On July 18, 2023, the Supreme Court of Illinois declined to reconsider its February 2023 holding that claims under the state’s Biometric Information Privacy Act (Privacy Act or BIPA) accrue on each and every scan or transmission. The denial drew a dissent from three justices, who argued  that a per-scan interpretation “subvert[s] the intent of the Illinois General Assembly, threatens the survival of businesses in Illinois and consequently raises significant constitutional due process concerns.”

Quick Hits

  • The Supreme Court of Illinois denied a petition to rehear its February 2023 ruling that Privacy Act violations accrue on each and every scan or transmission and further allowed per-scan damages.
  • Dissenting justices called the per-scan interpretation “flawed” and warned it could lead to “extraordinary damages” that were never intended by the legislature.

The 4–3 ruling in Cothron v. White Castle System Inc. on February 17, 2023, had answered a certified question from the U.S. Court of Appeals for the Seventh Circuit in a putative class action by a White Castle employee who alleged that the company used technology that allegedly scans employees’ fingerprints when accessing pay stubs and computers.

In that decision, the majority stated that the “plain language” of Sections 15(b) and 15(d) of the Privacy Act, which regulate the collection and disclosure of biometric information, including retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry, “demonstrates that such violations occur with every scan or transmission” and allowed damages to accrue per scan.

The justices rejected arguments that the Privacy Act is only violated, if at all, on the first scan or collection. Such a reasonable interpretation could still lead to multimillion-dollar damages awards in class actions based on the Privacy Act’s statutory damages under Sections 15(b) and (d) of $1,000 or $5,000 per violation.

Under the Illinois high court’s interpretation of the Privacy Act, White Castle faces potential damages as high as $17 billion.

The Illinois supreme court denied White Castle’s petition for rehearing in a short order, without further explanation. However, the three justices who had dissented from the February 17, 2023, decision, joined a separate dissenting opinion on the denial of rehearing.

‘Extraordinary Damages’

In the dissenting opinion, Justice David Overstreet argued that the Illinois supreme court’s earlier “opinion leaves a staggering degree of uncertainty for courts and defendants.” The justice argued that the “[t]he legislature never intended the [Privacy Act] to be a mechanism to impose extraordinary damages on businesses or a vehicle for litigants to leverage the exposure of exorbitant statutory damages to extract massive settlements.”

Justice Overstreet, who was joined by two other justices in dissent, stated that the Privacy Act was meant to be “remedial” in nature and that its provision allowing for the greater of actual damages or statutory damages “is indicative of the fact that” statutory damages were meant to be awarded when actual damages are “too small and difficult to prove, not as a multiplier by thousands for each time technology is used.”

Instead, the justice argued the “majority’s flawed construction” presumes that the legislature “resolutely passed the [Privacy] Act for the purpose of establishing a statutory landmine, destroying commerce in its wake when negligently triggered.” The justice stated:

This flawed presumption of the legislature’s intent is required under the majority’s construction because, under the majority’s view, the legislature intended for Illinois businesses to be subject to cataclysmic, jobs-killing damages, potentially up to billions of dollars, for violations of the Act. No reported case has ever made a similar assumption about our legislature’s intent in passing legislation, likely because it does not withstand reason to believe the legislature intended this absurd result.

Justice Overstreet argued that these implications should be grappled with on rehearing, stating that the implications of the decision “are severe and arguably oppressive, wholly disproportioned to the violations addressed in the Act, and unreasonable.”

Next Steps

Despite the arguments from White Castle and the business community to interpret the Privacy Act as being implicated only on the first scan or collection of biometric information, the denial of rehearing leaves in place the Illinois supreme court’s holding that violations accrue per scan. As the dissent points out, with the Privacy Act’s provision for statutory damages, defendants could face potentially “extraordinary damages” amounts.

Still, the Cothron decision did include language that suggested that statutory damages are discretionary in the sense that awards could be fashioned so as to not be arguably “annihilative” of defendants’ businesses.

Citing that language, an Illinois federal judge in June 2023 vacated a $228 million Privacy Act damages award and awarded a new trial on damages, suggesting that juries are able to fashion “appropriate” damage awards in Privacy Act class actions. However, that decision is not binding on Illinois federal courts.

Otherwise, it will be up to the legislature to address the potential for excessive damages under the Privacy Act, which will likely require a coordinated lobbying effort from the business community.

Ogletree Deakins will continue to monitor developments and will provide updates on the Class Action, Cybersecurity and Privacy, and Illinois blogs.

Follow and Subscribe                                                                                                                                     LinkedIn | Twitter | Webinars | Podcasts