By Mark Glennon of Wirepoints
How sadly ironic that White Castle became the latest victim of the Illinois General Assembly’s malfeasance. Its stores are modeled after the Chicago Water Tower, which survived the Chicago Fire and stands as a monument to the spirit of tenacity and resilience that once prevailed to rebuild the city.
Today, Mrs. O’Leary’s cow is the state’s own government. It set off what the law firm Mayer Brown rightly calls a “six-alarm fire for businesses with customers or employees in Illinois.”
BIPA, the Biometric Information Privacy Act, arises from a legitimate concern, as most laws do. In this case, it’s privacy of personal biometric information such as fingerprints, DNA and distinctive elements of things like face and retina features. Some of that data is used widely in the business world for things like time management, security, wellness programs and worker safety. The law requires informed consent prior to collecting the data, mandates protection and retention guidelines and bans profiting from selling the data.
That’s fine, but the problem is that the law imposes penalties wildly out of proportion to the seriousness of noncompliance or amount of harm done by a violation.
It can be a death penalty for violators. And the law allows anybody affected to sue for those fines.
That’s a firebomb recipe for personal injury lawyers. Nearly 2,000 lawsuits alleging violations of BIPA have been filed since 2017, “yielding a series of massive settlements and judgments,” as Reuters reported. Defendants have included Facebook, which paid $650 million to settle a BIPA class action and BNSF Railway Co, which a jury ordered to pay $228 million to truck drivers. Anybody thinking about suing enjoys a very generous five-year statute of limitations.
Then came last week’s decision on White Castle from the Illinois Supreme Court, pouring accelerant on the fire.
Separate BIPA violations occurred every time an employee used White Castle’s system that required its employees to scan their fingerprints to access their pay stubs and computers, the court ruled. And BIPA authorizes statutory damages of $1,000 for “each violation” of the statute, or $5,000 if the violation is intentional or reckless.
The top court’s decision therefore could mean a $17 billion liability for White Castle since some 9,500 current and past employees had used the system for years, as a dissenting opinion says, citing White Castle’s estimate. The court’s decision “could easily lead to annihilative liability for businesses,” says the dissent.
That’s what makes the decision terrifying for many other businesses that use biometrics. Every instance of use could mean a penalty of $1,000 or $5,000.
The decision “leaves the plaintiffs’ bar with an all-you-can-eat biometric café,” wrote the law firm Winston & Strawn in its newsletter.
A liability that big would destroy White Castle many times over. It’s not that big a company compared to many publicly owned food chains and is privately owned.
Sorry, said the majority of the court said in their opinion, the plain language of the statute required that result. If this needs to be fixed it’s up to the General Assembly. “Ultimately,” the majority opinion says, “we continue to believe that policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature.”
That’s the real takeaway – the General Assembly should have fixed this long ago. The liabilities being imposed under BIPA have been burning out of control for several years, and the ruling making each instance subject to a penalty has long been feared, having percolated up through the courts for several years. Bills to fix it have languished.
The dissent argued that only one violation should be recognized for any employee for the first time fingerprints are collected, and that the law must have been intended that way.
Right or wrong, that’s now water under the bridge. The top court has ruled. Only the General Assembly can fix the statute.
One next potential victim of BIPA may be the cannabis industry, an increasingly important revenue force for the state, according to lawyers at Dentons U.S. “BIPA damages could be a death knell to cannabis operators,” they wrote, explaining,
The cannabis industry has placed a strong emphasis on security for grow facilities and dispensaries. These enhanced security measures are a must to protect employees handling largely cash transactions and customers purchasing a heavily regulated product. But, in taking these reasonable security measures, the cannabis industry has opened itself up to litigation surrounding BIPA’s stringent requirements.
The majority opinion in White Castle’s case says, “We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.”
That’s being too nice. Nobody should be “respectfully suggesting” anything to legislature about this. They should have fixed BIPA long ago. Fix it now.
In the meantime, any business touching Illinoisans in any way that uses biometrics should follow the advice of many lawyers: At least mitigate your exposure by immediately reviewing policies and practices related to biometric information to ensure BIPA compliance, including biometric use for employee timekeeping.
