On Oct. 12, 2022, the Illinois Biometric Information Privacy Act (BIPA), a state law that restricts collection of biometric data, made headlines again when a Chicago jury rendered a $228 million judgment against BNSF Railway Co. in the first BIPA class action to go to trial. The case, Rogers v. BNSF Railway Co., relates to the collection of fingerprints of truck drivers entering a railyard. The award is a significant development because the jury found BNSF liable even though the company had hired a third party to install and manage the automatic gate system that used biometric data for security purposes. Specifically, the jury found BNSF responsible for compliance with BIPA and recklessly or intentionally violating the law more than 45,000 times—once for each member of the putative class.
BIPA has received a significant amount of attention since 2015, when Facebook was hit with a class-action lawsuit that alleged the social media giant violated BIPA with facial recognition software in its “tag suggestions” feature. Facebook ultimately agreed to pay $650 million to resolve the class action in one of the largest BIPA-related settlements on record. BIPA class actions against other social media and tech companies soon followed, as did additional multimillion-dollar settlements, including Google’s agreement to pay $100 million to resolve BIPA class claims, TikTok’s $92 million settlement, and Snapchat’s $35 million settlement.
Already a growing cottage industry, the blockbuster $228 million jury award and other multimillion-dollar settlements will further fuel biometric class-action litigation. It is essential for businesses to understand the risks associated with using biometric data, including potential litigation and liability exposure under BIPA and emerging copycat laws in other jurisdictions.
Statutory Framework of BIPA
BIPA was the first law in the U.S. to regulate the possession, collection, capture, purchase, and receipt of biometric data, which is information derived from biometric identifiers. In the most basic terms, biometric identifiers refer to either measurable biological characteristics (fingerprints, retina scans, and scans of hands or face geometry) that can be used for identification or the automated method of recognizing an individual based on those characteristics. BIPA was passed to help protect against the rising risk of identity theft caused in part by the growing use of biometric technology to facilitate financial transactions and security screenings. Unlike a stolen credit card or compromised Social Security number, an individual’s biometric identifiers are unique to the individual and cannot be canceled or replaced. Protection of biometric data focuses on the right of individuals to control their irreplaceable personal information.
BIPA defines biometric information as data gathered from “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Under BIPA, private companies that use biometric data must maintain a written policy as well as retention and destruction schedules. Additionally, a company may not collect, capture, purchase, receive through trade, or otherwise obtain biometric data unless the company provides written notice and receives a written consent executed by the individual whose biometric data is to be collected. The law requires that the company detail the type of information gathered and disclose that the company will store the data on a database and explain the reason behind the data collection. A failure to comply with BIPA’s requirements exposes a company to litigation and potential liability.
BIPA creates a private right of action for any person aggrieved by a violation of the statute and provides for a prevailing party to recover for each violation the greater of actual damages or liquidated damages of $1,000 against an entity for a negligent violation, and $5,000 for intentional or reckless violations, in addition to reasonable attorney’s fees and costs.
The statute does not specify whether BIPA claims accrue only at the time an individual’s biometric data is first collected or every time an individual’s biometric data is collected. BIPA also does not include its own statute of limitations. BIPA plaintiffs have argued the five-year catch-all limitations period (735 ILCS 5/13-205) should apply to BIPA claims; defendants have argued the one-year statute of limitations for privacy claims (735 ILCS 5/13-201) or the two-year statute of limitations for personal injuries or violations of statutory penalties (735 ILCS 5/13-202) should apply. The potential to aggregate BIPA penalties on a class-wide basis over a substantial period of time has made BIPA an attractive statute for the plaintiffs’ class-action bar.
The Illinois Supreme Court is expected to decide the claims accrual issue and applicable statute of limitations period in Cothron v. White Castle System, Inc. (7th Cir. 2021) and Tims v. White Castle System, Inc. (Ill. 2022), respectively.
Judicial Construction of BIPA
The Illinois Supreme Court has already issued other significant decisions since the enactment of BIPA. Rosenbach v. Six Flags Entertainment Corp. (Ill. 2019), which concerned the notice and consent requirements of BIPA, is likely the most significant decision because the court interpreted BIPA to permit lawsuits even if an individual suffered no actual damages as a result of a technical BIPA violation.
In Rosenbach, the amusement park collected patrons’ fingerprints to facilitate entry to the park of season pass holders. A pass holder filed suit against the park for the unlawful collection of her son’s biometric data without providing the requisite notice or obtaining consent. The question before the Illinois Supreme Court was whether the alleged statutory violation in and of itself qualified the patron as an “aggrieved” individual entitled to file a private action under BIPA.
