Biometric Privacy Ruling at Illinois Supreme Court Could Cost White Castle Billions

White Castle may be best known for its sliders, but after this year, Illinois lawyers will know it for a 4 – 3 decision by the Illinois Supreme Court. In Cothron v. White Castle Sys. Inc., the court answered a certified question from the U.S. Court of Appeals for the Seventh Circuit, which asked how to construe sections 15(b) and 15(d) of the Biometric Information Privacy Act (Act)(740 ILCS 14/15(b), (d) (West 2018). The Act broadly prevents the collection of biometric data without proper consent.[1] More particularly, echoing a question seen in other cases like Ledbetter v. Goodyear Tire & Rubber Co., 550 U.S. 618 (2007), the court had to determine whether a claim accrued “each time a private entity scans a person’s biometric identifier or information in violation of section15(b) or 15(d)?”[2] Ultimately, the court found that, based on a plain reading of the statute, a separate claim accrues each time a person’s biometric identifier is scanned in violation of section 15(b) and 15(d).[3]

The plaintiff in the case is a manager of a White Castle restaurant in Illinois who started working there in 2004.[4] White Castle collects fingerprints (a form of biometric data under the Act) from each of its employees upon hiring.[5] An employee must scan his or her fingerprint to access pay stubs and computers. The scan is transmitted to a third party, who verifies the fingerprint match.[6] The plaintiff alleged that White Castle did not seek her consent to acquire her fingerprints until 2018.[7] Therefore, she said, White Castle unlawfully collected her biometric data and unlawfully disclosed it to a third party in violation of sections 15(b) and 15(d).[8]

Section 15(b) of the Act provides that “[n]o private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first . . .” informs and obtains consent from either the subject or the subject’s legally authorized representative.[9] Section 15(d) provides that “no private entity may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless” consent from the subject or his legally authorized representative is achieved.[10]

The majority decided that, based upon a plain reading of the statute, a separate claim accrued based upon each violation.[11] The majority opinion, written by Justice Elizabeth Rochford and joined by Justices P. Scott Neville, Joy Cunningham, and Mary O’Brien, stated that “the cardinal principle and primary objective in construing a statute is to ascertain and give effect to the intention of the legislature.”[12] Therefore, the court primarily relied on the plain and ordinary meaning of the statutory text to interpret the Act.[13]

The court found that “collect” in section 15(b) means to “receive, gather, or exact from a number of persons or other sources,” and “capture” means “to take, seize, or catch.”[14] The court argued that both capture and collection could occur more than once. Therefore, each time a White Castle employee scanned his fingerprint, a collection or capture occurred because “Defendant fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub.”[15]

The court gave similar reasoning for section 15(d) and found that “the plain language of section 15(d) applies to every transmission to a third party.”[16] The court first found that the phrase “disclose” means to “expose to view.”[17] The court found  White Castle’s biometric system to be a form of disclosure because “a fingerprint scan system requires a person to expose his or her fingerprint to the system so that the print may be compared with the stored copy.”[18] The court also found that the term “disseminate” means “to spread or send out freely or widely.”[19] The majority only said on this matter that White Castle “provides no definitional support” for its argument that a dissemination is “something that can happen only once.”[20] Therefore, the court said, under a plain reading of 15(d), a violation occurs each time an employer scans the biometric data of employees and discloses that information to a third party.

The majority then briefly addressed White Castle’s argument that under the majority’s construction of the Act, White Castle may be liable for up to $17 billion in damages. The court quoted the district court saying, “where statutory language is clear, it must be given effect, ‘even though the consequences may be harsh, unjust, absurd, or unwise.’”[21] The court finished by suggesting that any complaints about the high damages exposure should be sent to the legislature.[22]

Justice David Overstreet dissented for himself, Chief Justice Mary Theis, and Justice Lisa White, writing, “the majority’s interpretation cannot be reconciled with the plain language of the statute, the purposes behind the Biometric Information Privacy Act . . . or this court’s case law.”[23] To interpret the statute, the dissent asked first, “what interests does the Act seek to protect?” and second, “what constitutes a violation of section 15(b) or (d) under the plain language of those provisions?”[24]

The dissent answered the first question by looking at previous Illinois Supreme Court cases. The court’s decision in Rosenbach v. Six Flags Entertainment Corp. summarized the dissent’s interpretation of the purpose of the statute because there the court found that “the Act vests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent.”[25] Therefore, the Act “protects an individual’s ‘right to privacy in and control over their biometric identifiers and biometric information.’”[26]

The dissent considered it “axiomatic” that biometric data can only be collected once, unless destroyed after collection.[27] The dissent argued the majority erred in holding that every fingerprint scan qualifies as a “collection” under 15(b). The dissent stated that “the subsequent scans did not collect any new information from plaintiff, and she suffered no additional loss of control over her biometric information.”[28] Since the Act is meant to protect a “secrecy interest”—a person’s right to “keep his or her personal identifying information like fingerprints secret”—a person loses control over biometric information when it is first collected.[29] Afterwards, “once the entity has the fingerprint, there is no additional loss of control, loss of privacy, or loss of secrecy from subsequent scans of the same finger.”[30] Therefore, “there is only one loss of control or privacy, and this happens when the information is first obtained.”[31] The dissent also argues that the majority did not explain why each scan constitutes a “collection” and thereby a violation of the statute.[32]

The dissent made a similar argument with respect to section 15(d). The word “disclose” in section 15(d) means, “to make known” or “to reveal” something that is secret or not generally known.[33] The dissent asserted you cannot disclose something twice and provides the example that “you can tell someone your middle name an unlimited number of times, but you can disclose it to them only once.”[34] Therefore, the dissent argued, “redisclosure” in the statute “does not mean repeated disclosure to the same party (a logical impossibility) but rather refers to downstream disclosures to third parties.”[35]

For 15(b) and 15(d), the dissent found that a plain reading of the statute entails that a violation of the Act can only occur once. This occurs for 15(b) upon the first collection or capture, and for 15(d) upon the first disclosure. The dissent finished its argument by finding that “the majority’s construction of the Act could easily lead to annihilative liability for businesses,” and it quoted the potential $17 billion in damages for White Castle.[36] The dissent argued that the court is charged with finding legislative intent by looking at the consequences of interpreting a statute in a particular way.[37] The dissent stated that “imposing punitive, crippling liability on businesses could not have been a goal of the Act, nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm.”[38] Therefore, it could not have been the legislature’s intent to allow for multiple violations of the law to accrue.

Cothron v. White Castle reveals, among other things, the legal system’s continuing struggle to define privacy rights around data. The concept of data capture, the appropriate damages for an invasion of privacy, and the need for consent all call for attention in future cases. In this case, however, these issues were secondary to the question of statutory interpretation; here, the plain meaning of the legislated text ruled the day.

Note from the Editor: The Federalist Society takes no positions on particular legal and public policy matters. Any expressions of opinion are those of the author. We welcome responses to the views presented here. To join the debate, please email us at [email protected].