As state Supreme Court weighs another BIPA lawsuit, lawmakers mull child data privacy framework
In Springfield on Thursday, the medical industry went to court.
The Illinois Supreme Court heard oral arguments in a pair of class action suits brought by two suburban nurses, Lucille Mosby and Yana Mazya, who allege their employers violated the state’s Biometric Information Privacy Act, a landmark 2008 law that gives Illinois residents the ability to sue companies that misuse biometric data, such as fingerprints or facial scans.
It’s the same act that formed the basis of several high-profile lawsuits that have led to massive penalties or settlements, such as the $650 million Facebook agreed to pay its Illinois users after it was alleged to have misused biometric data.
The nurses allege that, by requiring the use of fingerprint scanners to open medicine cabinets, Northwestern Medicine, UChicago Medicine and Becton, Dickinson and Co. – the company that makes the medicine cabinets – violated BIPA.
According to court filings, the hospital systems did not collect written releases allowing them to use the fingerprint data, nor did the hospitals provide information about how the biometrics would be stored or eventually destroyed. They also failed to obtain consent to disclose the fingerprint data to third-party vendors that host it.
But lawyers for the defendants argued the use of biometrics to manage medicine falls under an exemption to the law because it counts as, in the words of BIPA, “health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act.”
The exact wording of the law, and the definition of “under,” faced scrutiny from lawyers on both sides of the case as they argued about the intersection of BIPA and the federal HIPAA law.
“If the defendant is correct, that means the General Assembly decided that as much as 10 percent of the Illinois workforce should have no biometric privacy protection whatsoever, simply by virtue of working in the health care field,” the nurses’ attorney, Jim Zouras, told the court Thursday.
Beyond the specifics of the case, the hospitals’ lawyers also focused on its potential industrywide impact. In their legal brief filed ahead of arguments, they said health care providers would potentially face “catastrophic liability.”
In a February decision against fast food chain White Castle, the Supreme Court ruled that each separate violation of BIPA – meaning every time the company required an employee to sign in using biometric data – represented a separate violation of the law. With penalties of $1,000 or $5,000 per violation included in BIPA, White Castle estimated the ruling could eventually cost the company $17 billion.
That level of liability could be disastrous if applied to the medical community, the defendants argued.
“Biometrics are industry standard at this point,” Matt Wolfe, a lawyer for BD, told the justices Thursday. “Over the last 15 years, this type of technology has become extremely widely used in the health care setting.”
A lower court agreed with the nurses in 2022, with Justice Sharon Oden Johnson of the First District Appellate Court writing lawmakers “did not exclude health-care employee biometric information” from BIPA protections.
The case has drawn the attention of both the wider medical industry and the business community.
Several major advocacy and trade groups filed amicus briefs in the case, generally supporting the exclusion of health care workers from BIPA protections. These include the Illinois Health and Hospital Association, the Advanced Medical Technology Association and a coalition of private hospitals including Springfield-based Memorial Health, Northshore University Health System and Rush University System for Health in the Chicago area.
The Illinois Chamber of Commerce and the U.S. Chamber of Commerce also filed briefs warning of potential “annihilative liability” for hospitals if the court rules in the nurses’ favor, referencing a line from a dissent written by Justice David Overstreet in the White Castle case.
While most of the amicus briefs supported the hospitals’ arguments, the American Nurses Association filed an amicus brief supporting the plaintiffs.
“To exempt hundreds of thousands of healthcare workers from coverage without explicit language from the legislature to that effect would be contrary to BIPA’s purpose,” the organization’s lawyers wrote in their brief.
The justices will now take the arguments into consideration, although there is no timetable for a decision being filed.
Lawmakers consider broader framework
While the high court considers the state’s existing privacy regulations, lawmakers are thinking about broader privacy frameworks. A Senate committee met in Chicago on Tuesday to discuss an unrelated proposal that would create a framework for data privacy focused on strengthening protections for minors online.
The hearing, held by the Senate Judiciary Committee, was to discuss a proposal from Sen. Sue Rezin, R-Morris, to implement an “age-appropriate design code.” The proposed policy would require companies that offer online services “likely to be accessed by children” to assess the impact of their product on children and explain privacy policies in language that children would understand.
Under Rezin’s bill as it is written currently, businesses would be liable for civil penalties of up to $2,500 per affected child for negligent violations of privacy protections and up to $7,500 per affected child for intentional violations.
The proposal would also place new privacy and data restrictions on companies, limiting their ability to profit from and share data collected from or about minors. This has drawn support from some youth activists, who say a policy like this could help curb the harmful effects of social media.
“I’m here to speak on behalf of my generation for the harm we’ve experienced,” Zamaan Qureshi, co-chair of the advocacy organization Design It For Us, told lawmakers Tuesday. “Some of our generation have developed depression, eating disorders and attempted or taken their life due to social media.”
Rezin said the proposal is “almost identical” to a similarly named California law passed in 2022. That law was inspired in turn by another similarly named policy adopted in the United Kingdom.
The age-appropriate design code would also require companies to estimate the age of their users to a “reasonable level of certainty” and apply child-focused protections based on that estimated age. Alternatively, the companies could apply those protections to all users.
But Tyler Diers, a representative of the tech industry lobbying group TechNet, argued such a requirement would encourage web companies to collect more personally identifiable information than they already do, leading to increased risks from data breaches.
TechNet’s members include Apple, Google and Meta – the owner of Facebook and Instagram – among other large tech companies.
On Monday, a federal judge in the Northern District of California granted a preliminary injunction in a lawsuit brought by tech lobbying group NetChoice that objects to California’s age-appropriate design code law. The judge found the tech industry’s argument that the law violates the First Amendment would likely prevail at trial.
When asked about the pending legal challenges to the ideas underlying her bill, Rezin said she expects to iron out some of those details in future legislation.
“The hearing was a first step in educating my colleagues on how social media companies are creating algorithms to addict minors because they view minors as a product they can advertise to, to make money off of,” Rezin told Capitol News Illinois.
Capitol News Illinois is a nonprofit, nonpartisan news service covering state government. It is distributed to hundreds of print and broadcast outlets statewide. It is funded primarily by the Illinois Press Foundation and the Robert R. McCormick Foundation, along with major contributions from the Illinois Broadcasters Foundation and Southern Illinois Editorial Association.