What is the purpose of punishment?
Not to get all “moral philosophy professor” on everyone, but that question is the foundation of a great many things legislators consider. For today, the focus is the Biometric Information Privacy Act, but keep it in mind any time you hear about the General Assembly writing laws: is there a penalty for violating that law, and if so, what purpose does the penalty serve?
Hannah Meisel, of Capitol News Illinois, reported Thursday about proposed changes to soften penalties under the 2008 law, written from concerns over identity theft linked to then-nascent technology like facial recognition, fingerprint scanners and voice pattern detection.
I wrote about the issue last February following Illinois Supreme Court Justice David Overstreet’s thoughtful dissenting opinion in Cothron v. White Castle System. The U.S. Seventh Circuit Court of Appeals asked the Supreme Court to answer whether the initial collection of personal data (a fingerprint, face scan, etc.) is the only time at which a company can violate BIPA, or whether each individual scan can constitute an independent violation.
For instance, was the only possible violation when my family gave our fingerprints to Six Flags upon activating our season passes, or could we count each subsequent time we entered Great America using the scanner? Specific to the burger chain, is the concern setting up employees in the system or every time they clocked in or accessed a checkout terminal?
As Meisel explained, Democrats are exploring addressing these questions, hopeful to retain enough potential punishment to keep corporations adhering to BIPA standards for informed consent, data retention and more without something state Sen. Bill Cunningham, D-Chicago, called “annihilative liability,” financial penalties so severe companies would go out of business.
We have criminal penalties so severe they permanently remove convicted offenders from society and scores of experts willing to debate the application of those principles. Such discussions are far less common when businesses violate a law – especially one such as BIPA, where the enforcement mechanism isn’t a state regulatory agency but civil litigation. (Imagine if you could file a lawsuit against everyone who runs the stop sign at the end of your block.)
As I wrote last year, many people argue trial lawyers fund Democratic politicians who write laws making businesses subject to large payouts, as large percentages go to the lawyers. The counterpoint is penalties on corporations protect workers and customers.
The original sin of BIPA wasn’t the imposition of steep fines to discourage cavalier handling of irreplaceable personal data, or even the private enforcement approach, but leaving open the question of penalty accrual. It’s long past time for certainty. All the better if we reach that conclusion through frank discussion about the purpose of punishments.