WLF Circulating Opinion digested from a dissent from the denial of rehearing by The Honorable David K. Overstreet, Justice, Supreme Court of the State of Illinois. The full text of the decision, issued on July 18, 2023, is available here.

Ed. note: WLF’s “Circulating Opinion” spotlights exceptional judicial writing on compelling, timely topics. Each chosen opinion speaks for itself. No assessment, analysis, or evaluation is needed. WLF digests the chosen opinions to focus in more effectively on the issue or issues of interest. Justice Overstreet had no role in WLF’s selecting or editing this opinion for our Circulating Opinion feature.

Opinion Topic: Erroneous construction of the Illinois Biometric Information Privacy Act

Introduction to the Digested Opinion: On February 17, 2023, the Illinois Supreme Court held in Cothron v. White Castle Systems, Inc. that, for purposes of the Biometric Information Privacy Act’s (BIPA) five-year statute of limitations, a new claim arises each time an entity collects or discloses an individual’s biometric data. A plaintiff could thus claim a BIPA violation each time she and her colleagues scan their fingers during a five-year period and each time the company provides those scans to a third-party vendor. While conceding that damages in such cases could be in the billions of dollars, the court concluded that the statutory language supported its interpretation. Justice Overstreet, joined by Chief Justice Theis and Justice Holder White, dissented.

On July 18, 2023, the court denied White Castle’s rehearing petition. Justice Overstreet, again joined by Chief Justice Theis and Justice Holder White, dissented from the denial, explaining the court has a duty to correct a flawed interpretation of BIPA that “violates basic and fundamental principles of statutory construction but also raises serious due process concerns.”

Digested Opinion:

JUSTICE OVERSTREET, dissenting:

I would allow rehearing to address White Castle’s argument that this court’s opinion cemented an erroneous interpretation of the Biometric Information Privacy Act (Act) (740 ILCS 14/1 et seq. (West 2018)) that subverted the intent of the Illinois General Assembly, threatens the survival of businesses in Illinois, and consequently raises significant constitutional due process concerns. The legislature never intended the Act to be a mechanism to impose extraordinary damages on businesses or a vehicle for litigants to leverage the exposure of exorbitant statutory damages to extract massive settlements. Yet, this court construed the Act to allow these unintended consequences, and as a result, this construction raises serious issues as to the Act’s validity.

As argued in White Castle’s initial briefing before this court, the legislature intended the Act to be a remedial statute that implemented prophylactic measures to prevent the compromise of biometrics by allowing individuals to choose to provide (or not to provide) their data after being advised that it is being collected, stored, and potentially disclosed. See McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, ¶ 48, 456 Ill.Dec. 845, 193 N.E.3d 1253; Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 36, 432 Ill.Dec. 654, 129 N.E.3d 1197 (discussing General Assembly’s goal, through the Act, of preventing problems “before they occur” by imposing safeguards to protect an individual’s privacy rights in their biometric identifiers and information). Remedial statutes “are designed to grant remedies for the protection of rights, introduce regulation conducive to the public good, or cure public evils.” Standard Mutual Insurance Co. v. Lay, 2013 IL 114617, ¶ 31, 371 Ill.Dec. 1, 989 N.E.2d 591. Remedial statutes are distinct from penal statutes, which operate as “punishment for the nonperformance of an act or for the performance of an unlawful act” and “require[ ] the transgressor to pay a penalty without regard to proof of any actual monetary injury sustained.” (Internal quotation marks omitted.) Goldfine v. Barack, Ferrazzano, Kirschbaum & Perlman, 2014 IL 116362, ¶ 28, 385 Ill.Dec. 339, 18 N.E.3d 884.

Damages under the Act are the greater of actual damages or liquidated damages. 740 ILCS 14/20 (West 2018). Arguably, this consideration is indicative of the fact that liquidated damages were intended to be awarded where actual damages were too small and difficult to prove, not as a multiplier by thousands for each time technology is used. Yet, pursuant to this court’s per-scan construction of the Act, where claims and damages accrue under the Act with each scan of a finger and each transmission to the same technology vendors, the results will vastly exceed reasonable ratios between the damages awarded and the offense at issue.

