurant in Illinois, where she has been employed since 2004. Shortly after her employment began, White Castle introduced a system that required its employees to scan their fingerprints to access their pay stubs and computers. A third-party vendor then verified each scan and authorized the employee’s access. […]

In relevant part, White Castle moved for judgment on the pleadings, arguing that plaintiff’s action was untimely because her claim accrued in 2008, when White Castle first obtained her biometric data after the Act’s effective date. Plaintiff responded that a new claim accrued each time she scanned her fingerprints and White Castle sent her biometric data to its third-party authenticator, rendering her action timely with respect to the unlawful scans and transmissions that occurred within the applicable limitations period.

* More

As with section 15(b), we conclude that the plain language of section 15(d) applies to every transmission to a third party. White Castle argues that a disclosure is something that can happen only once. The Seventh Circuit asserted that the plain meaning of “disclose” connotes a new revelation. […]

This court has repeatedly recognized the potential for significant damages awards under the Act. This court explained that the legislature intended to subject private entities who fail to follow the statute’s requirements to substantial potential liability. The purpose in doing so was to give private entities “the strongest possible incentive to conform to the law and prevent problems before they occur.” As the Seventh Circuit noted, private entities would have “little incentive to course correct and comply if subsequent violations carry no legal consequences.” […]

While we explained in Rosenbach that “subjecting private entities who fail to follow the statute’s requirements to substantial potential liability, including liquidated damages, injunctions, attorney fees, and litigation expenses ‘for each violation’ of the law” is one of the principal means that the Illinois legislature adopted to achieve the Act’s objectives of protecting biometric information, there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.

Ultimately, however, we continue to believe that policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature. See McDonald, 2022 IL 126511, ¶¶ 48-49 (observing that violations of the Act have the potential for “substantial consequences” and large damage awards but concluding that “whether a different balance should be struck *** is a question more appropriately addressed to the legislature”). We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.

* From Justice Overstreet’s dissent, joined by Justices Thiess and Holder White

The majority’s interpretation cannot be reconciled with the plain language of the statute, the purposes behind the Biometric Information Privacy Act (Act) (740 ILCS 14/1 et seq. (West 2018)), or this court’s case law, and it will lead to consequences that the legislature could not have intended. Moreover, the majority’s interpretation renders compliance with the Act especially burdensome for employers. This court should answer the certified question by saying that a claim accrues under section 15(b) or 15(d) of the Act (id. § 15(b), (d)) only upon the first scan or transmission.

…Adding… Tribune

In a statement, White Castle said it was “deeply disappointed with the court’s decision and the significant business disruption that will be caused to Illinois businesses, which now face potentially huge damages.” The company said it was reviewing its options to seek further judicial review, pointing to the dissent in the ruling.

Matthew Kugler, a professor at Northwestern University’s Pritzker School of Law whose research includes biometric privacy issues, said the ruling sends a clear to signal to lower courts that companies should not be required to pay out such massive damages in privacy cases.

“We will continue to see a large damages awards, but the court is signaling to the lower courts that those awards should not be larger than they were previously,” Kugler said.

*** UPDATE *** I didn’t see this my first time through, but wow

White Castle estimates that if plaintiff is successful and allowed to bring her claims on behalf of as many as 9500 current and former White Castle employees, class- wide damages in her action may exceed $17 billion. We have found, however, that the statutory language clearly supports plaintiff’s position.

And from the dissent

The majority acknowledges White Castle’s estimate that, if plaintiff is successful in her claims on behalf of as many as 9500 current and former White Castle employees, damages in this action may exceed $17 billion. Supra  40. Nevertheless, the majority brushes this concern aside by stating that “policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature.”

Yikes.

posted by Rich Miller
Friday, Feb 17, 23 @ 10:23 am

Comments

  1. “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business”

    I am very curious what such language would look like and if there are any examples of such language in the Illinois code.

    – MrJM

    Comment by MisterJayEm Friday, Feb 17, 23 @ 10:47 am

  2. This is what happens when trial lawyers are left unchecked and policies passed without a full vetting or understanding of the consequences.