In answering this question, the court explained that BIPA generally protects individuals’ “right to privacy and control” over their biometric data, and that the notice and consent provisions of BIPA define the contours of that right. Accordingly, the court held that a violation of one of those provisions “aggrieves” an individual within the meaning of BIPA. In other words, an individual may file a BIPA lawsuit without showing an actual injury caused by a technical violation. Following the court’s decision in Rosenbach, the amusement park ultimately agreed to settle the case on a class-wide basis and pay up to $36 million to class members.
The court’s decision in McDonald v. Symphony Bronzeville Park, LLC (Ill. 2022) is also notable. In McDonald, the court held that a claim for statutory damages for BIPA violations is not compensable under the Illinois Workers’ Compensation Act (IWCA), and, therefore, is not barred by the exclusivity provision of the act.
In McDonald, the plaintiff filed a putative class action against her former employer, alleging violation of the written policy and notice and consent provisions of BIPA relating to the collection, use, and storage of fingerprints through the employer’s authentication and timekeeping systems. The plaintiff had included claims of mental anguish and negligence in her original complaint, but withdrew those allegations with the filing of an amended complaint. The amended pleading, filed in response to the employer’s motion to dismiss, limited the plaintiff’s allegations to technical statutory violations of BIPA and to its statutory remedies. The employer moved to dismiss the amended complaint on the grounds that the IWCA preempts claims by an employee against an employer from statutory rights for damages, including damages under BIPA. The trial court rejected the preemption defense and denied the motion to dismiss. The court held that an injury arising from the loss of the ability to maintain privacy rights is distinguishable from the psychological and physical injuries recoverable under the IWCA, and, therefore, is not compensable under the act. The Illinois Appellate Court for the First District reached the same conclusion. The Illinois Supreme Court granted the employer’s petition for leave to appeal to address the IWCA preemption defense, agreed with the decision of the First District, and held that BIPA claims are not preempted by the IWCA.
Class-Action Trends and Copycat Legislation
The rejection of the IWCA preemption defense, combined with the significant amount of available statutory damages without a showing of actual damages and the potential “per scan” or continuous violation ruling from the Illinois Supreme Court, would exponentially increase liability exposure for BIPA violations, extend BIPA’s limitations period (whether the limitations period is one or five years or something in between), and make biometric class actions an even more attractive target for the plaintiffs’ class-action bar. The $228 million jury award in the BNSF litigation and other multimillion-dollar class-action settlements add to this appeal.
Businesses that use biometric technology should expect a surge of class-action biometric privacy law claims. This expectation is not limited to companies doing business in Illinois; it applies to any business that uses biometric technology because other states are following the lead of Illinois and taking steps to enact their own biometric privacy laws. For example, earlier this year, California, Kentucky, Maine, Maryland, Massachusetts, Missouri, and New York introduced legislation generally based on BIPA’s statutory framework. Additionally, Washington and Texas previously enacted biometric privacy laws, albeit without a private right of action—only the state attorneys general can file a lawsuit or sanction a business for violations. This limitation narrows the scope of litigation in these two states.
However, the potential liability exposure remains significant, as aptly demonstrated by the lawsuit recently filed by Texas Attorney General Ken Paxton against Google. The lawsuit, which was filed only a few weeks after Google agreed to pay $100 million to settle a BIPA class action, alleges that Google violated Texas’s Capture or Use of Biometric Identifier (CUBI) Act by capturing millions of users’ facial and voice data without consent. The suit seeks injunctive relief and imposition of civil penalties of up to $25,000 per violation of CUBI—a potentially staggering amount given the millions of Texan users referenced in Paxton’s complaint for whom he seeks redress.
To illustrate, the $228 million verdict in the BNSF case was based on BIPA’s $5,000 statutory damages per intentional or reckless violation, multiplied by 45,600 putative class members. A damages award of $25,000 per CUBI violation multiplied by millions of Texan users would result in a multibillion-dollar award. As they say, “Everything’s bigger in Texas!”
Best Practices
Biometrics privacy litigation is the newest trend in class-action litigation. BIPA class claims and litigation will likely increase due to the recent $228 million jury verdict and high-dollar class-action settlements. Given the increasing focus on biometric privacy issues in other states, businesses should expect that legislation like BIPA will pass in other jurisdictions with class claims and litigation to follow. Businesses employing biometric technologies, directly or indirectly, should remain cognizant of biometric privacy laws and implement an effective compliance program to minimize legal risks and potential liability.