By Daniel Wiessner
(Reuters) – Illinois’ highest court on Friday said companies violate the state’s unique biometric privacy law each time they misuse a person’s private information, not just the first time, a ruling that could expose businesses to billions of dollars in penalties.
The Illinois Supreme Court in a 4-3 decision said fast food chain White Castle System Inc must face claims that it repeatedly scanned fingerprints of nearly 9,500 employees without their consent, which the company says could cost it more than $17 billion.
The Illinois Biometric Information Privacy Act (BIPA) imposes penalties of $1,000 per violation and $5,000 for reckless or intentional violations. The law requires companies to obtain permission before collecting fingerprints, retinal scans and other biometric information from workers and consumers.
White Castle had argued that it could only be sued for initially collecting each worker’s fingerprint, and not every time they were scanned to access a company computer system.
The company was backed by a dozen major business groups including the U.S. Chamber of Commerce, the country’s largest business lobby. The Chamber in a brief filed last year said a ruling against White Castle would spur litigation that could be financially ruinous for some companies.
The court on Friday said BIPA broadly prohibits “collecting” or “capturing” biometric information without consent, and White Castle had to collect workers’ fingerprints every time they used the computer system.
A Chicago-based U.S. appeals court had asked the Illinois Supreme Court to decide the issue. The lawsuit against White Castle now goes back to that court to apply Friday’s decision.
Ohio-based White Castle in a statement provided by a spokesperson said it was disappointed with the ruling and was considering its options.
James Zouras, a lawyer for the named plaintiff, said the decision means companies cannot shirk their legal obligations to safeguard private information.
“Hopefully, today’s decision will encourage employers and other biometric data collectors to finally start taking the law seriously,” he said.
Two weeks ago, the Illinois Supreme Court held in a separate case that plaintiffs have five years to sue for violations of BIPA, rejecting a one-year window pushed by business groups.
Together, the two decisions will allow workers and consumers to file lawsuits alleging many more violations of BIPA over a longer period of time. This could potentially lead to billions of dollars in penalties and raises pressure on companies to settle cases.
Nearly 2,000 lawsuits alleging violations of BIPA have been filed since 2017, yielding a series of massive settlements and judgments.
Meta Platforms Inc’s Facebook in 2020 agreed to pay $650 million to settle a BIPA class action involving its use of facial recognition software. The company denied wrongdoing.
In October, following the first-ever trial in a BIPA case, a jury ordered BNSF Railway Co to pay $228 million for collecting truck drivers’ fingerprints without their consent. The railroad has moved for a new trial.
The case is Cothron v. White Castle System Inc, Illinois Supreme Court, No. 128004.
(Reporting by Daniel Wiessner in Albany, New York, Editing by Alexia Garamfalvi and David Gregorio)