Biometric-Privacy Rulings in Illinois Expand Potential Liability for Tech Firms

The 2008 law, designed to protect consumers and workers, bars companies from collecting or disseminating biometric data without obtaining consent, with penalties ranging from $1,000 to $5,000 for violations. The law was little-noticed or used in its infancy but in recent years it has been the basis for a rapidly expanding number of lawsuits, many seeking class-action status. Some U.S. companies, including technology giants Google and

Facebook,

already have settled cases for significant sums.   

Legal violations potentially became more expensive for companies after two decisions this month from the Illinois Supreme Court. In the most recent, a divided court ruled against fast food chain White Castle System Inc., which is seeking to fend off claims that it repeatedly scanned fingerprints for about 9,500 employees without obtaining consent. The company estimates it could cost as much as $17 billion in damages. 

White Castle argued it could only be penalized for initially collecting each worker’s fingerprint, and not each time the prints were scanned. The court disagreed, saying a plain reading of the law indicates a new violation occurs with each instance of improper collection or transmission of biometric data.

Any policy concerns about “potentially excessive damage awards” should be addressed by the state legislature, the court said in a 4-3 ruling. The dissenters said state lawmakers never intended to impose “punitive, crippling liability on corporations.”

A White Castle spokesman said the company is reviewing its options. The U.S. Chamber of Commerce had filed an amicus brief warning that a ruling against the chain would “ruin rather than deter” companies.

James Zouras, a lawyer who argued the case for the workers, said the decision affirms that biometric data collectors “cannot shirk their duties by relying on dubious interpretations of the statutory text.” 

A second ruling sided with workers who sued a logistics company for allegedly collecting fingerprint information for employee time clocks without consent, allowing the plaintiffs to have a five-year legal window to file suit, not one year as the company argued.  

There were between 1,000 and 2,000 cases on pause while awaiting the state Supreme Court rulings, said Gerald Maatman, a lawyer with Duane Morris LLP, who is representing roughly 50 companies defending against such lawsuits. He predicted more would be filed and that plaintiffs’ attorneys would demand higher settlements as a result of the recent rulings.

“The floodgates are open,” Mr. Maatman said. “The notion of privacy is so important and sacred in a new world in which everyone lives their lives immersed in technology. I would imagine more regulations that impose obligations on companies.”

Alphabet Inc.’s

Google struck a $100 million settlement last year over claims that the company’s photo-sharing and storing service collected individuals’ facial data without proper notice. Facebook Inc. in 2021 reached a $650 million settlement to resolve similar claims.

A Google spokesman said the company was pleased to resolve the matter in Illinois, but remains committed to build easy-to-use controls for its photo recognition tools. Facebook declined to comment but said at the time of the settlement that it changed its photo tagging system.

A first federal jury trial last year resulted in a $228 million jury verdict against BNSF Railway for collecting fingerprints from workers. 

The Illinois law was prompted by the bankruptcy of a now-defunct company called Pay By Touch. State legislators were worried that the company’s trove of fingerprint data could be sold or misused, said Matthew Kugler, a Northwestern University law professor. There was little to no controversy when the law passed, he said, unlike today, when tech companies are lobbying against some biometric data measures proposed in other states.

Developments in Illinois could prove instructive as other states consider similar privacy laws and biometric technology becomes more ubiquitous in employment and consumer settings. States, including Texas and Washington, previously passed legislation to regulate biometric data collection. Cities, including New York City, have also passed such laws.

Illinois remains the only state to allow individuals to sue over violations. Others allow state attorneys general to take action. 

“States are waking up to the danger that biometrics pose to people’s privacy,” Boston University law professor Woodrow Hartzog said.

Write to Erin Mulvaney at [email protected]

The 2008 law, designed to protect consumers and workers, bars companies from collecting or disseminating biometric data without obtaining consent, with penalties ranging from $1,000 to $5,000 for violations. The law was little-noticed or used in its infancy but in recent years it has been the basis for a rapidly expanding number of lawsuits, many seeking class-action status. Some U.S. companies, including technology giants Google and

Facebook,

already have settled cases for significant sums.   

Legal violations potentially became more expensive for companies after two decisions this month from the Illinois Supreme Court. In the most recent, a divided court ruled against fast food chain White Castle System Inc., which is seeking to fend off claims that it repeatedly scanned fingerprints for about 9,500 employees without obtaining consent. The company estimates it could cost as much as $17 billion in damages. 

White Castle argued it could only be penalized for initially collecting each worker’s fingerprint, and not each time the prints were scanned. The court disagreed, saying a plain reading of the law indicates a new violation occurs with each instance of improper collection or transmission of biometric data.

Any policy concerns about “potentially excessive damage awards” should be addressed by the state legislature, the court said in a 4-3 ruling. The dissenters said state lawmakers never intended to impose “punitive, crippling liability on corporations.”

A White Castle spokesman said the company is reviewing its options. The U.S. Chamber of Commerce had filed an amicus brief warning that a ruling against the chain would “ruin rather than deter” companies.

James Zouras, a lawyer who argued the case for the workers, said the decision affirms that biometric data collectors “cannot shirk their duties by relying on dubious interpretations of the statutory text.” 

A second ruling sided with workers who sued a logistics company for allegedly collecting fingerprint information for employee time clocks without consent, allowing the plaintiffs to have a five-year legal window to file suit, not one year as the company argued.  

There were between 1,000 and 2,000 cases on pause while awaiting the state Supreme Court rulings, said Gerald Maatman, a lawyer with Duane Morris LLP, who is representing roughly 50 companies defending against such lawsuits. He predicted more would be filed and that plaintiffs’ attorneys would demand higher settlements as a result of the recent rulings.

“The floodgates are open,” Mr. Maatman said. “The notion of privacy is so important and sacred in a new world in which everyone lives their lives immersed in technology. I would imagine more regulations that impose obligations on companies.”

Alphabet Inc.’s

Google struck a $100 million settlement last year over claims that the company’s photo-sharing and storing service collected individuals’ facial data without proper notice. Facebook Inc. in 2021 reached a $650 million settlement to resolve similar claims.

A Google spokesman said the company was pleased to resolve the matter in Illinois, but remains committed to build easy-to-use controls for its photo recognition tools. Facebook declined to comment but said at the time of the settlement that it changed its photo tagging system.

A first federal jury trial last year resulted in a $228 million jury verdict against BNSF Railway for collecting fingerprints from workers. 

The Illinois law was prompted by the bankruptcy of a now-defunct company called Pay By Touch. State legislators were worried that the company’s trove of fingerprint data could be sold or misused, said Matthew Kugler, a Northwestern University law professor. There was little to no controversy when the law passed, he said, unlike today, when tech companies are lobbying against some biometric data measures proposed in other states.

Developments in Illinois could prove instructive as other states consider similar privacy laws and biometric technology becomes more ubiquitous in employment and consumer settings. States, including Texas and Washington, previously passed legislation to regulate biometric data collection. Cities, including New York City, have also passed such laws.

Illinois remains the only state to allow individuals to sue over violations. Others allow state attorneys general to take action. 

“States are waking up to the danger that biometrics pose to people’s privacy,” Boston University law professor Woodrow Hartzog said.

Write to Erin Mulvaney at [email protected]