Each time Latrina Cothron, a manager at a local White Castle restaurant near Chicago, Illinois, wanted to access workplace computers or see her pay stubs, she had to provide her fingerprint. She sued her employer, alleging that the company had violated her rights under the Illinois Biometric Information Privacy Act by collecting her biometric data without her permission.
Now White Castle could be on the hook for upward of $17 billion.
On February 17, the Illinois Supreme Court made a decision on Cothron’s case that sent the state’s business community reeling. According to the court, every time a company collects an individual’s biometric data without getting informed written consent, it counts as a separate BIPA violation with potential damages from $1,000 to $5,000. In the past, courts interpreted the law to mean one violation per person. Now, if an employee uses their fingerprint to sign into work, or every time they clock in and out for shifts or breaks, the number of infractions rack up quickly, and so does the amount of money to be paid out in damages.
“So now six times a day, 340 days a year for five years, one person is potentially a $1 million risk,” said Jason Stiehl, an attorney who works on litigation, technology and brand protection for Crowell & Moring LLP in Chicago.
Justices on the Illinois Supreme Court acknowledged that the extent of damages could be “harsh, unjust, absurd or unwise” but said the court is bound to interpret laws as they are written by state legislators.
This court decision in the White Castle case comes on the heels of another decision in Tims v. Black Horse Carriers. The ruling, announced on February 2, set the statute of limitations for BIPA violations at five years. Previously, that number had been unclear, but the courts had largely interpreted it to be about two years. So now not only are the damages potentially much higher but the number of incidents in violation could be much larger.
BIPA has been held up as the gold standard for consumer privacy acts. But the court’s latest interpretation of the Illinois law shows the pitfalls of some of its key aspects. The rulings underscore the risks of creating vague regulations for evolving technology and illustrate the tension between business interests and privacy.
When Ted Claypoole, an Atlanta-based data, technology and privacy lawyer, heard the news about the court’s ruling in the White Castle and Black Horse Carriers cases, his first thought was “Oh crap.”
But as a lawyer who advises clients on compliance with data laws, the court’s decision wasn’t a surprise to Claypoole. BIPA is vaguely written, and issues like the statute of limitations or whether violations are measured per person or per scan aren’t clearly written out.
“It’s not a crazy reading of the statute. It just is a crazy result,” said Claypoole.
BIPA has been around since 2008, and Claypoole and privacy advocates consider it to be one of the most important privacy laws in the U.S. because it allows individuals to sue companies using their biometric information without written consent.
But consumers or employees don’t actually need to show that they were harmed by their data being collected, thanks to a 2019 ruling by the Illinois Supreme Court in a case involving the Six Flags theme park.
After that decision, there was an increase in the number of BIPA complaints filed because anyone whose biometrics had been collected without proper consent could file a lawsuit.
This led to what Jeff Keicher, a Republican in the Illinois State House of Representatives, called “an obscene shakedown of business communities.”
Many of these cases have been large class-action lawsuits, resulting in companies like McDonald’s and its franchises across the state paying millions in damages.
In the first case to go to trial, BNSF Railway had to pay $228 million after truck drivers brought a class-action suit over the company’s policy of scanning their fingerprints when they went to BNSF rail yards.
But the recent decision in the White Castle case brings the potential damages to another level. Trade associations in Illinois are raising alarms that these large settlements will drive companies out of business and force Illinois residents out of their jobs.
“Getting a $2 million complaint is one kind of problem. Getting a $10 billion award against you is a whole other kind of problem,” said Claypoole. “It’s not just that it’s higher. It’s that it is existential. It’s life threatening to a business.”
Since the rulings, the number of BIPA complaints filed has gone up, according to Anne Mayette, a labor and employment lawyer who advises clients on BIPA compliance at Husch Blackwell, a national law firm. The number of cases expanded after the Six Flags ruling determined that plaintiffs don’t need to prove that harm was inflicted by the use of their biometrics, but the pace slowed down after a while. After the two latest decisions, Mayette estimates she sees 3 to 10 BIPA suits a day, compared to a few per week previously.
It’s not all panic for businesses though. Many of the companies who were vulnerable to lawsuits have already built policies to be compliant with BIPA.
Stiehl, the attorney, also sees a “silver lining.” The amount in damages is discretionary, not mandatory, meaning a jury can decide to order a smaller payment. Stiehl thinks the White Castle case will go on to trial court, and the company will not be hit with the full $17 billion in damages. “It sends a larger message,” he said, “saying this is not your pot of gold.”
The typical pattern is for regulation to lag behind technology. BIPA is the opposite. In the years since the law passed in 2008, biometrics have changed significantly. That’s why Keicher, the house representative, thinks that it’s time to make some changes to the Illinois law.
“We’re dealing with a statute that’s 15 years old that didn’t even foresee any of the technological advances that we have today,” he said. “To say that it doesn’t need any attention, I think, is naive to the way our society is progressing.”
Keicher has brought forward two bills regarding BIPA this year that decrease a company’s liability to BIPA lawsuits. One clarifies that a company only needs to get consent to collect a person’s biometrics once and makes it clear that BIPA doesn’t apply to biometrics that are stored as mathematical representations. The other says that if a company fixes the problem within 15 days of receiving notice of a violation of BIPA, it can’t be subject to legal action in pursuit of damages.
In particular, attorneys like Claypoole and Stiehl want to get rid of the ability for individuals to directly sue companies through a legal mechanism known as the right to private action. It’s what makes Illinois law unique and allows for these types of suits with statutory damages in the millions.
“Frankly, the easiest way is to take it out of the plaintiffs’ counsels’ hands,” said Stiehl. “ There are paths to still enforce these things in a reasonable way.”
A reckoning over BIPA could have an impact on potential legislation in states like New York, which is considering a similar law that includes the right to private action.
But BIPA isn’t the only model. Texas and Washington have similar biometric privacy laws, but they are enforced by the states’ attorney general, rather than individuals taking direct legal action against companies.
Keicher, for one, thinks handing the enforcement power to the attorney general, particularly in cases involving the employees of a company using biometrics, is a good idea.
Keicher is hopeful that there will be some amendments to BIPA made by the time the legislative session wraps up in May.
“I can’t imagine we walk away at the end of the day without having some sort of accomplished guidepost of where this needs to go,” he said.
But not everyone shares that optimism. Bills amending BIPA historically haven’t gotten very far.
“I’m fully convinced a company will have to be bankrupted by this for a change to be made,” said Mayette, the lawyer at Husch Blackwell.
Keicher thinks that the current way BIPA is working in practice has gone beyond what the lawmakers who wrote the bill intended.
“I certainly don’t think that the framers of the original bill would have wanted a $17 billion judgment against White Castle,” he said. “You can’t sell enough sliders to make that make sense.”