    Comment by move on Friday, Feb 17, 23 @ 11:18 am

  3. IL SC translation: Don’t come to us for fiscal relief from violating this law. You need to lobby the Legislature.

    Comment by RNUG Friday, Feb 17, 23 @ 11:20 am

  4. The trial lawyers are already getting their money’s worth from the 2022 election.

    Comment by Torco Sign Friday, Feb 17, 23 @ 11:20 am

  5. $17 Billion. Wow. That would effectively put White Castle out of business. The legislature needs to act ASAP.

    Comment by Hannibal Lecter Friday, Feb 17, 23 @ 11:22 am

  6. **That would effectively put White Castle out of business. The legislature needs to act ASAP.**

    White Castle could have just followed the law.

    Comment by JoeMaddon Friday, Feb 17, 23 @ 11:50 am

  7. My guess is that some changes will be made to the law to limit damages. But maybe, just maybe, corporations will think twice about how they use personal information.

    I mean, how was this person’s fingerprint necessary to work at a burger joint? How did it affect the work environment? How did it impact employee morale? How did it improve the quality of the sliders??

    Comment by Friendly Bob Adams Friday, Feb 17, 23 @ 11:50 am

  8. === White Castle could have just followed the law. ===

    So you believe that White Castle should be put out of business for this?

    Comment by Hannibal Lecter Friday, Feb 17, 23 @ 11:55 am

  9. === I mean, how was this person’s fingerprint necessary to work at a burger joint? How did it affect the work environment? How did it impact employee morale? How did it improve the quality of the sliders?? ===

    You are overthinking this. This happens within industries all throughout the country. Biometric data is used when employees clock in to work to verify that it is actually them clocking in. Unless there is some evidence that the information was misused, why should this crippling level of damages be imposed for technical violations?

    Comment by Hannibal Lecter Friday, Feb 17, 23 @ 11:57 am

  10. == $17 Billion. Wow. That would effectively put White Castle out of business. The legislature needs to act ASAP. ==

    Do they, though? The whole point of this law is to deter businesses from mishandling immutable biometric data. I’m not a lawyer, but to me as an information professional, I’m glad these big number lawsuits are showing up.

    How many times has a business been sued, settled for what amounts to a slap on the wrist and a “we are paying this money and do not admit we did anything bad”, and then continue doing bad things in slightly different ways? Remember that Equifax data breach a few years ago? Those settlement checks went out and those people received beans and the knowledge that their SSN has been compromised. Equifax will just roll right along and continue to be terrible at protecting consumer private data, and people will have to take more proactive steps to protect themselves against identity theft because the company who is responsible for protecting that data couldn’t bother to keep it safe.

    The employees who are party to this suit can’t go to the store and get new fingerprints. You can’t freeze a fingerprint like you can a credit repot. White Castle was more concerned about saving a few bucks by making sure their low-wage employees were not having someone else clock in for them. This isn’t the 1990s, and these biometric data issues are not going away. If you can’t realize that and take steps to cover your rear from liability, then you don’t deserve to be in business anymore.

    They could have solved all of this by simply NOT using the fingerprint scanners in the first place, but they decided that “preventing timeclock theft” was more important.

    Comment by Leap Day William Friday, Feb 17, 23 @ 11:59 am

  11. That potential award averages out to $1.8 million per employee (ignoring attorney’s fees). Wow.

    Comment by Numbers Friday, Feb 17, 23 @ 12:02 pm

  12. There goes the chances (however small they may be) of White Castle loosening their definition of “St. Louis area” to include Springfield in their future expansion plans.

    Comment by Stuck in Celliniland Friday, Feb 17, 23 @ 12:02 pm

  13. There’s some interesting things to weigh here.

    Lessening the violations or limiting them explicitly can really defang the law, and this has to be one of the most significant areas where Illinois is ahead of the curve versus the rest of the country. I really do not want to see BIPA weakened.

    And yet, no, I don’t exactly want to outright bankrupt a business like White Castle either. Their entire annual revenue I think is under a billion, this could ruin them multiple times over.

    Maybe a cap as a percentage of some amount of averaged revenue? Who knows.

