The Matrix

White Castle argued that damages in the action, which potentially involves approximately 9,500 current and former White Castle employees who provided scans multiple times per day, would be excessive, potentially exceeding $17 billion. However, the Court generally sidestepped such policy arguments on the ground that the Court was “not being asked to render a decision on the damages in this case or to make a policy-based decision about excessive damages,” but was being asked “to determine legislative intent by considering the consequences of construing the statute one way or another.” 2023 IL 128004, ¶ 62. The Court acknowledged that there is no language in the Act suggesting that “financial destruction of a business” is the intent of BIPA, but concluded that a trial court presiding over a class action “would certainly possess the discretion to fashion a damage award that (1) fairly compensated claiming class members and (2) included an amount designed to deter future violations, without destroying a defendant’s business.” Id. at ¶ 42 (quoting Century Mutual Insurance Co. v. Tracy’s Treasures, Inc., 2014 Il. App. (1st) 123339, ¶ 66 n4). Instead of allowing the magnitude of damages to impact the outcome of its decision, the Court “respectfully suggest[ed] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.” Id. at ¶ 43.

The dissent took issue with the majority’s conclusion that a company could violate the law multiple times by taking the same fingerprint successively. The dissent reasoned that “[w]ith the subsequent scans, the fingerprint is not being obtained, it is being compared to the fingerprint that White Castle already has” and the plaintiff “suffered no additional loss of control over her biometric information.”  Id. at ¶ 52 (Overstreet, J., dissenting). The dissent concluded that the “precise harm” the legislature was addressing, i.e., an individual’s loss of the right to maintain biometric privacy, is suffered only upon the first scan. Id. at ¶ 53. But “[o]nce that entity has the fingerprint, there is no additional loss of control, loss of privacy, or loss of secrecy from subsequent scans of the same finger.” Id.

The dissent also faulted the majority for ignoring the principle of statutory construction that dictates an “absurd result must be avoided.” Id. at ¶ 59. The majority’s construction of the statute would both incentivize plaintiffs (who suffer no additional harm with each successive scan) to delay in bringing claims and would easily lead to “annihilative liability for businesses.” Id. at ¶ 61.

Finally, the dissent highlighted that the “legislature’s intent was to ensure the safe use of biometric information, not to discourage its use altogether.”  Id. at ¶ 66. With this decision, the risk of collecting biometric data may be so significant for businesses that they will no longer use these systems here and Illinois citizens will be deprived of the utility and benefits of biometric technologies. It remains to be seen whether the legislature will consider whether this was the intended outcome of BIPA.