Employers in Illinois could face potential financial devastation under Illinois’ biometrics privacy law, the state Supreme Court has ruled, with little recourse but to appeal to judges’ sense of equity or to persuade lawmakers to rewrite the law to reduce the potential dire economic consequences.
In a sharply divided ruling, authored by one of the newest members of the court’s Democratic majority – who was not on the court when the case was argued 10 months ago – the Illinois Supreme Court ruled the Illinois Biometric Information Privacy Act should be interpreted to allow plaintiffs to demand damages of $1,000-$5,000 for each and every scan of a person’s fingerprints or other biometric identifiers, not just the first one.
In the 4-3 decision, Illinois Supreme Court Justice Elizabeth Rochford conceded the potentially catastrophic consequences the law could have for businesses in Illinois. But the majority, she said, believes “substantial potential liability” for defendants under massive class actions is the point of the law.
Illinois Supreme Court Justice Elizabeth Rochford
| facebook.com/JudgeRochford
“The purpose in doing so was to give private entities ‘the strongest possible incentive to conform to the law and prevent problems before they occur,’” Rochford wrote. “… Private entities would have ‘little incentive to course correct and comply if subsequent violations carry no legal consequences.’”
Rochford said the majority believes courts will still be empowered to “fashion a damage aware that 1) fairly compensated claiming class members and 2) included an amount designed to deter future violations, without destroying defendant’s business,” noting “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.”
But if businesses are concerned about potentially paying many millions or even billions of dollars in damages under the law, they need to bring those concerns to Illinois’ Democratic supermajority in the Illinois General Assembly, Rochford said.
To this point, the Democrats who dominate the state legislature have chosen to ignore those concerns, refusing to amend the law that has served as the basis for thousands of class action lawsuits that have generated many millions of dollars in attorney fees for trial lawyers.
Trial lawyers have also proven to be generous and regular donors to the state’s Democratic Party and lawmakers.
Rochford was joined in the majority decision by Justice P. Scott Neville, and two other of the court’s newest Democratic justices, Joy V. Cunningham and Mary K. O’Brien. None of Rochford, Cunningham or O’Brien were on the court when the case was argued in May 2022.
Rochford and O’Brien were elected to the court in November. Their campaigns were both heavily aided by millions of dollars in spending by an organization established, funded and run by trial lawyers, for the expressed purpose of electing Democrats to the Illinois Supreme Court.
Cunningham was appointed to replace former Chief Justice Anne M. Burke, who retired last fall.
Justice David K. Overstreet dissented, joined by Chief Justice Mary Jane Theis and Justice Lisa Holder White.
Holder White, a Republican who was appointed to replace retired Justice Rita B. Garman, also was not on the court when the case was argued.
$9.5 million vs $17 billion
The decision centers on a class action lawsuit brought against White Castle nearly three years ago. In that case, attorneys with the Chicago firm of Stephan Zouras sued the fast food chain in Cook County Circuit Court on behalf of named plaintiff Latrina Cothron, and potentially 9,500 other current and former White Castle employees.
According to case documents, Cothron worked as a restaurant manager and had been employed by White Castle since 2004.
The lawsuit accused White Castle of improperly requiring workers to scan fingerprints to verify their identity when punching the clock or when accessing work computers, without first securing workers’ written consent and without providing workers with notices concerning how the scanned prints might be used, stored, shared or ultimately destroyed.
White Castle removed the case to federal court and moved to dismiss. In that motion, they argued the law should be read to require them to pay damages only for the first violation of the BIPA law. If that interpretation had been upheld, it would have invalidated Cothron’s claim, because she first scanned her fingerprint before the 2008 law was in place.
Plaintiffs pushed back, however, arguing the law should instead be interpreted to require White Castle to pay for every fingerprint scan obtained without notice or consent.
A federal judge rejected that motion, but allowed the question to advance to the U.S. Seventh Circuit of Appeals. The judge noted the question could prove pivotal, as White Castle’s theory would limit the class action to just one injury claim per employee, not hundreds or thousands per worker.
In dollar terms, the difference could be a payout of $9.5 million under White Castle’s theory or potentially more than $17 billion under the plaintiffs’ approach.
At the Seventh Circuit, judges said they did not feel comfortable answering such an important question under state law. So, they sent the matter to the Illinois Supreme Court, to deliver a final answer.
The White Castle case has been closely watched by observers on both sides. To this point, Illinois courts have proven of little help for the thousands of businesses targeted by class actions under the BIPA law.
On the books since 2008, the BIPA law was touted by supporters as a way to govern how companies can collect Illinois’ residents so-called unique biometric identifying data, such as scans of retinas, fingerprints or faces. The law also included provisions designed to punish companies that fail to safeguard that data, or improperly share it with others.
Under the law, Illinois residents are given the ability to sue companies for improperly collecting or sharing their data, and to demand damages of $1,000-$5,000 per violation.
And since 2015, when a growing cadre of trial lawyers first began pressing class actions under the law, the BIPA statute has been used to bring claims against tech giants, like Facebook and Google, resulting in headline-grabbing settlements of $650 million and $100 million, respectively.
