On October 13. 2020, White Castle System, Inc. petitioned the United States Court of Appeals for the Seventh Circuit for permission to seek an interlocutory appeal pursuant to 28 U.S.C. § 1292(b).  This petition arises out of the United States District Court for the Northern District of Illinois’ opinion on White Castle’s motion for judgment on the pleadings issued on August 7, 2020.  The matter hinged on whether repeated collection of the same biometric information from an employee without prior consent constituted separate violations of the Illinois Biometric Information Privacy Act (BIPA).

Summary of District Court’s Cothron v. White Castle Opinion

In the district court’s opinion, Judge Tharp held that “[a] party violates Section 15(b) [of the BIPA] when it collects, captures, or otherwise obtains a person’s biometric information without prior informed consent.”  Judge Tharp continued, “[t]his is true the first time an entity scans a fingerprint or otherwise collects biometric information, but it is no less true with each subsequent scan or collection.”  Similarly, Judge Tharp held that BIPA requires that dissemination of information without consent, even if to the same third party as previously disseminated, is an additional violation of the BIPA.

In response, White Castle argued that such reading “would lead to absurd results because the statutory damages for each violation—if defined as every unauthorized scan or disclosure of Ms. Cothron’s fingerprint—would be crippling.”  While Judge Tharp “fully acknowledge[d] the large damage awards that may result,” he nonetheless found it unpersuasive and opted to follow the unambiguous language of the statute “even though the consequences may be harsh, unjust, absurd, or unwise.”

Immediate Impact of This Decision on Illinois Companies/Employers

The petition to the Seventh Circuit is vitally important with this decision, and indeed, will become a “bet-the-company” issue for many organizations.

Per White Castle’s Petition for Appeal, “[o]f the 700-plus BIPA class actions pending in Illinois state and federal courts, the vast majority are . . . brought by employees against their employers.”  In many of these cases, the employer continuously collects the same biometric information each day that the employee enters the premise.  Thus, as an Illinois state court stated, reading each collection as separate violation would force these employers “out of business—in droves” even “without any nefarious intent.”  Smith v. Top Die Casting Co. (opinion included in the Certificate of Petition linked above).

White Castle has also argued that Judge Tharp’s opinion creates a divergence from other Illinois state court decisions holding that BIPA violations occur only the first time a technology is used by an individual employee.

Impact of This Decision Elsewhere

This decision could have ramifications and serve as persuasive authority on other biometric statutes in Texas, Washington, California, and New York with similar informed consent requirements as the BIPA.  For instance, the Texas biometric privacy law also prohibits the capture and possession of biometric identifiers unless the person obtains informed consent.  While the Texas biometric statute does not include a private right of action, it allows the Texas Attorney General to bring an enforcement action seeking even steeper civil penalties of $25,000 for each violation.  Similarly, though the California Consumer Privacy Act’s (“CCPA”) private right of action may only be limited to data breaches, the California Attorney General’s enforcement capabilities are broader.  The California Attorney General may bring an enforcement action seeking civil penalties of $2,500 per negligent violation and $7,500 per intentional violation for a breach of any provision of the CCPA, including any requests to opt-out of the sale of personal information (which includes biometric information).  In addition, private Plaintiffs currently are testing the definition of a “breach” under CCPA and have suggested an interpretation of a breach to include use of data in a manner that is inconsistent with the privacy policy.  Should they prevail, this issue of how damages are calculated becomes even more relevant to California.

Interlocutory Appeal

While the import of the petition to the Seventh Circuit cannot be overstated, it is entirely possible that the court passes on this opportunity and waits until a final, appealable order.  Statistics show that the Seventh Circuit only grants 39% of permissive interlocutory appeals.  The Seventh Circuit requires the following four-factors to be satisfied to obtain interlocutory review: “[1] there must be a question of law; [2] it must be controlling; [3] it must be contestable; and [4] its resolution must promise to speed up the litigation.”  While the district court found these factors met, the Seventh Circuit could disagree.

Certification to the Illinois Supreme Court

The Seventh Circuit could also certify the issue—i.e., whether each subsequent collection of biometric information without consent is an additional violation of Sections 15(b) and (d) of the BIPA—to the Illinois Supreme Court per Rule 20(a) of the Illinois Supreme Court Rules.  Rule 20(a) states a certified question must involve: (1) issue(s) of Illinois law; (2) that are determinative of the case; and (3) no controlling precedents of the Illinois Supreme Court.  Thus, interpretation of the BIPA, an Illinois statute, would squarely fit.

Conclusion

In the end, time will tell whether the Seventh Circuit (or the Illinois Supreme Court) rules on this issue on interlocutory appeal.  In any event, these class actions will continue to make it through both the federal and state court systems and both appellate courts will have the ability to squarely decide the issue.  In the meantime, businesses need to consider the Cothron decision as well as its impact, and plan accordingly.