Illinois Rulings On Biometric Privacy Expand Tech Firms' Liability

An Illinois biometric privacy legislation that was already among the strictest in the country has been expanded by two court decisions, raising the possibility of civil responsibility for businesses that collect personal information using facial recognition software, retinal scans, or fingerprinting.

‍

The 2008 law, intended to safeguard both consumers and employees, prohibits businesses from gathering or sharing biometric data without permission, with fines ranging from $1,000 to $5,000 for violators. In its early years, the statute received little attention or application, but in recent years, it has served as the foundation for an enormous number of lawsuits, many of which are vying for class-action status. Many US businesses, notably the tech behemoths Google and Facebook, have already reached substantial settlements in court disputes.   

‍

Following two judgments from the Illinois Supreme Court this month, legal breaches could cost businesses more money. In the most recent case, a divided court decided against the fast food company White Castle System Inc., which is attempting to refute accusations that it frequently scanned employees' fingerprints without their permission. The business projects that the damages might reach $17 billion.

‍

White Castle contended that company could only be held accountable for the first collection of each employee's fingerprints, not for every scan. The court disagreed, stating that a straightforward interpretation of the legislation shows that every incident of illegal biometric data collection or transfer constitutes a new offense.

‍

The state government should address any policy worries about "possibly exorbitant damage awards," the court ruled 4-3. The dissenters claimed that state legislators never intended to subject companies to "punitive, debilitating liabilities."

‍

White Castle is considering its options, according to a representative. In an amicus brief, the U.S. Chamber of Commerce expressed concern that a decision against the chain would "ruin rather than dissuade" businesses.

‍

The verdict upholds that biometric data collectors "cannot evade their duty by relying on erroneous interpretations of the statutory text," according to James Zouras, an attorney who argued the workers' case. 

‍

A second decision sided with the plaintiffs in a lawsuit filed by employees against a logistics company for allegedly unlawfully collecting fingerprint data for employee time clocks, giving them a five-year legal window to bring their claim rather than the company's suggested one-year timeframe.

‍

In anticipation of the state Supreme Court decisions, between 1,000 and 2,000 cases were on hold, according to Gerald Maatman, a lawyer with Duane Morris LLP, who is defending about 50 businesses in these claims. He projected that as a result of the recent rulings, more lawsuits would be filed and plaintiffs' counsel would request larger settlements.

‍

The floodgates are now open, declared Mr. Maatman. In the modern era, where everyone lives their life steeped in technology, the idea of privacy is so crucial and sacrosanct. I would anticipate additional rules requiring commitments from businesses.

‍

Google, a subsidiary of Alphabet Inc., reached a $100 million settlement last year on allegations that the firm's photo-sharing and storage service acquired users' facial data without their consent. In order to resolve related charges, Facebook Inc. agreed a $650 million settlement in 2021.

‍

The issue was successfully resolved in Illinois, according to a Google spokesman, but the company is still dedicated to developing intuitive controls for its photo recognition software. Facebook declined to comment, although it did admit that it modified its photo tagging system at the time of the settlement.

‍

A $228 million jury verdict against BNSF Railway for collecting employee fingerprints came from a first federal jury trial that took place last year.

‍

The bankruptcy of Pay By Touch, a now-defunct corporation, served as the impetus for the Illinois statute. State lawmakers were concerned that the company's vast collection of fingerprint data could be sold or otherwise abused, according to Matthew Kugler, a law professor at Northwestern University. He claimed that, in contrast to today, when tech corporations are campaigning against some biometric data measures proposed in other states, there was little to no controversy when the law was passed.

‍

As other states ponder enacting comparable privacy rules as biometric technology becomes more commonplace in both consumer and employment settings, developments in Illinois may be instructive. A number of states, including Texas and Washington, have already approved laws governing the gathering of biometric data. Cities have also enacted these ordinances, notably New York City.

‍

The only state that still permits people to file lawsuits for violations is Illinois. Others give state attorneys general discretion to act.

‍

"States are waking up to the danger that biometrics represent to people's privacy," Boston University law professor Woodrow Hartzog said.