Court rulings supercharge Illinois’ strongest-in-nation biometric
privacy law
Send a link to a friend
[March 01, 2023]
By HANNAH MEISEL
Capitol News Illinois
hmeisel@capitolnewsillinois.com
SPRINGFIELD – In the wake of a pair of recent decisions from the
Illinois Supreme Court strengthening the state’s law governing how
companies must treat employees’ and customers’ biometric data, longtime
critics of the law see an opening to weaken it.
But backers of Illinois’ Biometric Information Privacy Act are reluctant
to renegotiate the strongest-in-the-nation privacy protections laid out
in the law, and they characterize opponents’ uproar following the court
decisions as “fear mongering.”
Nearly 15 years after the law’s initial passage, legal interpretations
of BIPA are still taking shape, as widespread use of the technology that
collects biometric data such as fingerprint and facial scans has only
recently caught up to the law’s forward-looking language. The wide
adoption of such technology has led to the proliferation of class action
lawsuits under BIPA, creating what opponents of the law have called a
cottage industry for ambitious attorneys.
A constant refrain in those suits has been that if an individual’s
social security number is stolen, it may be a nuisance to get a new one
but not impossible. But there’s no remedy for a stolen fingerprint,
retinal, voice or face scan, they argue. Under the law, companies
deploying this technology must obtain employees’ or customers’ written
consent before their biometric information is collected.
While two other states have imitated Illinois’ first-in-the-nation
biometric privacy law, Illinois is the only of the three states that
allow individuals the right to sue over the improper collection and
mishandling of biometric data.
Since about 2018, upwards of 2,000 suits have been filed under BIPA,
followed by several high-profile, high-dollar settlements – including
the $650 million Facebook paid out after settling a class action suit in
2020. Those legal developments, in addition to a series of Illinois
Supreme Court decisions interpreting BIPA’s limits in ways that favor
plaintiffs, have all spooked the business community.
Fast food chain White Castle, the defendant in the most recent case
decided by the state’s high court, claims the court’s ruling could cost
the company $17 billion – a figure that businesses warn could bankrupt
entire industries.
But even in deciding against White Castle, the majority on the court
sought to assuage fears that future damage awards in BIPA cases would
force a company to shutter. The court wrote “there is no language in the
Act suggesting legislative intent to authorize a damages award that
would result in the financial destruction of a business.”
The opinion did, however, “respectfully suggest” the General Assembly
review BIPA “and make clear its intent regarding the assessment of
damages under the Act.”
Whether the court’s advisory will open the door to bigger changes in
BIPA – or whether it will be heeded at all this year – remains to be
seen, as proponents say litigation over biometric privacy means the law
is working exactly as it should.
Recent decisions
Two major BIPA-related decisions from the state’s high court were issued
in February. A unanimous majority found the law unequivocally provided
for a five-year statute of limitations on lawsuits against companies
that collected biometric information from employees or customers without
proper notice – instead of the one-year time limit argued by the
business community.
Read more: Illinois’ biometric privacy law strengthened by latest high
court ruling
And two weeks later, a divided court ruled that each time someone’s
biometric data is collected constitutes a separate violation of BIPA,
which under the law means $1,000 in damages for “negligent” violations
or $5,000 for “reckless” or “intentional” violations. However, the court
didn’t rule on the question of damages specifically, which means the
legal question of how damages can accrue under BIPA is still unsettled.
In that case, the justices were charged with deciding whether White
Castle violated BIPA each time its employees scanned their fingerprints
to access work computers and pay stubs or, as White Castle contended,
whether only the initial collection of fingerprints without proper
notice constituted a single violation under the law.
In a 4-3 opinion, the majority of the seven-member court – four of whom
were not yet on the court when the case was argued last May – reasoned
they could not limit BIPA claims to just “the first time a private
entity scans or transmits a party’s biometric identifier or biometric
information.”
“No such limitation appears in the statute,” the majority wrote. “We
cannot rewrite a statute to create new elements or limitations not
included by the legislature.”
Taken together, both the White Castle decision and the unanimous opinion
solidifying the assumption of a five-year statute of limitations under
BIPA have strengthened the law, but the full effects of those decisions
won’t be felt until those cases wind their way back down to trial court
– if the parties even choose to continue litigation instead of settling.
