Court rulings supercharge Illinois’ strongest-in-nation biometric privacy law
Law’s critics want to reopen debate, but backers say law is working as intended
In the wake of a pair of recent decisions from the Illinois Supreme Court strengthening the state’s law governing how companies must treat employees’ and customers’ biometric data, longtime critics of the law see an opening to weaken it.
But backers of Illinois’ Biometric Information Privacy Act are reluctant to renegotiate the strongest-in-the-nation privacy protections laid out in the law, and they characterize opponents’ uproar following the court decisions as “fear mongering.”
Nearly 15 years after the law’s initial passage, legal interpretations of BIPA are still taking shape, as widespread use of the technology that collects biometric data such as fingerprint and facial scans has only recently caught up to the law’s forward-looking language. The wide adoption of such technology has led to the proliferation of class action lawsuits under BIPA, creating what opponents of the law have called a cottage industry for ambitious attorneys.
A constant refrain in those suits has been that if an individual’s social security number is stolen, it may be a nuisance to get a new one but not impossible. But there’s no remedy for a stolen fingerprint, retinal, voice or face scan, they argue. Under the law, companies deploying this technology must obtain employees’ or customers’ written consent before their biometric information is collected.
While two other states have imitated Illinois’ first-in-the-nation biometric privacy law, Illinois is the only of the three states that allow individuals the right to sue over the improper collection and mishandling of biometric data.
Since about 2018, upwards of 2,000 suits have been filed under BIPA, followed by several high-profile, high-dollar settlements – including the $650 million Facebook paid out after settling a class action suit in 2020. Those legal developments, in addition to a series of Illinois Supreme Court decisions interpreting BIPA’s limits in ways that favor plaintiffs, have all spooked the business community.
Fast food chain White Castle, the defendant in the most recent case decided by the state’s high court, claims the court’s ruling could cost the company $17 billion – a figure that businesses warn could bankrupt entire industries.
But even in deciding against White Castle, the majority on the court sought to assuage fears that future damage awards in BIPA cases would force a company to shutter. The court wrote “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.”
The opinion did, however, “respectfully suggest” the General Assembly review BIPA “and make clear its intent regarding the assessment of damages under the Act.”
Whether the court’s advisory will open the door to bigger changes in BIPA – or whether it will be heeded at all this year – remains to be seen, as proponents say litigation over biometric privacy means the law is working exactly as it should.
Two major BIPA-related decisions from the state’s high court were issued in February. A unanimous majority found the law unequivocally provided for a five-year statute of limitations on lawsuits against companies that collected biometric information from employees or customers without proper notice – instead of the one-year time limit argued by the business community.
And two weeks later, a divided court ruled that each time someone’s biometric data is collected constitutes a separate violation of BIPA, which under the law means $1,000 in damages for “negligent” violations or $5,000 for “reckless” or “intentional” violations. However, the court didn’t rule on the question of damages specifically, which means the legal question of how damages can accrue under BIPA is still unsettled.
In that case, the justices were charged with deciding whether White Castle violated BIPA each time its employees scanned their fingerprints to access work computers and pay stubs or, as White Castle contended, whether only the initial collection of fingerprints without proper notice constituted a single violation under the law.
In a 4-3 opinion, the majority of the seven-member court – four of whom were not yet on the court when the case was argued last May – reasoned they could not limit BIPA claims to just “the first time a private entity scans or transmits a party’s biometric identifier or biometric information.”
“No such limitation appears in the statute,” the majority wrote. “We cannot rewrite a statute to create new elements or limitations not included by the legislature.”
Taken together, both the White Castle decision and the unanimous opinion solidifying the assumption of a five-year statute of limitations under BIPA have strengthened the law, but the full effects of those decisions won’t be felt until those cases wind their way back down to trial court – if the parties even choose to continue litigation instead of settling. So far, BIPA has only seen one jury test: a federal jury in October granted $228 million in damages in a class action case against BNSF Railways.