The goal of construing a statute is to give effect to the intent of the legislature. Roberts v. Alexandria Transportation, Inc., 2021 IL 126249, ¶ 29, 451 Ill.Dec. 244, 183 N.E.3d 701. For the majority’s flawed construction of the Act to prevail, it must be presumed that our legislature resolutely passed the Act for the purpose of establishing a statutory landmine, destroying commerce in its wake when negligently triggered. This flawed presumption of the legislature’s intent is required under the majority’s construction because, under the majority’s view, the legislature intended for Illinois businesses to be subject to cataclysmic, jobs-killing damages, potentially up to billions of dollars, for violations of the Act. No reported case has ever made a similar assumption about our legislature’s intent in passing legislation, likely because it does not withstand reason to believe the legislature intended this absurd result. The majority’s construction of the Act does not give effect to the legislature’s true intent but instead eviscerates the legislature’s remedial purpose of the Act and impermissibly recasts the Act as one that is penal in nature rather than remedial. This construction not only violates basic and fundamental principles of statutory construction but also raises serious due process concerns that, I believe, must be addressed by this court on rehearing.

Plaintiff alleges that she scanned her finger each time she accessed a work computer and each time she accessed her weekly pay stub. Assuming plaintiff worked 5 days per week for 50 weeks per year and accessed the computer each day and her pay stub weekly, her total scans would exceed 1500 over a five-year limitations period, which may result in damages exceeding $7 million for this single employee despite the fact that plaintiff has not alleged a data breach or any costs or other damages associated with identity theft or compromised data. The excessive nature of plaintiff’s potential damages is exacerbated in the class-action context. Thus, as a result of this court’s construction of the Act in this case, this court has undermined any connection between potential damages and actual monetary injury sustained and has thus arguably mutated the Act’s provisions into ones that are penal in nature. In doing so, this court failed to interpret the Act to avoid a construction that would raise doubts as to its validity. People v. Nastasio, 19 Ill. 2d 524, 529, 168 N.E.2d 728 (1960) (it is our duty to interpret a statute so as to promote its essential purposes and to avoid, if possible, a construction that would raise doubts as to its validity).

The legislature’s authority to set a statutory penalty is limited by the requirements of due process. In re Marriage of Miller, 227 Ill. 2d 185, 197, 316 Ill.Dec. 225, 879 N.E.2d 292 (2007); St. Louis, Iron Mountain & Southern Ry. Co. v. Williams, 251 U.S. 63, 66 (1919). When a statute authorizes an award that is so severe and oppressive as to be wholly disproportioned to the offense and obviously unreasonable, it does not further a legitimate government purpose, runs afoul of the due process clause, and is unconstitutional. See St. Louis, Iron Mountain & Southern Ry. Co., 251 U.S. at 67; see also People v. Bradley, 79 Ill. 2d 410, 417, 38 Ill.Dec. 575, 403 N.E.2d 1029 (1980) (pursuant to due process clause of the Illinois Constitution, the legislature properly exercises its police power when its statute is “‘reasonably designed to remedy the evils which the legislature has determined to be a threat to the public health, safety[,] and general welfare’”) (quoting Heimgaertner v. Benjamin Electric Manufacturing Co., 6 Ill. 2d 152, 159, 128 N.E.2d 691 (1955)).

The implications of the majority’s opinion are severe and arguably oppressive, wholly disproportioned to the violations addressed in the Act, and unreasonable. As noted in the majority’s opinion, White Castle estimates that if plaintiff is successful and allowed to bring her claims on behalf of as many as 9500 current and former White Castle employees, class-wide damages in her action may exceed $17 billion. Supra ¶ 40. White Castle and amici note hundreds of pending cases involve similarly gigantic damages claims that could toll the death knell for even large, financially successful businesses.

