Rays of hope for BIPA defendants and plaintiffs in two cases
No matter where biometric data privacy cases in Illinois go — to state or federal courts — the question remains: Do potential or real privacy violations outweigh possibly “ruinous” fines levied on state entities? The question rests on whether the law allows claims to accrue.
Two new court decisions, by a federal appeals court and one from a state appellate court, directly address that question, but neither came close to settling it. In the background of both cases is Illinois’ Biometric Information Protection Act, or BIPA, the nation’s high-water mark in terms of protecting biometric data.
The U.S. Seventh Circuit Court of Appeals, which had been considering a fingerprint biometric case called Cothron v. White Castle System, Inc. (case 20-3202), decided it would be better if the Illinois State Supreme Court judged the matter than itself.
A good rundown of the matter has been published by the Cook County Record here. The case is on hold while the state justices consider it.
Meanwhile, the Illinois Appellate Court has found that every time biometric data is collected without following BIPA, a new claim is accrued, writes law firm Nixon Peabody, which did not participate in Watson v. Legacy Healthcare Financial Services, LLC.
Nixon Peabody’s analysis of the latest Watson case is here.
Both actions could put biometrics-deploying Illinois entities collectively on the hook for untold numbers of potential BIPA violations through future legal interpretation. Of course, they could just as well curtail an individual’s rights to their most personal information, maybe to the point of irrelevance.
Looking at Cothron, White Castle argued that a defendant should only have to answer to a purported violation the first time it happens and never again.
(In this particular matter, a judgment agreeing with White Castle would benefit the hamburger-maker twice. It would put Cothron’s legal protest beyond the state’s relevant statute of limitations, and would protect it from fines resulting from complaints brought by other plaintiffs.)
Given that BIPA allows for statutory damages of $1,000 or $5,000 for each violation, a large restaurant chain like White Castle could face significant fines.
But given that each and every collection of biometric data from an individual can be misused, transferred or stolen for criminal gain, and that biometrics are permanent, irreplaceable identifiers, people have monumental skin in a game in which they have comparatively little to gain.
Transferring Cothron to the Illinois Supreme Court is not unprecedented, according to the Cook County Record. And a decision in federal court could have unintended negative implications for “fundamental” state accrual principles.
This is a game of hot potato, in that respect. But also, BIPA is both unique and a matter that the state justices have considered a great deal. They are better acquainted with the matter.
Meanwhile, Illinois’ appellate court considered Watson’s violation-accrual arguments and found that, indeed, each collection of biometric data can potentially be a violation of BIPA.
(This decision could stand or fall based on how the state supreme decides Cothron. But knowing about Watson will be important for any biometric-privacy plaintiff and defendant in Illinois.)
Quoting the court, Nixon Peabody wrote that “the plain language of the statute establishes that it applies to each and every capture and use of plaintiff’s fingerprint or hand scan.”
While the court dismissed the fact that multiple violations could possibly cripple a company, it pointed out what no doubt was obvious to Legacy Healthcare’s legal team.
Under the law, damages are discretionary and not mandatory. Defendants can argue they did not violate BIPA, and if they lose, they can at least try to convince a judge that the remedy would not match the crime — misusing or not protecting a person’s biometric data adequately.