The Illinois Supreme Court issued a much-anticipated opinion on the state’s biometric privacy law Friday, leaving the door open for massive damages when companies are found to violate residents’ privacy rights but suggesting lawmakers revisit the issue.
The case involves Ohio-based fast food company White Castle. Latrina Cothron, a White Castle manager, alleged she was required to use a fingerprint scan in order to access her paystubs at White Castle.
Privacy attorneys and experts have closely watched for the Supreme Court’s decision in the Cothron case because of the potential for a ruling that could allow damages to accrue each and every time Cothron scanned her fingerprints over the course of her employment with White Castle.
On Friday, the Supreme Court ruled that biometric privacy claims accrue under state law every time a person is asked to provide their biometric information without prior informed consent. The court acknowledged that this interpretation of the law could leave the door open to massive damages — in White Castle’s case, more than $17 billion, but said “the statutory language clearly supports plaintiff’s position.”
But the court also suggested damages should not be so large as to bankrupt businesses, as White Castle has argued.
The majority wrote in its opininon that while subjecting companies to substantial liability “is one of the principal means that the Illinois legislature adopted to achieve the Act’s objectives of protecting biometric information, there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.”
“Ultimately, however, we continue to believe that policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature,” the court wrote. “We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.”
Matthew Kugler, a professor at Northwestern University’s Pritzker School of Law whose research includes biometric privacy issues, said the ruling sends a clear to signal to lower courts that companies should not be required to pay out such massive damages in privacy cases.
“We will continue to see a large damages awards, but the court is signaling to the lower courts that those awards should not be larger than they were previously,” Kugler said.
A number of major business groups signed onto amicus briefs in support of White Castle, including the National Retail Federation, the Chicagoland Chamber of Commerce, the Illinois Chamber of Commerce and the Chamber of Commerce of the United States.
Illinois’ biometric privacy law requires affirmative consent before companies can collect and store biometric data, such as fingerprints or retina scans. It’s considered the strictest such law in the U.S., in large part because it allows individuals to sue companies over alleged violations.
Texas has a similar biometric privacy law, but only the state’s attorney general can bring a lawsuit under its statute. Since its passage in 2008, the Illinois law has sparked upwards of 1,600 lawsuits in state and federal courts, according to White Castle’s attorneys in their Supreme Court brief. Illinois residents who received checks from class action settlements by tech companies such as Facebook have been the beneficiaries of the law.
More to come.