However, the overwhelming bulk of the class actions have taken aim at smaller companies, a wide range of employers sued for the way in which they require workers to scan fingerprints or other biometric identifiers to clock in and out of work shifts, or to access secure facilities or systems on the job.
Fearing huge payouts, many of those companies have opted to settle the BIPA class actions against them, with hundreds of settlements paying up to $50 million each. Lawyers representing plaintiffs have typically claimed 25-40% of those funds each time.
At the Illinois Supreme Court in May, White Castle argued its position was in keeping with the plain language of the law and with prior Illinois Supreme Court decisions regarding liability under BIPA, including the case known as Rosenbach v Six Flags. In that ruling, the state high court ruled plaintiffs don’t need to prove they were ever really harmed by the collection of their biometric data in order to sue under BIPA.
The fast food purveyor argued subsequent fingerprint scans by Cothron and other White Castle employees don’t amount to “continuing violations” or “new disclosures” that should trigger more damages under BIPA.
“Once the secret is out, the secret is out,” said attorney Melissa Siebert, of the firm of Shook Hardy & Bacon, who represented White Castle before the Illinois Supreme Court.
Justices serving on the court at the time seemed skeptical of the plaintiffs’ position, questioning whether the “astronomical” damage claims were “disproportionate” for purely statutory violations without any real injuries.
But in the months since, the Illinois Supreme Court underwent massive change, with four new justices replacing four of the justices who heard arguments last spring. Nonetheless, the court delayed issuing its decision on the case until after the four new justices joined the ranks and could join in the decision.
In the majority opinion, Rochford said the majority believes the “plain language” of the law “demonstrates that … violations occur with every scan or transmission.”
The majority, she said, specifically further rejected White Castle’s assertion that violation of privacy rights under BIPA can only be a “single overt act.”
Rochford said that argument improperly brushes past the high court’s conclusion in Rosenbach and subsequent decisions that the “injury” under the law is the “statutory violation itself.” The majority reiterated its determination that plaintiffs don’t need to prove they were harmed in any real way to press their claims seeking multi-million or even billion dollar payouts from targeted companies.
'Absurd' 'punitive' results
In dissent, Justice Overstreet said that interpretation of the law will lead to “consequences that the legislature could not have intended” and would make the law “especially burdensome for employers.”
Overstreet said the law was meant to address the “collection” of biometric data, and the majority has gone too far in allowing plaintiffs to claim each fingerprint scan is the same as a distinct “collection.”
“Here, White Castle obtains an employee’s biometric identifier the first time that a fingerprint is scanned,” Overstreet wrote. “White Castle is obviously not obtaining it with subsequent scans - White Castle already has it. As plaintiff acknowledges in her complaint, White Castle obtains an employee’s fingerprint and stores it in its database. The employee is then required to use his or her fingerprint to access paystubs or White Castle computers.
“With the subsequent scans, the fingerprint is not being obtained, it is being compared to the fingerprint that White Castle already has.
“… The subsequent scans did not collect any new information from plaintiff, and she suffered no additional loss of control over her biometric information.”
Overstreet criticized the majority for sloppy and faulty legal reasoning in the case. He noted the majority “never explains how there is any additional loss of control or privacy with subsequent scans… The majority simply asserts that every scan is a collection and therefore a violation of the Act.
“And this is the key flaw in the majority’s analysis: it begs – rather than answers – the most important question before the court.”
Further, he said, by brushing aside the risk of financial ruin to employers for purely statutory violations, the majority also ignores a key legal tenet, that courts should avoid reaching legal conclusions that lead to “an absurd result.”
In this case, Overstreet said, the absurdities are multiple.
First, he said, the ruling will financially incentivize plaintiffs to wait as long as possible. Earlier this month, the state Supreme Court ruled BIPA claims can accrue over a five-year period. Thus, plaintiffs are essentially invited to amass as many violations as possible within a five-year period, to maximize their potential payout in court.
“This point, all by itself, should convince the majority that its interpretation is wrong,” Overstreet said. “If, indeed, a party was losing control over his or her biometric information with every scan, this incentive would simply not exist.”
Further, he said, the interpretation would lead to an “absurd result” in which an employer who intentionally sells employee biometric data would face damages of only $5,000 per employee, while an employer who merely asked employees to scan fingerprints to track their work hours “could be subject to damages hundreds or thousands of times that amount.”
This interpretation “could lead to annihilative liability for businesses” who have “no ill intent,” leading to a result in which employers and other businesses may choose to abandon new technology altogether for fear of facing massive liability under BIPA.
“… The Act’s legislative findings and intent show that the legislature recognized the utility of biometric technology and wanted to facilitate its safe use by private entities by regulating how it is used,” Overstreet wrote. “… I see nothing in the Act indicating that the legislature intended to impose cumbersome requirements or punitive, crippling liability on corporations for multiple authentication scans of the same biometric identifier.
“The legislature’s intent was to ensure the safe use of biometric information, not to discourage its use altogether.”
Plaintiffs were represented in the case by attorney James B. Zouras, of the Stephan Zouras firm.
The case against White Castle remains pending in Chicago federal court.