Historic penalty decision in BIPA case shows the need to take biometric privacy seriously

Biometrics in one U.S. jurisdiction is now officially a live electrical wire dancing on the ground, ready to shock the unwary, and there appears to be no shortage of unwary companies in the state of Illinois.

The Illinois Supreme Court last week declined to revisit a previous decision that a company can be held liable for every biometric scan it conducts on anyone without their consent or without advising the subject how the data collected will be managed.

The state’s Biometric Information Privacy Act, passed in 2008, mandates that businesses wanting to use the biometrics of Illinois residents take special care of the data, which is a person’s only irreplaceable identifiers.

Companies globally profit from the identifiers without consent or compensation. And biometrics have been stolen, causing unmeasurable damage to individuals who are victimized. The courts have not been kind to some of these businesses.

The latest decision (No. 128004), in Cothron v. White Castle System could, as the defendant has warned, force a business out of business under the weight of the collective penalties. A judge had previously sided with the plaintiffs, but that decision was appealed to the state supreme court.

White Castle can appeal the decision no further because the United States Supreme Court doesn’t weigh in on state constitutional issues. There is some momentum behind an effort to defang BIPA with new legislation, but it is not clear how it would impact White Castle and other companies that have run afoul of the law.

The justices in the minority excoriated the majority, according to reporting by legal trade publication The National Law Review. There is no evidence that legislators approving BIPA wanted to create existential punishment for companies found guilty of violating the law.

Cothron v. White Castle bears on another significant BIPA case – Rogers v. BNSF Railway — that seemingly was already decided.

The judge last fall awarded $228 million in a class action. A truck driver sued the rail firm for taking his biometrics every time he drove onto the company’s property.

The plaintiffs say that the White Castle award means they should get more compensation because their award was figured per driver, not per scan.

The defendant had previously said it wants the penalty reduced because it was treated as being mandated and not discretionary.

As noted, there appear to be no shortage of unwary companies in Illinois when it comes to BIPA, and an analysis of privacy developments points to health care companies that have using Meta Platform’s Pixel software feature to collect information from people traversing their sites.

Whether Pixel is a new avenue for BIPA plaintiffs is not clear, but in reporting on people who claim their medical data was collected and shared, an article in the legal trade journal Law360 again makes the case – perhaps unwittingly — that some personal information, once out of a person’s control is forever available for others’ use.

Article Topics

biometric data  |  biometric identifiers  |  Biometric Information Privacy Act (BIPA)  |  biometrics  |  lawsuits