So far, BIPA has only seen one jury test: a federal jury in October
granted $228 million in damages in a class action case against BNSF
Railways.
Despite the Illinois Supreme Court’s decision in the White Castle case,
plaintiffs aren’t guaranteed a win when it returns to trial court; the
lawsuit has yet to be certified as a class action, and would also need
to go through a lengthy discovery process before going to trial.
The long road ahead for these cases is why State Rep. Ann Williams,
D-Chicago, said she won’t be diving headfirst into negotiations to tweak
the law any time soon. Williams, who wasn’t yet in office when BIPA
passed in 2008, has taken the lead on biometric information and other
privacy measures in the House. She said she’s wary of those calling for
changes to the law, characterizing them as “sky-is-falling” alarmists
who merely want to strip BIPA of its protections before letting the
litigation continue to unfold.
“So to react immediately by making a quick change in the law without
saying how things play out seems a bit premature to me,” Williams said
in an interview.
But Mark Denzler, president and CEO of the Illinois Manufacturers’
Association, said he and other business leaders aren’t sounding a false
alarm but are instead heeding very real warning bells.
“I had a conversation with an auto company (recently) that’s no longer
going to test autonomous vehicles in Illinois because of this ruling,”
Denzler told Capitol News Illinois.
He cautioned that companies becoming fearful of facing expensive BIPA
lawsuits in the course of doing business – like collecting images of
pedestrians while testing autonomous vehicles – will hinder goals
Denzler shares with Gov. JB Pritzker, including making Illinois a leader
in high-tech manufacturing.
“Certainly these decisions (from the Illinois Supreme Court) throw cold
water on that,” Denzler said.
15 years of BIPA
When then-Gov. Rod Blagojevich signed BIPA into law in 2008, it was a
novel concept meant to guard against technologies that, at the time,
were still mostly the stuff of science fiction.
The legislation passed with unanimous support in both the Illinois House
and Senate, with bipartisan sponsorship. Legislative records at the time
indicate there was no debate on the floor of either chamber. The
introduction from then-State Rep. Kathleen Ryg, D-Vernon Hills, cited
the recent bankruptcy of Pay By Touch, a tech company that allowed
grocery store customers to complete their purchases with a scan of their
fingerprint.
[to top of second column]
|
Members of the Illinois Supreme Court
are pictured at the swearing in of Chief Justice Mary Jane Theis
late last year. (Capitol News Illinois photo by Jerry Nowicki)
“This pullout leaves thousands of customers from Albertsons, Cub Foods,
Farm Fresh, Jewel, Osco, Shell, and Sunflower Market wondering what will
become of their biometric and financial data,” Ryg said at the time.
BIPA didn’t face much legal scrutiny in the first decade or so of its
existence. But around 2017 and 2018, a trickle of BIPA-related lawsuits
quickly became an explosion as attorneys such as Chicago-based Jay
Edelson pioneered biometric privacy litigation in his own small firm,
while larger firms created practice areas specializing in the law.
Technology, too, has caught up with what was merely theoretical at the
time of BIPA’s passage; both employees and customers are regularly
subjected to the collection of their biometric privacy data, through
means such as fingerprint scan, time clocks and closed-circuit video
systems with facial recognition abilities.
In early 2019, the Illinois Supreme Court issued the first of its
opinions reviewing BIPA, unanimously finding that a plaintiff doesn’t
need to plead “actual harm” in order to prove a company violated BIPA.
In other words, whether an employee or customer’s fingerprints or other
biometric data was hacked, stolen or sold is irrelevant; merely the act
of having one’s biometric data collected without their express consent
was enough to warrant up to $5,000 in damages per violation.
One of the earliest legal tests of BIPA – a suit Edelson filed against
Facebook in 2015 for the tech giant’s use of facial recognition
technology – would also become one of the biggest. The $650 million
settlement agreed to by Facebook in 2020 catapulted the relatively
unknown law into the headlines when Illinoisans signed up for their
share of the money, and again when they received those $397 checks last
May.
Plaintiffs firms took advantage of the buzz around BIPA and started
recruiting potential class members for new suits against social media
and other tech companies last year.
But long before the crush of BIPA-related lawsuits began, lobbying
efforts unsuccessfully tried to weaken the law. In 2016, then-state Sen.