    Comment by Nick Friday, Feb 17, 23 @ 12:03 pm

  14. “Mary and Liz Bankrupt White Castle,” produced by Dobbs v. Jackson Women’s Health Organization

    Comment by Torco Sign Friday, Feb 17, 23 @ 12:07 pm

  15. BIPA is a great law. Why did White Castle need to collect biometric information in the first place? “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.

    Comment by Yahoo Friday, Feb 17, 23 @ 12:09 pm

  16. ===Unless there is some evidence that the information was misused===

    If a digital copy of your fingerprints is hacked, you cannot change them.

    Comment by Rich Miller Friday, Feb 17, 23 @ 12:09 pm

  17. Here’s a thought White Castle, just don’t take your employees and customers biometric info, it is wholly unnecessary to the function of making a burger. Pretty simple. You don’t like penalties, don’t break the law.

    Comment by ;) Friday, Feb 17, 23 @ 12:12 pm

  18. If White Castle was using fingerprints for employment purposes, why didn’t they just have their employee’s sign a form?

    Comment by Yahoo Friday, Feb 17, 23 @ 12:14 pm

  19. == You are overthinking this. This happens within industries all throughout the country. Biometric data is used when employees clock in to work to verify that it is actually them clocking in. Unless there is some evidence that the information was misused, why should this crippling level of damages be imposed for technical violations? ==

    Why should a low-wage employee be forever crippled when (not if, when) the inevitable data breach happens because a current or former employer has such contempt for the people who work for them that they feel it necessary to collect immutable biometric data just to save a few bucks?

    Someone punches the wrong time card or signs in for someone else? Fire them. That’s a lot less liability than being the ones responsible for making someone’s fingerprints forever unsafe.

    Comment by Leap Day William Friday, Feb 17, 23 @ 12:38 pm

  20. ==So you believe that White Castle should be put out of business for this?==

    Had I, an ordinary citizen broken the law, the financial effect the fines would have on me would be the last thing the courts consider. Why should a corporate making millions a year in profits be treated any different?

    Comment by Former Downstater Friday, Feb 17, 23 @ 12:48 pm

  21. It is not the Court’s job to draft or amend BIPA; this belongs to the Legislature. When businesses do these “technical violations” they are violating laws and the rights of the victims. After having my identity stolen several times, including from at least one State agency, it is time businesses pay up big time to victims individually, not just their attorneys. White Castle will simply try declaring bankruptcy to avoid paying the employees and reappear as the “legal fiction” of “The New White Castle” with the same decision-makers likely at the top laughing in meetings about worker’s rights.

    Comment by thisjustinagain Friday, Feb 17, 23 @ 1:29 pm

  22. No worries White Castle loyalists, White Castle will spin off its obligations, re-organize under bankruptcy protection and start afresh. Maybe they’ll re-open under a new name… Green Castle, a nod to being environmental aware/s?
    Seriously, a security breach is a given. Companies/corporations collecting biometric data for any reason should be forbidden. Lives have been wrecked with identity theft as it is.

    Comment by froganon Friday, Feb 17, 23 @ 1:43 pm

  23. —Biometric data is used when employees clock in to work to verify that it is actually them clocking in

    There are other solutions to the problem.

    Comment by ArchPundit Friday, Feb 17, 23 @ 1:49 pm

  24. ===There are other solutions to the problem===

    Yeah, like have management make sure the people are there. Those restaurants aren’t very large.

    Comment by Rich Miller Friday, Feb 17, 23 @ 2:02 pm

  25. BIPA also covers the algorithm that is (in my experience dealing with this issue) created when the employee first sticks a thumb, eye, hand, face, into the scanner. The thumb or hand print, or iris, or face print is not stored in the device or by the employer (so says the device manufacturers and software people). The manufacturers of the devices always claim there is no way to recreate the print, etc. from the algorithm. There are a number of technicalities in this law that can trip up employers that have zero to do with the storage of that algorithm. Have yet to hear of any case where such information was hacked and used against an employee (unlike SSNs, etc.).

    Comment by ThePAMan Friday, Feb 17, 23 @ 2:09 pm

  26. ===So you believe that White Castle should be put out of business for this?===

    So, you believe that bankruptcy is a defense for violating the law? If so, should we allow that as a defense more broadly? “That fine will put me into bankruptcy, so the judgement should be set aside.” The context for individuals (especially low-income folks) is that many people go deeply into debt defending themselves and/or paying fines and fees. In this case, White Castle could have complied with the law and avoided all of that potential expense; they chose not to.