This court’s opinion has only exacerbated the confusion regarding the potential for exorbitant damages. In Rogers v. BNSF Ry. Co., No. 1:19-cv-03083, 2019 WL 13231781 (May 7, 2019), for example, the jury found in favor of a class of 45,600 truck drivers alleging that the defendant violated the Act on 45,600 occasions, despite no evidence that class members’ alleged biometric data was compromised or improperly used. Notification of Docket Entry, ECF No. 223, Rogers v. BNSF Ry. Co., No. 1:19-cv-03083, 2022 WL 16721966 (N.D. Ill. Oct. 12, 2022). The federal district court entered judgment on the verdict and assessed damages of $228 million against the defendant based on the Act’s provision for statutory damages of $5000 for each intentional or reckless violation of the Act identified by the jury. Id. After this court’s decision in this case, the plaintiff argued that the amount should be multiplied. See Response at 2, ECF No. 256, Rogers v. BNSF Ry. Co., No. 1:19-cv-03083 (N.D. Ill. Mar. 3, 2023) (stating that the language in this court’s opinion regarding the “discretionary” nature of damages “is dictum stacked upon dictum and is not precedential”); Plaintiff’s Rule 59 Motion to Amend Judgment at 1, ECF No. 236, Rogers v. BNSF Ry. Co., No. 1:19-cv-03083 (N.D. Ill. Nov. 9, 2022) (“The sole purpose of this [m]otion is to ask the [c]ourt to adjust the statutory damages to conform to the undisputed evidence that there were actually 136,800 violations ***.”). Likewise, cases alleging violations of the Act reportedly jumped 65% in Illinois circuit courts in the two months since this court’s ruling. See, e.g., Stephen Joyce & Skye Witley, Illinois Biometric Privacy Cases Jump 65% After Seminal Ruling, Bloomberg L. (May 2, 2023), https://news.bloomberglaw.com/privacy-and-data-security/illinois-biometric-privacy-cases-jump-65-after-seminal-ruling [https://perma.cc/BQT8-7QKR] (noting that many smaller companies implemented the biometric technology to gain efficiencies with fewer resources, now those resources are being spent defending litigation, and growing liability risks may push more businesses into settlement agreements).

The parties’ pleadings highlight that the potential ramifications for businesses operating in Illinois may be catastrophic. If an employee scans his finger (or hand, face, retina, etc.) on a timeclock four times per day—once at the beginning and end of each day and again to clock in and clock out for one meal break—over the course of a year, a single employee would have scanned alleged biometric identifiers or information more than 1000 times. Where a new claim accrues each time the employee scans on the system and the employee can recover a separate award of statutory liquidated damages for each scan, the potential damages for a single employee over the course of a year against a business negligently violating the Act would approximate $1 million. The potential damages against a defendant acting intentionally or recklessly would approximate $5 million. A small business with 50 such employees would face staggering statutory liquidated damages.

Moreover, an employer who employs 100 employees in a given year and who secures consent forms from 95% of its employees before using a biometric time clock could face statutory liquidated damages of $100,000 if the remaining five employees use the timeclock for a single week before the employer secures consent forms from them. Multiplied over a five-year period, the potential exposure would be $500,000 for an employer who is working diligently to ensure compliance with the Act while also juggling staffing issues and high turnover during a volatile labor market.

Amici note that the risk of harm the Act was enacted to prevent has not materialized in the 15 years since it was passed into law: in the more than 1700 cases filed since 2019, no case involved a plaintiff alleging that his or her biometric data has been subject to a data breach or led to identity theft. Thus, the potential astronomical damages awards under the majority’s construction of the Act would be grossly disproportionate to the alleged harm the Act seeks to redress.

In egregiously expanding a business’s potential liability, this court suggested that the legislature review these policy concerns and clarify its intent regarding the assessment of damages under the Act. See supra ¶ 43. As I noted in my initial dissent, the legislature’s intent regarding the assessment of damages involved a one-time scan interpretation and was clear. Supra ¶ 65. Notwithstanding the majority’s inconsistent conclusions that the Act’s language was clear and simultaneously in need of clarification by the legislature (supra ¶ 43), it was the majority’s interpretation that caused the ambiguity for which it needed clarification by the legislature. It was the majority’s interpretation that raised constitutional issues contemplated by White Castle during initial briefing before this court but not addressed in this court’s opinion.