Terry Link, D-Vernon Hills, who had been the Senate sponsor of BIPA in
2008 and has since been indicted for unrelated tax evasion charges,
sponsored a bill that would have retroactively excluded photos posted
online from being subject to the law. Had it passed, the measure would
have ended the ongoing lawsuit against Facebook.
Democrats introduced similar bills in 2018, but they didn’t go very far,
while BIPA-related bills filed by superminority Republicans have also
been left on the cutting room floor.
BIPA moving forward
In its decision last week, the Illinois Supreme Court noted that its
prior opinions in BIPA-related cases have “repeatedly recognized the
potential for significant damages awards” under the law, which the
justices said were intended to give companies “the strongest possible
incentive to conform to the law and prevent problems before they occur.”
However, the justices also said they believed the legislature intended
to make damages “discretionary rather than mandatory.” The high court
also agreed that a trial court “would certainly possess the discretion
to fashion a damage award that fairly compensated claiming class members
and included an amount designed to deter future violations, without
destroying defendant’s business.”
That’s cold comfort for defense attorneys like Danielle Kays of
Chicago-based firm Seyfarth Shaw LLP, who represents companies facing
BIPA lawsuits. Kays said the decision was “extremely disappointing” and
could result in businesses having to pay out “draconian” damages. But,
she noted, multimillion or -billion dollar damages could lead to a
constitutional challenge of the law.
Before it gets to that point, Kays said, she would rather see the
legislature address issues brought to the surface by legal challenges.
She suggested allowing businesses to “cure” their violation of BIPA once
it was brought to a company’s attention, especially since she noted the
vast majority of biometric privacy litigation does not involve hacking,
stealing or sale of that data.
But that’s a non-starter for Williams, who characterized the compliance
standards laid out in BIPA as “not difficult.” However, she said she’d
be willing to discuss clarifications and small tweaks to the law.
While Williams, who is an attorney, noted that many plaintiffs’ lawyers
aren’t arguing for the accrual of damages on a per-scan basis, she said
the specter of having such personal biometric data stolen or misused is
reason enough to maintain the potential for “significant damages.”
“If you don't, these big tech companies that are billion-dollar
companies are going to look at violations just as a cost of doing
business, and not be concerned about compliance,” Williams said.
A spokesman from the ACLU of Illinois echoed Williams’ sentiments,
saying the organization – an architect and backer of the law – doesn’t
see any urgency to change it.
But Denzler, whose organization is one of the most influential business
lobbying groups in Illinois, does.
“(There will be) billions paid out,” Denzler said of settlements and
future damage awards. “That money could've gone to capital investments
or higher wages for workers. Instead, it’s going into the pocketbooks of
trial lawyers.”
State Rep. Jeff Keicher, R-DeKalb, said he believes a bill he’s put
forward could strike the right balance in tweaking the law. House Bill
3199 would allow companies to obtain consent electronically for
collecting and using employees’ and customers’ biometric data, in
addition to clarifying that consent is only needed for the first time a
company collects it.
Keicher said he’s sensitive to biometric privacy concerns because of the
massive data center Facebook is building in his district. He called BIPA
a “bragging point” because “we don’t allow Illinois citizens to be
manipulated in the fashion that some other (states) do.”
“We have technology and we need to adapt to it, but at the same time, we
have to be very sensitive to the abuses that some unscrupulous large
technology firms may take,” Keicher said in an interview. “And so where
that center line is, I think we owe it to the people of Illinois to
investigate.”
Stephan Zouras, who represented the former White Castle manager at the
center of the most recent case, is also involved with two other BIPA-related
cases set for hearings in front of the high court in the next year or
so. Those cases concern whether the Labor Management Relations Act
preempts BIPA claims, and whether the law provides an exemption for
employees in the health care industry.
“The decision is a win for the workers and all other citizens of
Illinois who are understandably fed up with the cavalier and
irresponsible disregard of their privacy rights by wealthy, powerful
corporations, especially when those rights are trampled upon as a
condition of employment at the workplace,” Zouras said in an email.
Capitol News Illinois is a nonprofit, nonpartisan news
service covering state government. It is distributed to more than 400
newspapers statewide, as well as hundreds of radio and TV stations. It
is funded primarily by the Illinois Press Foundation and the Robert R.
McCormick Foundation. |