Despite the Illinois Supreme Court’s decision in the White Castle case, plaintiffs aren’t guaranteed a win when it returns to trial court; the lawsuit has yet to be certified as a class action, and would also need to go through a lengthy discovery process before going to trial.
The long road ahead for these cases is why State Rep. Ann Williams, D-Chicago, said she won’t be diving headfirst into negotiations to tweak the law any time soon. Williams, who wasn’t yet in office when BIPA passed in 2008, has taken the lead on biometric information and other privacy measures in the House. She said she’s wary of those calling for changes to the law, characterizing them as “sky-is-falling” alarmists who merely want to strip BIPA of its protections before letting the litigation continue to unfold.
“So to react immediately by making a quick change in the law without saying how things play out seems a bit premature to me,” Williams said in an interview.
But Mark Denzler, president and CEO of the Illinois Manufacturers’ Association, said he and other business leaders aren’t sounding a false alarm but are instead heeding very real warning bells.
“I had a conversation with an auto company (recently) that’s no longer going to test autonomous vehicles in Illinois because of this ruling,” Denzler told Capitol News Illinois.
He cautioned that companies becoming fearful of facing expensive BIPA lawsuits in the course of doing business – like collecting images of pedestrians while testing autonomous vehicles – will hinder goals Denzler shares with Gov. JB Pritzker, including making Illinois a leader in high-tech manufacturing.
“Certainly these decisions (from the Illinois Supreme Court) throw cold water on that,” Denzler said.
15 years of BIPA
When then-Gov. Rod Blagojevich signed BIPA into law in 2008, it was a novel concept meant to guard against technologies that, at the time, were still mostly the stuff of science fiction.
The legislation passed with unanimous support in both the Illinois House and Senate, with bipartisan sponsorship. Legislative records at the time indicate there was no debate on the floor of either chamber. The introduction from then-State Rep. Kathleen Ryg, D-Vernon Hills, cited the recent bankruptcy of Pay By Touch, a tech company that allowed grocery store customers to complete their purchases with a scan of their fingerprint.
“This pullout leaves thousands of customers from Albertsons, Cub Foods, Farm Fresh, Jewel, Osco, Shell, and Sunflower Market wondering what will become of their biometric and financial data,” Ryg said at the time.
BIPA didn’t face much legal scrutiny in the first decade or so of its existence. But around 2017 and 2018, a trickle of BIPA-related lawsuits quickly became an explosion as attorneys such as Chicago-based Jay Edelson pioneered biometric privacy litigation in his own small firm, while larger firms created practice areas specializing in the law.
Technology, too, has caught up with what was merely theoretical at the time of BIPA’s passage; both employees and customers are regularly subjected to the collection of their biometric privacy data, through means such as fingerprint scan, time clocks and closed-circuit video systems with facial recognition abilities.
In early 2019, the Illinois Supreme Court issued the first of its opinions reviewing BIPA, unanimously finding that a plaintiff doesn’t need to plead “actual harm” in order to prove a company violated BIPA. In other words, whether an employee or customer’s fingerprints or other biometric data was hacked, stolen or sold is irrelevant; merely the act of having one’s biometric data collected without their express consent was enough to warrant up to $5,000 in damages per violation.
One of the earliest legal tests of BIPA – a suit Edelson filed against Facebook in 2015 for the tech giant’s use of facial recognition technology – would also become one of the biggest. The $650 million settlement agreed to by Facebook in 2020 catapulted the relatively unknown law into the headlines when Illinoisans signed up for their share of the money, and again when they received those $397 checks last May.
Plaintiffs firms took advantage of the buzz around BIPA and started recruiting potential class members for new suits against social media and other tech companies last year.
But long before the crush of BIPA-related lawsuits began, lobbying efforts unsuccessfully tried to weaken the law. In 2016, then-state Sen. Terry Link, D-Vernon Hills, who had been the Senate sponsor of BIPA in 2008 and has since been indicted for unrelated tax evasion charges, sponsored a bill that would have retroactively excluded photos posted online from being subject to the law. Had it passed, the measure would have ended the ongoing lawsuit against Facebook.
