A KNIGHT’S REVOLT AGAINST THE CASTLE: ANSWERING THE BIPA CLAIM ACCRUAL QUESTION
By: Zach Robole, Volume 106 Staff Member
The inability of our legislatures to keep up with the boom of Internet technology has forced a conversation about privacy to the forefront of American discourse.[1] Unfortunately, even when state or federal legislatures do attempt to regulate a new technology to protect privacy rights, their solutions often contain holes or lack clarity.[2] Courts are then left with the job of filling in these holes and attempting to do the best that they can to apply old principles to new concepts.[3] An example of this comes through the Illinois Biometric Information Privacy Act (“BIPA”).[4] BIPA was enacted to regulate the collection, dissemination, and retention of individuals’ biometric information and it offers a statutory remedy against those that do so without the written consent of the individual.[5] Although remedy is offered, BIPA’s statutory language is unclear as to whether a repeated violation provides a new right of action at each instance or if the right of action is only available at first instance.[6] The Supreme Court of Illinois is now tasked with answering this question.[7] The correct interpretation is one that relies on a “traditional tort to privacy tort” comparison and concludes that repeatedly collecting identical biometric information should only be actionable at first instance and that disseminating that information is actionable for each dissemination to a new party.
I. BACKGROUND
A. Cothron v. White Castle System, Inc.
Latrina Cothron has been an employee of White Castle since 2004 and has been providing her fingerprints frequently to access work materials since shortly after beginning her tenure.[8] After each scan her fingerprints were sent to a third-party called Cross Match Technologies (“CMT”) for verification.[9] Cothron alleges that it was not until 2018 when White Castle attempted to obtain her written consent as BIPA (enacted 2008) requires.[10] Cothron filed a class action lawsuit specifically claiming a violation of BIPA §§ 15(b) and 15(d) which regulate the “collection” and “dissemination” of biometric data respectively.[11] Although White Castle maintains it did properly obtain Cothron’s consent, it focused its argument on the start of the statute of limitations period and the extent of the potential remedy.[12] Because of the repetitive nature of White Castle’s violation, Cothron argues a violation of both provisions at each instance, but White Castle argues violation at first instance only.[13] The importance of the answer to this cannot be overstated. If the statute of limitations began to run at first instance, plaintiffs like Cothron will be barred from suing, and those that are within the limitations period will receive a one-time damages award.[14] If the claims accrue and the limitations period runs with each violation, Cothron, and others, will be able to recover an extraordinary amount due to the high number of occasions they provided their fingerprints to access White Castle’s computers.[15] This question made its way from the federal district court to the Seventh Circuit Court of Appeals, which subsequently certified it and sent it to the Supreme Court of Illinois, where it now lies.[16]
B. Privacy Law in America
Although the existence of a right to privacy is recognized in the American legal system today, this has not always been the case. But, in 1890, it was famously asserted by Samuel D. Warren and Louis Brandeis that, although rarely if ever mentioned in common law cases, the right to privacy had a presence in historically accepted common law torts.[17] To sustain their assertion, Warren and Brandeis offered a comparison of the right to privacy with traditional rights such as the right to property, not to be defamed, assaulted or battered, and form contracts.[18] This “revelation” changed the American judicial system’s view on the matter, and it saw a universal adoption of privacy rights across jurisdictions.[19] The breach of privacy was further broken down into four categories: (1) intrusion upon the seclusion of another; (2) publicly disclosing embarrassing facts about another; (3) publicly placing another in false light; and (4) appropriating another’s image and likeness for personal gain.[20] It is easy to see that the protections offered by BIPA seek to remedy damages that align within these traditional categories.
II. APPLYING BIPA TO COMMON UNDERSTANDING OF PRIVACY LAW
The Supreme Court of Illinois has recognized the traditional analysis of Warren and Brandeis and should continue to do so here.[21] This recognition is exemplified through the Illinois appellate courts’ conveyances that the tort of intrusion is rooted in the traditional concept of trespass of physical property.[22] Additionally, it is clear that the Illinois legislators agree that the tort of dissemination of private information is similar to traditional defamation torts.[23] To solve the “repeated violations” question at hand, the Supreme Court of Illinois should look to precedent of repeated violations in these comparable, traditional torts. When categorizing the protections offered by § 15(b) and § 15(d) of BIPA, the former, which prohibits the “collection” of biometric data, falls into the “intrusion upon the seclusion of another” category and the latter, which prohibits the data’s “dissemination”, falls into the “publicly disclosing embarrassing facts about another” category.
