Illinois’ biometric privacy law has created liability regime - GulfToday

Jim Harper, Tribune News Service

The Illinois Supreme Court recently issued a ruling that exposes the White Castle burger chain to as much as $17 billion in liability because it didn’t get explicit permission from employees to use biometric controls on its time clocks and computers. But don’t blame the courts for the burger joint’s legal costs. The Illinois legislature’s early and aggressive move to regulate technology in the name of privacy ignored time-honored requirements like proportionality. It’s a lesson for other states and for Congress, which should not follow Illinois’ lead.

Statutes of limitations keep stale controversies out of the courts. In defending against the charge that it violated the rights of some 9,500 current and former employees by using biometric controls without their explicit permission, White Castle has argued that the lead plaintiff in the case took more than a decade to complain. If the offense is getting access to her fingerprint data contrary to the rules in the Illinois Biometric Information Privacy Act, it happened too long ago for her to sue. But Latrina Cothron, a Chicago-based White Castle manager, argues that White Castle committed a new offense with each collection of her fingerprint in the absence of the specific agreement the Illinois statute requires.

The court decided that she is right. It reads the statute as creating a new offense every time an employee’s biometric is collected. Every single workday, sometimes multiple times per day.

If that’s true about when Cothron’s complaints accrue, it’s true as to how many offenses White Castle has committed. White Castle may have collected millions of fingerprint scans across its stores in Illinois. The state legislature set out “liquidated damages” of $1,000 to $5,000 for each violation. That means many billions of dollars in potential liability for White Castle.

Were Cothron and her White Castle colleagues harmed by the gathering of their fingerprints? Not in any real sense. There’s no suggestion in the case that they have suffered emotionally or financially or that their biometric data has been compromised or used wrongly. The only thing White Castle has done is fail to get Cothron’s explicit permission, a paperwork violation. To protect privacy in that very small sense, or perhaps to thwart unknown risks of using biometrics, the Illinois legislature created a massive liability regime.

It doesn’t have to be this way.

The American law alternative, which doesn’t require legislation at all, is requiring compensation for wrongs that cause harm. If White Castle permitted a breach of biometric data and that resulted in economic losses, for example, White Castle should rightly fork over for it. General liability rules like that allow society to carefully tune the balance between new technologies that may secure a business’s data and systems, as in this case, and the privacy and security risks they entail. But in their urgency to get technology “under control,” many advocates and legislatures are arguing for heavy penalties even where no harm or damage can be shown. That rings of the “precautionary principle,” preferred in Europe, which says that new processes and products can’t be used unless they are first proved safe.

Banning new technology or hemming in its use with heavy paperwork penalties cuts off avenues of innovation and economic growth. We would all like more security and privacy, but these things are traded off for other goods we like, including inexpensive burgers.

The Illinois Supreme Court pointed out in its opinion that there are several ways the actual damage award against White Castle may be curtailed. One’s immediate instincts are that liability controls should kick in so that any award is just. But doing that would tell legislators in Illinois, and those in other states looking on, that their excesses don’t have any political costs.

Maybe Illinoisans should pay double for their burgers or lose access to them altogether. Maybe they should ask their legislators just what they were thinking when they set White Castle up for a multibillion-dollar paperwork penalty.

Passage of the Illinois Biometric Information Privacy Act made the Land of Lincoln a “leader” in regulating biometrics. But it’s an example other states have not followed, for good reason.

The difficult work of balancing multidimensional values like privacy against new uses of technology is not done with sledgehammers.