Democrats introduced similar bills in 2018, but they didn’t go very far, while BIPA-related bills filed by superminority Republicans have also been left on the cutting room floor.
BIPA moving forward
In its decision last week, the Illinois Supreme Court noted that its prior opinions in BIPA-related cases have “repeatedly recognized the potential for significant damages awards” under the law, which the justices said were intended to give companies “the strongest possible incentive to conform to the law and prevent problems before they occur.”
However, the justices also said they believed the legislature intended to make damages “discretionary rather than mandatory.” The high court also agreed that a trial court “would certainly possess the discretion to fashion a damage award that fairly compensated claiming class members and included an amount designed to deter future violations, without destroying defendant’s business.”
That’s cold comfort for defense attorneys like Danielle Kays of Chicago-based firm Seyfarth Shaw LLP, who represents companies facing BIPA lawsuits. Kays said the decision was “extremely disappointing” and could result in businesses having to pay out “draconian” damages. But, she noted, multimillion or -billion dollar damages could lead to a constitutional challenge of the law.
Before it gets to that point, Kays said, she would rather see the legislature address issues brought to the surface by legal challenges. She suggested allowing businesses to “cure” their violation of BIPA once it was brought to a company’s attention, especially since she noted the vast majority of biometric privacy litigation does not involve hacking, stealing or sale of that data.
But that’s a non-starter for Williams, who characterized the compliance standards laid out in BIPA as “not difficult.” However, she said she’d be willing to discuss clarifications and small tweaks to the law.
While Williams, who is an attorney, noted that many plaintiffs’ lawyers aren’t arguing for the accrual of damages on a per-scan basis, she said the specter of having such personal biometric data stolen or misused is reason enough to maintain the potential for “significant damages.”
“If you don't, these big tech companies that are billion-dollar companies are going to look at violations just as a cost of doing business, and not be concerned about compliance,” Williams said.
A spokesman from the ACLU of Illinois echoed Williams’ sentiments, saying the organization – an architect and backer of the law – doesn’t see any urgency to change it.
But Denzler, whose organization is one of the most influential business lobbying groups in Illinois, does.
“(There will be) billions paid out,” Denzler said of settlements and future damage awards. “That money could've gone to capital investments or higher wages for workers. Instead, it’s going into the pocketbooks of trial lawyers.”
State Rep. Jeff Keicher, R-DeKalb, said he believes a bill he’s put forward could strike the right balance in tweaking the law. House Bill 3199 would allow companies to obtain consent electronically for collecting and using employees’ and customers’ biometric data, in addition to clarifying that consent is only needed for the first time a company collects it.
Keicher said he’s sensitive to biometric privacy concerns because of the massive data center Facebook is building in his district. He called BIPA a “bragging point” because “we don’t allow Illinois citizens to be manipulated in the fashion that some other (states) do.”
“We have technology and we need to adapt to it, but at the same time, we have to be very sensitive to the abuses that some unscrupulous large technology firms may take,” Keicher said in an interview. “And so where that center line is, I think we owe it to the people of Illinois to investigate.”
Stephan Zouras, who represented the former White Castle manager at the center of the most recent case, is also involved with two other BIPA-related cases set for hearings in front of the high court in the next year or so. Those cases concern whether the Labor Management Relations Act preempts BIPA claims, and whether the law provides an exemption for employees in the health care industry.
“The decision is a win for the workers and all other citizens of Illinois who are understandably fed up with the cavalier and irresponsible disregard of their privacy rights by wealthy, powerful corporations, especially when those rights are trampled upon as a condition of employment at the workplace,” Zouras said in an email.
Capitol News Illinois is a nonprofit, nonpartisan news service covering state government. It is distributed to more than 400 newspapers statewide, as well as hundreds of radio and TV stations. It is funded primarily by the Illinois Press Foundation and the Robert R. McCormick Foundation.