In this court’s opinion, the majority acknowledged that the consequences of its holding were “harsh, unjust, absurd[,] or unwise” (internal quotation marks omitted) (supra ¶ 40) and that no language in the Act suggested a legislative intent to authorize a damages award that would result in the financial destruction of a business (supra ¶ 42). In nevertheless holding as appropriate a per-scan interpretation of the Act, which thereby authorized exorbitant damages awards threatening financial ruin for some businesses, this court has raised constitutional due process concerns threatening the Act’s validity. Considering that the damage awards will now be arbitrary, unclear, and potentially exorbitant, is the statute reasonably designed to remedy the evils that the legislature determined to be a threat to the public health, safety, and general welfare? See Heimgaertner, 6 Ill. 2d at 159, 128 N.E.2d 691.

Accordingly, I would vote to grant rehearing to determine if the resulting penalty to Illinois businesses passes constitutional scrutiny. See Bradley, 79 Ill. 2d at 418, 38 Ill.Dec. 575, 403 N.E.2d 1029 (holding statute violated due process where penalty was “not reasonably designed to remedy the evil” the legislature identified); People v. Morris, 136 Ill. 2d 157, 162, 143 Ill.Dec. 300, 554 N.E.2d 235 (1990) (holding statutory penalty unconstitutional where it did not advance legislature’s stated purpose in enacting statute).

At a minimum, I would grant White Castle’s request for rehearing to allow this court to clarify paragraphs 40 through 43 of the opinion and provide guidance to the lower courts regarding the imposition of damages under the Act. These paragraphs highlight the conflicts that result from the opinion’s accrual construction: Section 20 permits recovery for “each violation,” damages “appear[ ]” to be discretionary, class members should be compensated and future violations deterred “without destroying defendant’s business,” and policy concerns exist over “excessive damage awards.” Supra ¶¶ 40-43. As noted by White Castle in its petition for rehearing, no guidance or criteria remain for who pays nothing and who suffers annihilative liability. See supra ¶ 40.

Although the majority recognized that it “appear[ed]” that these awards would be discretionary, such that lower courts may award damages lower than the astronomical amounts permitted by its construction of the Act (supra ¶ 42), the court did not provide lower courts with any standards to apply in making this determination. This court should clarify, under both Illinois and federal constitutional principles, that statutory damages awards must be no larger than necessary to serve the Act’s remedial purposes and should explain how lower courts should make that determination. Without any guidance regarding the standard for setting damages, defendants, in class actions especially, remain unable to assess their realistic potential exposure.

Despite legislative language suggesting otherwise, this court’s opinion authorized the Act’s imposition of damages wildly exceeding any remotely reasonable estimate of harm. As noted by amici, for businesses facing this draconian exposure, it is cold comfort that this job-destroying liability only “may” be imposed—if the actual amount depends on the decisions of individual trial judges applying their own standards, formulated without any guidance from this court or the legislature.

This court’s opinion leaves a staggering degree of uncertainty for courts and defendants. “Elementary notions of fairness enshrined in our constitutional jurisprudence dictate that a person receive fair notice not only of the conduct that will subject him to punishment, but also of the severity of the penalty that a State may impose.” BMW of North America, Inc. v. Gore, 517 U.S. 559, 574 (1996). This court has been willing to reconsider its earlier decision in circumstances where the result of the prior decision would amount to “legalized extortion and a crippling of *** commerce as we know it.” American Telephone & Telegraph Co. v. Village of Arlington Heights, 156 Ill. 2d 399, 409, 189 Ill.Dec. 723, 620 N.E.2d 1040 (1993). Accordingly, I implore my colleagues to reconsider the court’s earlier decision and allow White Castle’s petition for rehearing.