    Comment by Pot calling kettle Friday, Feb 17, 23 @ 2:14 pm

  27. My iPhone uses biometric data.

    The data breech is inevitable.

    Should iPhones be disallowed in IL?

    Comment by H-W Friday, Feb 17, 23 @ 2:31 pm

  28. ==No worries White Castle loyalists, White Castle will spin off its obligations, re-organize under bankruptcy protection and start afresh. Maybe they’ll re-open under a new name… Green Castle, a nod to being environmental aware/s?==

    Either that or a competitor swoops in and tries to imitate the White Castle Sliders.

    Such as the “McSlider,” “Little Star” (Hardees), or “Little Prince” (Burger King).

    Comment by Stuck in Celliniland Friday, Feb 17, 23 @ 2:36 pm

  29. https://news.bloomberglaw.com/privacy-and-data-security/apples-illinois-biometric-privacy-win-expands-compliance-tools

    ====Apple escaped Biometric Information Privacy Act liability because customers voluntarily used optional features like Touch ID and Face ID, their data was stored locally on their own devices, and the company didn’t collect or store that data on separate servers, the Illinois First District Appellate Court decided in late December. Apple therefore didn’t possess or control the users’ data, which would have triggered state biometric privacy requirements.

    Comment by ArchPundit Friday, Feb 17, 23 @ 2:36 pm

  30. ===Should iPhones be disallowed===

    That’s not the point. The point is informed consent.

    Comment by Rich Miller Friday, Feb 17, 23 @ 2:36 pm

  31. ==This happens within industries all throughout the country. Biometric data is used when employees clock in to work to verify that it is actually them clocking in==

    But should they? Why do they need to do that?

    Comment by Demoralized Friday, Feb 17, 23 @ 2:37 pm

  32. That’s actually been ruled on, at least by an appellate court.

    Apple as a company does not store or profit from use of biometric data including your finger print or facial imaging. Such data is only stored locally on the users device. Along with the fact that the feature, and information, is totally voluntary; you can hardly claim to be shocked that face ID is used to… ID your face.

    https://news.bloomberglaw.com/privacy-and-data-security/apples-illinois-biometric-privacy-win-expands-compliance-tools

    Comment by Nick Friday, Feb 17, 23 @ 2:41 pm

  33. Beaten to the punch, it seems

    Comment by Nick Friday, Feb 17, 23 @ 2:43 pm

  34. ===The thumb or hand print, or iris, or face print is not stored in the device or by the employer (so says the device manufacturers and software people).

    Just something that can detect it. So the useful part of storing biometric information. Got it.

    Comment by ArchPundit Friday, Feb 17, 23 @ 2:43 pm

  35. @ Rich. I get that. However, I wonder how “informed” most consent is when offered in the form of dozens of pages/screens of legal microprint.

    Asserting the customer is culpable if they click a box, because they scrolled through pages and pages of various unrelated forms of legal information they may or may not have understand, in order to click a box at the point of sale, is disingenuous.

    Given the new law, I would suggest companies using biometric data should be required to update informed consent in plain language, so as to avoid culpability for data breeches.

    I would also suggest that companies have an obligation beyond getting consent to hold harmless for anything associated with use of the commodities they sell. That too is disingenuous.

    Comment by H-W Friday, Feb 17, 23 @ 2:55 pm

  36. Nevermind my Friday ramblings. I am being foolish.

    Nick and ArchPundit just reminded me of how foolish I appear.

    Time for an IPA

    Comment by H-W Friday, Feb 17, 23 @ 3:00 pm

  37. IPAs are always good. Enjoy.

    Comment by ArchPundit Friday, Feb 17, 23 @ 3:25 pm

Add a comment

Sorry, comments are closed at this time.

Previous Post: Pritzker asked why he didn’t propose tax cuts
Next Post: Question of the day


Last 10 posts:

more Posts (Archives)

WordPress Mobile Edition available at alexking.org.

powered by WordPress.