A. Section 15(b) – Collection
The collection of biometric data is categorically an intrusion into the personal belonging of another. Intrusion of privacy has long been compared to trespass of real property.[24] Therefore, the court should look to precedent in this area for guidance.
Many courts (including the Supreme Court of Illinois) have noted that, when evaluating the statute of limitations period for trespass cases, the violation can further be broken down into two subcategories: permanent trespass and continuing trespass.[25] The former having a statute of limitations starting at first instance and the latter at each instance.[26] A permanent trespass is one in which a single isolated event causes the damage and starts the statute of limitations.[27] A continual trespass is one that happens “everyday” and every moment is arguably a new tort.[28] In Chicago & E.I.R. Co. v. McAuley, the Supreme Court of Illinois saw a case where the defendant railroad operator had built and completed its railroad on the plaintiff’s land.[29] The Court held that this was a permanent trespass and that the statute of limitations started upon the completion of the railroad even though the train would continue to run on the property.[30] Over a century later, the Court examined Meyers v. Kissner where the defendants had built levees on their land which caused yearly flooding on the plaintiff’s land.[31] The Court held that this was a continuous trespass and that the statute of limitations did not begin to run at the levees’ completion but, rather, it was an invasion of the plaintiff’s right “day to day.”[32]
It could be argued that Meyers overruled McAuley, but that was never held, and subsequent Illinois Appellate cases appear to still rule in accordance with McAuley.[33] To reconcile the cases, a clear distinction between a permanent and continuing trespass is needed. Although never offered by this Court, the Supreme Court of Georgia has provided an excellent explanation through consideration of the Restatement.[34] That court stated that a permanent trespass is one that cannot be “abated” whereas a continuing trespass is one that can.[35] This explanation succeeds in reconciling the two cases. In McAuley, once the railroad was complete, the damage was done and could not be lessened even by destruction of the railroad. In contrast, the levees caused a flooding on the plaintiffs’ property that could be abated by destruction of the levees.
Applying this principle to Cothron, the Court should conclude that the damages caused by the collection of the same biometric information is a permanent intrusion. Once White Castle collected Cothron’s personal information the intrusion and damages had been done; collecting the same identical information the next day or the day after did not create a new harm and stopping it would not lessen the harm done already.
Consider an analogy of a synonymous act to BIPA that regulated stalkers taking unsolicited pictures of their victims. A stalker taking a picture of their victim would be violating the act at first instance. However, if the stalker returned home where they had a photocopier and reproduced the same photo every day, there would not be new violations of the victim’s privacy.
A counter to this analysis could be that this situation is more akin to the stalker taking a new photo of the victim every day because White Castle did not reproduce Cothron’s fingerprints but took new ones. This would be a fair argument if White Castle took a new form of biometric data every day, but it did not. Unlike a new photo every day, Cothron’s fingerprints, by their nature, were exact copies. Therefore, the violation of a privacy right described in BIPA § 15(b) should be actionable at first instance only, not with each recurring instance.
B. Section 15(d) – Dissemination
The dissemination of the fingerprints falls into the second category of privacy violations. This type of violation finds itself often compared to defamation.[36]
As White Castle has pointed out, the Illinois state precedent is relatively clear that perpetuation of libel and slander follows a single publication rule.[37] This means that each individual copy of a material containing libelous statements does not provide a new cause of action.[38] This common law concept was codified in Illinois but only includes a list of traditional materials and it is unclear if the dissemination of biometric data falls within the definition of “publication” under this portion of the Illinois code.[39] However, it does not matter. The single publication rule was a common law principle in Illinois before its codification[40] and even if the dissemination of biometric data does not meet the statutory definition of “publication” under the statute it is certainly comparable to the common law principle and should be treated as such for the purposes of this analysis.
