Thousands Of Bite-Sized Privacy Law Violations Could See White Castle Subjected To Billions In Fines
Illinois' Biometric Information Privacy Act (BIPA), passed in 2008, continues to be the Little Legislation That Could. While occasionally hijacked by opportunistic litigants whose privacy hasn't actually been violated, it's also been used to achieve some objective good.
In 2020, the law played an instrumental part in wresting a $550 million settlement from Facebook over its noxious auto-tag feature - a feature no one asked for that automatically scans users' photos in order to attach names to faces in newly uploaded content. The payout was a relative bargain, considering the number of violations (at $1k-5k per) by Facebook originally put the estimated fee total closer to $35 billion.
The same law also forced an entity that fed off social media services into settling as well. Clearview - the facial recognition startup that utilizes scraped content to build a database it sells to law enforcement - was sued in 2020 for violating BIPA. That ended in a settlement by facial recognition tech's ugliest child in which it agreed to stop doing business in Illinois. (Unfortunately, that agreement only extends to private parties, not Illinois government agencies, which apparently can still utilize Clearview's offering without either party violating the settlement.)
Now there's this: another BIPA lawsuit that's been given permission to move forward. The entity accused of violating the law, however, isn't what anyone would consider a tech company.
Illinois' highest court on Friday said companies violate the state's unique biometric privacy law each time they misuse a person's private information, not just the first time, a ruling that could expose businesses to billions of dollars in penalties.
The Illinois Supreme Court in a 4-3 decision said fast food chain White Castle System Inc must face claims that it repeatedly scanned fingerprints of nearly 9,500 employees without their consent, which the company says could cost it more than $17 billion.
Obviously, this isn't going to cost the chain $17 billion. It may have offered that top end speculation as a cautionary note to shareholders and perhaps to garner a little sympathy. But that doesn't mean this will end with a financial wrist slap either. The court's opinion [PDF] disagrees with every attempt made by White Castle to limit potential damages to single initial violations, rather than a years-long string of repeated violations.
We agree with plaintiff that the plain language of the statute supports her interpretation. Collect" means to to receive, gather, or exact from a number of persons or other sources." Webster's Third New International Dictionary 444 (1993). Capture" means to take, seize, or catch." We disagree with defendant that these are things that can happen only once. As plaintiff explains in her complaint, White Castle obtains an employee's fingerprint and stores it in its database. The employee must then use his or her fingerprint to access paystubs or White Castle computers. With the subsequent scans, the fingerprint is compared to the stored copy of the fingerprint. Defendant fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub.
White Castle also argued that it couldn't violate the Act multiple times because once the original violation had taken place (the passing of biometric data to a third party without consent or notification), that privacy could no longer be violated. Interesting, says the court. But wrong. And unsupported by precedent.
Put simply, our caselaw holds that, for purposes of an injury under section 15 of the Act, the court must determine whether a statutory provision was violated. Consequently, we reject White Castle's argument that we should limit a claim under section 15 to the first time that a private entity scans or transmits a party's biometric identifier or biometric information. No such limitation appears in the statute. We cannot rewrite a statute to create new elements or limitations not included by the legislature.
That answers the question passed on to the state's Supreme Court by the Seventh Circuit Appeals Court. Since the answer to the certified question is affirmative, the plaintiffs can continue to sue White Castle for perpetual violations of state law every time they were required to use their fingerprints to verify their identity - a program that began in 2004 and apparently went unaltered even after the privacy law took effect in 2008. White Castle will probably be looking to settle soon. Any agreement in the mere millions is going to sound far more enticing than the $17 billion the company has voluntarily admitted it might owe.