Quantcast

BIPA reform would allow businesses to comply before ‘gotcha’ lawsuits filed, witness says

MADISON - ST. CLAIR RECORD

Tuesday, December 24, 2024

BIPA reform would allow businesses to comply before ‘gotcha’ lawsuits filed, witness says

Reform

SPRINGFIELD – Illinois businesses pay employees $1,000 or more to settle claims that they violated data privacy law, according to statements at an April 12 hearing on a bill to change the law. 

The proposed reform would reduce penalties that run to $20,000 per violation, and provide cure for employers who didn’t follow the law because they didn’t know about it. 

Under the Biometric Privacy Act (BIPA), an employer that scans fingers for time keeping and other purposes must notify an employee of its duty to protect privacy and must obtain consent. 

Some business owners didn’t know about the law until an employee sued, witnesses at Monday’s hearing said. 

A cure would allow compliance without a “gotcha” lawsuit following, defense attorney Melissa Siebert of Shook Hardy Bacon in Chicago told the Senate judiciary subcommittee on privacy. 

Siebert represents White Castle restaurants at the U.S. Seventh Circuit appellate court, seeking to overturn a ruling on penalties.

She told senators that BIPA is not a breach statute; other laws apply in the event of a breach. 

She said a cure would mean an employer could disclose its privacy protection requirements after the fact. 

She also said finger scan data is not fingerprints.

“It’s a misconception,” she said. “It can’t be reverse engineered into prints.

“Not one case says there was a breach, misuse, or misdisclosure.”

Boill sponsor Sen. Jason Barickman (R-Bloomington) compared it to walking on black ice in a parking lot.

“I didn’t fall but I could have so I’ll sue,” he said.

Someone asked why anyone would settle and Siebert responded, “What’s their defense? Case law dictates settlement.” 

Someone earlier had said settlements averaged $1,500, and she said $1,000. 

Satna Khatri opposed the bill on behalf of American Civil Liberties Union, telling senators the law doesn’t need any amendment. 

Khatri said privacy deserves utmost protection and the law Illinois passed in 2008 is the most effective in the country. 

“It has been working as intended since the day it passed. It protects vulnerable people,” she said.

She said injury occurs when an employee loses control of data. 

She named big tech companies and said the bill would fill their pockets. 

She proposed development of an information pipeline to employers, as simple as posters for workplaces and information for new employees.

She offered to work with others to put together resources for sharing information. 

Siebert said she disagreed about the law working well for employees.

“It works well for defense attorneys like me and plaintiff attorneys,” Siebert said. 

She said it would be great if there were more information.

“It is crippling business,” she said. “My clients don’t have the money.” 

The subcommittee took no action. The House judiciary civil committee passed a similar bill in March.

White Castle brief

Siebert filed White Castle’s appeal brief at the Seventh Circuit on March 29, challenging a ruling of District Judge John Tharp of Chicago that for purposes of statutes of limitations, data privacy claims accrue at each violation.

In the brief, Siebert argues that Tharp's opinion could lead to damages exceeding $3 million for plaintiff Latrina Cothron.

She wrote that more than 780 suits have been filed in state and federal courts under the Act since 2016.

She argues that it would be catastrophic for any company, as claims accrue upon a first violation, and many wouldn’t survive.

The brief states that the Illinois Supreme Court defines an injury under the Act as loss of control over biometric information, and that under the Act, an individual has been aggrieved when the individual loses that control.

“An individual cannot lose control or be aggrieved a second time,” Siebert wrote. 

She argues the invasion of a plaintiff’s interest and the injury are one and the same, and happen in the same moment.

She argues that Tharp exposed employers to potential damages enough to chill the use of biometrics in workplaces.

She claims the Act wasn’t designed to discourage the use of biometrics or make it so risky that companies avoid it altogether.

“Quite the opposite,” she wrote. 

More News