For guidance on how to apply this principle, the Court should turn to its recent case of Ciolino v. Simon.[41] Ciolino centered around the screenings of a film alleged to be defamatory.[42] The film was shown at multiple festivals across the country.[43] The Court held that each new screening was an independent instance of defamation that created a new claim and commenced a new statute of limitations period.[44] It came to this conclusion not because films were not covered by the Illinois single publication rule statute, but by determining that the screenings fell outside the first publication rule as they were intended for a new audience each time they were shown.[45] It would appear that a new publication is created when: (1) the information is conveyed at a different time; and (2) it is conveyed to a new audience. This makes logical sense. To continue with the “stalker” analogy above, this would be like if the stalker photocopied their photo of the victim every day and sent it to a new friend. It makes sense to conclude that each time they sent the photo there was a new violation of privacy. However, if the stalker reproduced the photo and sent it to the same friend everyday it likely would only be a violation the first time it was sent as there was no subsequent new audience.
The Court should see that § 15(d) does not allow for a “one-size fits all” rule. Within the fact pattern of Cothron, White Castle sent Cothron’s fingerprints to the same third-party every day. However, if White Castle had switched up its third-party verifier in 2013, then Cothron would have a new right of action under § 15(d). But it did not, and White Castle’s actions should fall within the precedent of the single publication rule even if it does not classify as a “publication” under the statute. Therefore, the statute of limitations for § 15(d) should have started to run upon the first time White Castle disseminated Cothron’s fingerprints to CMT after the enactment of BIPA.
CONCLUSION
There is a concern in America about what big companies are doing with individuals’ data.[46] Although it is certainly a well-founded concern, as it feels the scales of justice too often tip in favor of corporations, the judicial system needs to be careful and not allow the balance to fall uneven in the opposite direction by awarding damages to individuals that are not deserved. The conclusions found above are logical and fair considering that BIPA allows for remedy of actual damages too.[47] If White Castle mishandled Cothron’s biometric data and caused her $100,000 of actual damages she would be able to receive remedy equal to that value. Although there was undoubtedly a privacy violation here, the remedy for that violation alone (without actual damages) is fair at the $1,000-5,000 allowed for by BIPA.[48]
Even though the pace of legislation will likely never keep up with the pace of technological advancement, courts will be able to use common principles to come to sensible solutions on new issues. In Cothron, the Supreme Court of Illinois has the opportunity to do this as it examines the right of action for the “collection” and “dissemination” of biometric information. The Court should conclude, after applying standard privacy principles, that Cothron’s right of action started from the first instance and has not accrued since. Therefore, Cothron is outside the statute of limitations period and her case should be dismissed.
[1] See, e.g., Cecilia King, Four Attorneys General Claim Google Secretly Tracked People, N.Y. Times (Jan. 24, 2022), https://www.nytimes.com/2022/01/24/technology/google-location-services-lawsuit.html [https://perma.cc/9JKB-H9PY]; see also Regulation and Legislation Lag Behind Constantly Evolving Technology, Bloomberg L. (Sept. 27, 2019), https://pro.bloomberglaw.com/brief/regulation-and-legislation-lag-behind-technology [https://perma.cc/7WUE-QPLF] (highlighting that the Maryland Attorney General’s office alone gets 40,000 calls per year complaining about robocalls).
[2] See infra Part I.A.
[3] Id.
[4] Cothron v. White Castle Sys., Inc., 20 F.4h 1156 (7th Cir. 2021); see also 740 Ill. Comp. Stat. 14/1 et seq.
[5] 740 Ill. Comp. Stat. 14/5, 14/20.
[6] Cothron, 20 F.4th at 1159–60.
[7] Id. at 1166–67.
[8] Id. at 1159.
[9] Id.
[10] Id.
[11] Id.; see also 740 Ill. Comp. Stat. 14/15(b), 14/15(d).
[12] Cothron, 20 F.4th at 1161–62.
[13] Id. at 1162–63.
[14] Id. at 1160.
[15] Id. at 1165 (“If a new claim accrues with each scan, as Cothron argues, violators face potentially crippling financial liability.”).
[16] Id. at 1166–67.
[17] Louis D. Brandeis & Samuel D. Warren, The Right to Privacy, 4 Harv. L. Rev. 193 (1890).
[18] Id. at 193–94, 203, 209.
[19] June Mary Z. Makdisi, Genetic Privacy: New Intrusion a New Tort?, 34 Creighton L. Rev. 965, 982 n.96 (2001).
