Nevertheless, White Castle argued that interpreting BIPA to allow for repeated accruals of claims by one individual “would constitute ‘annihilative liability’ not contemplated by the legislature and possibly be unconstitutional.” The company contended “if [the] plaintiff is successful and allowed to bring her claims on behalf of as many as 9500 current and former White Castle employees, class-wide damages in her action may exceed $17 billion.” The court was unpersuaded by these arguments, concluding that “policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature … [to] make clear its intent regarding the assessment of damages under [BIPA].”
Majority’s Rule Will Render BIPA Compliance Burdensome
The dissenting opinion contends the majority’s interpretation is unsupported by the statute’s plain language and, in no uncertain terms, “will lead to consequences that the legislature could not have intended.” For example, the dissent observed “that the ‘precise harm’ the legislature sought to prevent [in enacting BIPA] was an individual’s loss of the right to maintain biometric privacy.” With that in mind, the dissent argues that a private entity may obtain an individual’s biometric information in violation of BIPA only once, as there is only “one loss of control or privacy, and this happens when the information is first obtained.” Accordingly, in the dissent’s view, subsequent scans cannot be considered as obtaining additional biometric information because “White Castle already has it.”
Turning to the implications of the majority’s rule, the dissent highlighted two areas of concern. First, under the majority approach, plaintiffs are incentivized to delay bringing their claims as long as possible, thereby impermissibly “racking up damages.” Second, in light of the potential $17 billion damages award White Castle may face, the dissent argued the majority’s interpretation is clearly contrary to legislative intent. In sum, the dissent concluded that “[i]mposing punitive, crippling liability on businesses could not have been a goal of the Act, nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm.”
Navigating a Post-Cothron World
The Cothron decision illustrates that statutory claims for alleged privacy violations can quickly turn into “bet the company” litigation. This risk is particularly acute whenever the potentially applicable statutory regime includes a private right of action for alleged violations. To effectively mitigate this risk, companies must clearly identify the regulatory requirements that apply to any personal information—not just biometric information—collected from any individual, whether a customer, employee, independent contractor, vendor, or other individual, and processed as part of operations. With this foundation, companies can develop, implement, and regularly update comprehensive and robust compliance protocols with respect to the collection, processing, storage, and destruction of the regulated personal information.
In light of the Cothron decision, and specifically with respect to biometric information, any business collecting and processing biometric data should consider implementing the following best practices:
- develop a system for providing written notice and obtaining informed consent prior to the collection of biometric information
- ensure the written notice clearly informs the individual of: (1) the entity collecting or storing biometric information; (2) the entity’s purpose for collection, use, and storage; (3) whether the biometric information will be disclosed or disseminated to other parties, and if so, the specific purpose for each such disclosure or dissemination; and (4) how long the entity will use or store the information
- maintain a program for tracking the written consents and releases authorizing the entity to collect, process, and disclose biometric information
- develop, implement, and enforce a policy for destruction of biometric information that no longer serves a legitimate business purpose.