By: Jack Gagner

As technology develops and becomes increasingly intrusive at work, in homes, and online, state legislatures have taken an interest in regulating how private entities handle consumer data.  Five states have enacted comprehensive consumer privacy laws since 2018, and 60 comprehensive consumer privacy bills were considered across 29 states in 2022 alone.  In stark and (nearly) solitary relief is the government of Illinois, which has been regulating data for nearly 15 years.  As government interest in data privacy sweeps across the U.S., recent judicial decisions interpreting Illinois’ Biometric Information Privacy Act (“BIPA”) may prove to be an influential foundation as other states act to protect their citizens’ data.

Unlike in Europe, there is no single, comprehensive federal law regulating the data of American consumers.  Instead, a web of state and federal laws controls specific types of data, such as health information or credit data, or regulate the data of specific groups of people, like children.  As the collection, use, and misuse of consumer data has neared a critical mass, states have begun looking to Europe’s General Data Protection Regulation, and the set of rights and obligations it grants to consumers and imposes on businesses, as inspiration for a more comprehensive approach to regulating consumer information.  Since 2018, five states have passed comprehensive privacy legislation: California, Colorado, Connecticut, Virginia, and Utah.

In one state, Illinois, the political battle for consumer privacy protections has two fronts: the legislature and the courts.  That is because, even as the legislature considers the recently introduced Illinois Data Privacy and Protection Act, both consumers and employees have already found some success directly challenging the data practices of private entities under the Biometric Information Privacy Act.  Originally passed in 2008, BIPA was a response both to corporations’ use of Chicago as a laboratory for new high-tech businesses practices, and the untimely bankruptcy of an early venture in the field of biometric payment systems.  The legislation was ahead of its time, and for years it had more attention from detractors than practical application.

That dormancy gave way as data privacy issues came to the fore, and 2017 saw the beginning of an influx in BIPA litigation that continues to this day.  The first settlement involving BIPA was approved in 2016, and notable cases were brought against companies as large as Facebook (2016), Shutterfly (2017), Google (2017), and Six Flags (2019).  As the concern over data privacy and the use of BIPA have grown, so too has the caution with which companies have approached BIPA litigation.  The first settlement in 2016 was for $1.5 million; just five years later, a settlement for $650 million was approved in a lawsuit against Facebook, praised as a “major win for consumers in the hotly contested area of digital privacy.”

Companies have even more reason to be wary of BIPA litigation after two recent plaintiff-friendly decisions by the Illinois Supreme Court.  In Tims v. Black Horse Carriers, Inc., the court confirmed that the state’s five-year catchall limitations period applied to all claims arising under BIPA.  Lower courts had previously applied a stricter one-year limitations period to claims arising under certain sections of the statute.  This decision was a procedural victory for potential plaintiffs, and as an initial matter seemed to expand the pool of plaintiffs able to recover under the statute.

Black Horse Carriers gained a new significance just a few weeks later with the filing of the court’s opinion in Cothron v. White Castle System, Inc.  In Cothron, the court was asked to decide whether a statutory violation occurs each time a company scans a person’s biometric identifier or transmits such a scan, or whether only the first scan and first transmission constitute the statutory violation.  In construing BIPA to treat every distinct collection and transmission of biometric data as a separate violation, the court vastly increased companies’ risk of exposure in BIPA cases.  Taken together, the decisions both increase the number of potential plaintiffs eligible to join BIPA class action litigation, and vastly expand the liability that companies face to those eligible plaintiffs.  In Cothron, the court itself recognized that the damages available to plaintiffs following the decision could be ruinous for companies, and dicta in the opinion seemed to indicate that statutory damages are not mandatory, but rather up to the discretion of the trial courts.

Although BIPA was years ahead of its time, the technological and policy concerns behind the legislation have only increased in severity and extent since it was passed.  As large class action lawsuits continue to be brought by plaintiffs and the Illinois Courts are more frequently called on to interpret and apply the statute, they may be laying a legal foundation with far-reaching consequences should other state legislatures adopt comparable legislation.  Should the recent trend of comprehensive privacy laws prove inadequate in protecting the particularly sensitive nature of biometric information, the recent opinions of the Illinois Supreme Court will likely influence how state legislatures across the country approach the protection of their citizens’ biometric data.

 

Student Bio: Jack Gagner is a second-year student at Suffolk University Law School.  He is a staff writer on the Journal of High Technology Law.  Jack received a Bachelor of Music Degree in Classical Trombone Performance from the University of Toronto.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.