[20] See William L. Prosser, Privacy, 48 Cal. L. Rev. 383, 389 (1960). Prosser’s categories were later implemented into the Restatement of Torts. See Restatement (Second) of Torts § 652B–E (Am. L. Inst. 1977).
[21] E.g., People v. Austin, 155 N.E.3d 439, 460 (Ill. 2019).
[22] Benitez v. KFC Nat’l Mgmt. Co., 305 714 N.E.2d 1002, 1034 (Ill. App. Ct. 1999) (“In particular, the fact that the elements of intrusion upon seclusion may overlap with the elements of other torts (trespass, for example) is no reason to reject intrusion upon seclusion as a viable cause of action.”); Green v. Chicago Tribune, 675 N.E.2d 249, 259 (Ill. App. Ct. 1996) (Cahill, J., dissenting) (speculating that the Supreme Court of Illinois’ reluctance of the time to recognize a cause of action for intrusion was a possible “awareness that elements of the tort overlap established common law actions (trespass, for example)”).
[23] See 735 Ill. Comp. Stat. 5/13-201 (grouping the right of action for publication of private facts with that of slander and libel in a general statute of limitations). This is not an uncommon line of thought. See Barber v. Time, Inc. 159 S.W. 291 (Mo. 1942) (comparing the public concern prong of a publication of private facts tort to that of the “qualified privilege” prong in libel); Bremmer v. Journal-Tribune Publishing Co., 76 N.W.2d 762 (Iowa 1956) (same).
[24] Prosser, supra note 20, at 389–90 (“The privacy action which has been allowed in such cases will evidently overlap, to a considerable extent at least, the action for trespass to land or chattels.”).
[25] Eric C. Surette, Annotation, Accrual of Claims for Continuing Trespass or Continuing Nuisance for Purposes of Statutory Limitations, 14 A.L.R. 7th Art. 8 § 2 (2016).
[26] Id.
[27] Id.
[28] Id.
[29] Chicago & E.I.R. Co. v. McAuley, 11 N.E. 67, 67 (Ill. 1887).
[30] Id. at 69.
[31] Meyers v. Kissner, 594 N.E.2d 336, 337 (Ill. 1992).
[32] Id. at 340.
[33] Bank of Ravenswood v. City of Chicago, 717 N.E.2d 478 (Ill. App. Ct. 1999) (holding in a similar manner to McAuley, 11 N.E. 67 when examining a subway tunnel built under plaintiff’s property).
[34] Oglethorpe Power Corp. v. Forrister, 711 S.E.2d 641, 643 (Ga. 2011) (citing Restatement (Second) of Torts § 899 cmt.d (Am. L. Inst. 1979)).
[35] Id.; see also Abate, Merriam-Webster, https://www.merriam-webster.com/dictionary/abate [https://perma.cc/5KPV-DA8F] (“[T]o become weaker; to decrease in strength.”).
[36] Prosser, supra note 20, at 398 (“The interest protected is that of reputation, with the same overtones of mental distress that are present in libel and slander.”).
[37] Cothron v. White Castle Sys. 20 F.4th 1156, 1163 (7th Cir. 2021).
[38] Id.
[39] Id.; see also 740 Ill. Comp. Stat. 165/1.
[40] Winrod v. Time, Inc., 78 N.E.2d 708 (Ill. App. Ct. 1948).
[41] Ciolino v. Simon, No. 126024, 2021 WL 1031371 (Ill. Mar. 18, 2021).
[42] Id. at *2–3.
[43] Id.
[44] Id. at *7–8.
[45] Id. (citing Restatement (Second) of Torts § 577A(3) cmt.d (Am. L. Rev. 1979)) (“‘[I]f the same defamatory statement is published in the morning and evening editions of a newspaper, each edition is a separate single publication and there are two causes of action.’”).
[46] E.g., Geoffrey A. Fowler, There’s No Escape from Facebook, Even if You Don’t Use It, Wash. Post (Aug. 29, 2021), https://www.washingtonpost.com/technology/2021/08/29/facebook-privacy-monopoly [https://perma.cc/5A5J-5T96].
[47] 740 Ill. Comp. Stat. 14/20.
[48] Id.