The Illinois Supreme Court issued a much-anticipated opinion on the state’s biometric privacy law Friday, leaving the door open for massive damages when companies are found to violate residents’ privacy rights but suggesting lawmakers revisit the issue.
The case involves Ohio-based fast food company White Castle. Latrina Cothron, a White Castle manager, alleged she was required to use a fingerprint scan in order to access her paystubs at White Castle without prior consent in violation of the law.
Advertisement
Privacy attorneys and experts have closely watched for the Supreme Court’s decision in the Cothron case because of the potential for a ruling that could allow damages to accrue each and every time Cothron scanned her fingerprints over the course of her employment with White Castle.
On Friday, the Supreme Court ruled that biometric privacy claims accrue under state law every time a person provides their biometric information without prior informed consent. The court acknowledged that this interpretation of the law could leave the door open to massive damages — in White Castle’s case, more than $17 billion, but said “the statutory language clearly supports plaintiff’s position.”
Advertisement
But the court also suggested damages should not be so large as to bankrupt businesses, as White Castle has argued.
In a split opinion, the majority wrote that while subjecting companies to substantial liability “is one of the principal means that the Illinois legislature adopted to achieve the Act’s objectives of protecting biometric information, there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.”
“Ultimately, however, we continue to believe that policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature,” the court wrote. “We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.”
In a statement, White Castle said it was “deeply disappointed with the court’s decision and the significant business disruption that will be caused to Illinois businesses, which now face potentially huge damages.” The company said it was reviewing its options to seek further judicial review, pointing to the dissent in the ruling.
James Zouras, an attorney for Cothron, said in a statement he was “extremely gratified” by the ruling.
“The Illinois Supreme Court’s well-reasoned decision affirms that the law means what it says and that biometric data collectors cannot shirk their duties by relying on dubious interpretations of the statutory text,” Zouras said. “Hopefully, today’s decision will encourage employers and other biometric data collectors to finally start taking the law seriously and ensure such biometric data is properly safeguarded.”
Three justices dissented from the ruling, arguing that a claim under the biometric privacy law accrues only upon the first scan or transmission of biometric data. “There is only one loss of control or privacy, and this happens when the information is first obtained,” the dissenters argue, adding that the majority’s ruling could lead to “annihilative liability” for companies.
“Imposing punitive, crippling liability on businesses could not have been a goal of the Act, nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm,” the dissent reads.
Advertisement
Matthew Kugler, a professor at Northwestern University’s Pritzker School of Law whose research includes biometric privacy issues, said the ruling sends a clear to signal to lower courts that companies should not be required to pay out such massive damages in privacy cases.
“We will continue to see a large damages awards, but the court is signaling to the lower courts that those awards should not be larger than they were previously,” Kugler said.
A number of major business groups signed onto amicus briefs in support of White Castle, including the National Retail Federation, the Chicagoland Chamber of Commerce, the Illinois Chamber of Commerce and the Chamber of Commerce of the United States.
Illinois’ biometric privacy law requires affirmative consent before companies can collect and store biometric data, such as fingerprints or retina scans. It’s considered the strictest such law in the U.S., in large part because it allows individuals to sue companies over alleged violations.
Texas has a similar biometric privacy law, but only the state’s attorney general can bring a lawsuit under its statute. Since its passage in 2008, the Illinois law has sparked upwards of 1,600 lawsuits in state and federal courts, according to White Castle’s attorneys in their Supreme Court brief. Illinois residents who received checks from class action settlements by tech companies such as Facebook have been the beneficiaries of the law.
More to come.
Advertisement
Advertisement
Advertisement
Advertisement
.
.