Illinois Torched Business And Common Sense With Its Biometric Privacy Law

The Illinois General Assembly's malfeasance has claimed another victim: White Castle.

Illinois Torched Business And Common Sense With Its Biometric Privacy Law

By Mark Glennon of


It is ironic, but it was White Castle that fell to the Illinois General Assembly's ill-feasance. It is modeled after Chicago's Water Tower and serves as a reminder of the resilience and spirit that once prevailed in rebuilding the city.

Today Mrs. O'Leary's cow represents the state's government. It was the beginning of what Mayer Brown, a law firm, rightly referred to as.


A'six-alarm fire alarm for Illinois businesses with customers and employees.

BIPA is the

Biometric Information Privacy Act

As most laws, it arises out of a legitimate concern.

It's privacy of biometric information, such as fingerprints, DNA, and other distinctive elements, like facial features and retina features, in this instance.

Some of that data is used widely in the business world for things like time management, security, wellness programs and worker safety. The law requires informed consent prior to collecting the data, mandates protection and retention guidelines and bans profiting from selling the data.

That's fine, but the problem is that the law imposes penalties wildly out of proportion to the seriousness of noncompliance or amount of harm done by a violation.

It can be a death penalty for violators. And the law allows anybody affected to sue for those fines.

That's a firebomb recipe for personal injury lawyers. Nearly 2,000 lawsuits alleging violations of BIPA have been filed since 2017, 'yielding a series of massive settlements and judgments,' as

Reuters reported

. Defendants have included Facebook, which paid $650 million to settle a BIPA class action and BNSF Railway Co, which a jury ordered to pay $228 million to truck drivers. Anybody thinking about suing enjoys a very generous five-year statute of limitations.

Then came last week's


on White Castle from the Illinois Supreme Court, pouring accelerant on the fire.

Separate BIPA violations were committed

Every time

White Castle required employees to scan their fingerprints in order to access their pay slips and computers. An employee did this, according to the court. BIPA allows for statutory damages up to $1,000 for each violation of the statute and $5,000 for reckless or intentional violations.

The top court's decision therefore could mean a $17 billion liability for White Castle since some 9,500 current and past employees had used the system for years

, as a dissenting opinion says, citing White Castle's estimate. The court's decision 'could easily lead to annihilative liability for businesses,' says the dissent.

That's what makes the decision terrifying for many other businesses that use biometrics. Every instance of use could mean a penalty of $1,000 or $5,000.

The decision 'leaves the plaintiffs' bar with an all-you-can-eat biometric café,'

The law firm was founded.

Winston & Strawn

Subscribe to its newsletter.

White Castle would be destroyed many times over if it was a liability this large. It's

not that big a company

compared to many publicly owned food chains and is privately owned.

Sorry, but the majority of court members stated that the statute's plain language required this result. The General Assembly can fix this if necessary. According to the majority opinion, "Ultimately," the majority believes that the legislature is best able to address policy-based concerns regarding excessive damage awards under the Act.

This is the key takeaway: the General Assembly should have made this a priority long ago. BIPA's liabilities have been spiraling out of control for many years. The ruling that each case is subject to a penalty was long feared and has been passed through the courts for many years. It has remained untouched by bills to remedy it.

Dissenters argued that there should only be one violation for employees whose fingerprints were collected for the first time, and that this is the way the law was intended.

Whether it's right or wrong, this is now water under the bridge. The highest court has ruled. Only the General Assembly is able to amend the statute.

One next potential victim of BIPA may be the cannabis industry, an increasingly important revenue force for the state,

according to lawyers

at Dentons U.S. 'BIPA damages could be a death knell to cannabis operators,' they wrote, explaining,


Security has been a key focus of the cannabis industry. This is to ensure that employees are not involved in cash transactions or customers who purchase a highly regulated product. Despite these security precautions, the cannabis industry is now open to legal action due to BIPA's strict requirements.

According to the majority opinion in White Castle's Case,

'We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.'

That's being too nice. Nobody should be 'respectfully suggesting' anything to legislature about this. They should have fixed BIPA long ago. Fix it now.

In the meantime, any business touching Illinoisans in any way that uses biometrics should follow the advice of many lawyers:

At least mitigate your exposure by immediately reviewing policies and practices related to biometric information to ensure BIPA compliance, including biometric use for employee timekeeping.