Biometric data privacy lawsuits approach the absurd with Illinois ruling, Texas claims
White Castle could be forced to pay out $17 billion in damages to a plaintiff for biometric data privacy infringements despite the data not being stolen or breached. Unlike White Castle, many BIPA defendants are small businesses.
Exorbitant damages are an expected consequence of the decision by Illinois’ Supreme Court that claims under the state’s Biometric Information Privacy Act accrue with each non-compliant collection or disclosure, rather than only the first in each situation, reports Law360.
The court invited Illinois legislature to revisit the law, saying its language makes the ruling inevitable.
Mark Eisen, a Benesch Friedlander Coplan & Aronoff partner who defends clients in BIPA cases, told Law360 the decision amounts to an admission that the law “might be absurd, but call your state representative.”
Plaintiffs also have five years, rather than one, to file a complaint, due to another decision by the same court just weeks ago.
The ruling also clarified that damages under the statute are discretionary, not mandatory, opening a window for companies that have taken steps to comply with BIPA to avoid being bankrupted by a successful complaint. How that discretion should be applied, however, remains a subject of speculation.
Eisen also suggested to Law360 that the result of higher potential damages could be more individual litigation replacing some class actions.
Logistics firm NFI has had a settlement worth almost $3.5 million approved by an Illinois federal judge. It was likewise accused of failing to receive informed consent before collecting employees’ biometrics.
Meta pushes back
Meanwhile in Texas, Meta has filed a motion to quash a Deposition Notice which filed by the State’s Attorney General’s Office on February 7, 2023, arguing that it presents a moving target with an ever-expanding scope.
The motion (also via Law360) says that what started as a suit over the use of biometrics in Facebook’s tag suggestions feature now includes every use of facial recognition on every platform owned by Meta over a 12-year period.
The same day, Meta filed a motion for a partial summary judgement, on grounds that the state is seeking civil penalties on behalf of non-users, who do not count as “consumers” under the state’s Deceptive Trade Practices Act. Including them, the company says “would lead to absurd results.” The example it provides of such absurdity is that if the suit proceeds, Texas could sue a company alleged to have failed to disclose material information to a single consumer on behalf of every person in the state.