?A federal jury in the U.S. District Court for the Northern District of Illinois recently concluded that a company violated the Illinois Biometric Information Privacy Act (BIPA) 45,600 times over six years by collecting truck drivers’ fingerprints without the informed, written consent the law requires. This is the first jury verdict rendered under BIPA, following a spike in class-action filings under the statute.
The jury determined the company’s violation of the statute was intentional or reckless and that it violated BIPA 45,600 times, a figure consistent with the class of truck drivers whose fingerprints were scanned between April 4, 2014, and Jan. 25, 2020, applying a five-year statute of limitations from the date the complaint was filed on April 4, 2019.
The jury did not differentiate between pre-complaint violations and post-complaint violations. Thus, the jury seemingly based its finding on the drivers’ last fingerprint scan, which presumably occurred after the initial complaint was filed on April 4, 2019, rather than the date on which the company initially collected the drivers’ fingerprints.
The federal judge assigned to the case awarded $5,000 in liquidated damages for each intentional or reckless violation. Hence, the plaintiff-class received a judgment totaling $228 million.
What Is BIPA?
BIPA is an Illinois law enacted in 2008 that governs the use, collection and storage of biometric data, including retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry. The law requires private entities that use, collect, or store biometric data to:
- Receive written, informed consent prior to obtaining biometric data.
- Develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric data.
- Refrain from selling, leasing, trading or otherwise profiting from biometric data.
- Refrain from disclosing or disseminating biometric data.
- Store, transmit and protect from disclosure all biometric data in a manner at least as protective as it stores, transmits, and protects other confidential and sensitive information.
Under BIPA, individuals may recover actual damages or liquidated damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation, whichever is greater, in addition to injunctive relief, attorneys’ fees, expert witness fees and other litigation expenses.
State Supreme Court Cases
Beyond the above case, there are two significant BIPA cases pending before the Illinois Supreme Court that will drive the outcome of pending and future actions.
In Cothron v. White Castle System, Inc., the court will decide whether BIPA section 15(b) and (d) claims accrue when biometric data is first collected or disclosed, or with each subsequent scan or disclosure. The questions of when a BIPA violation occurs, or whether each scan is an individual violation, will have substantial impact on the damages plaintiffs may claim.
For instance, if the jury in the above case had found the defendant violated section 15(b) as to each class member with each scan, the verdict could have been in excess of $100 billion, given the multiple scans of each class member during the relevant time. Likewise, if the court concludes in Cothron that a section 15(b) violation accrues with an individual’s first scan, some class members in the above case may have their claims nullified as untimely, if they first provided biometric data to the company prior to April 4, 2014.
In Tims v. Black Horse Carriers, Inc., the Illinois Supreme Court will review an appellate court’s holding that claims related to BIPA sections 15(a), (b), and (e) have a five-year statute of limitations, and claims related to BIPA section (c) and (d) have a one-year statute of limitations. If the court holds that a lesser statute of limitations applies, the overall number of potential class members in pending and future claims will be reduced substantially.
Key Takeaways
One significant issue unanswered by the above verdict is what constitutes biometric data under BIPA. In that case, the defendant collected, used, and stored actual fingerprint images to identify drivers. BIPA includes fingerprints in the definition of protected biometric identifiers. The case did not address systems that encrypt or convert stored fingerprints into a mathematical representation or string of numbers. This technology question remains an important, viable defense in pending BIPA cases.
The above verdict is a wakeup call for employers that collect, use, or store biometric data, as it demonstrates the potential exposure for failing to follow the statute’s consent requirements. The jury’s finding that the company’s conduct was intentional or reckless may be subject to review, depending on the evidence elicited at trial. A reversal of that finding to reduce the company’s conduct to negligent may reduce the penalty assessed to $1,000 per incident or $45.6 million, an incredibly hefty, but less jaw-dropping sum.
Companies should be mindful that the Illinois Supreme Court in Cothron could hold that entities violate the statute each time a person scans their biometric data, rather than only upon collection. That would change when BIPA claims accrue for purposes of the applicable statute of limitations.
James Zouras, the plaintiff’s attorney who argued Cothron, rejected a “per scan” damages approach, due to the anticipated constitutional due process problems that would ensue. For example, if an employee using a biometric time clock scans four times a day (to start and end the day and for meal breaks), BIPA arguably would be violated 20 times per week or 1,040 times per year. The liquidated damages in this circumstance quickly accrue to more than $1 million per employee per year. That makes little sense when the Illinois General Assembly contemplated $1,000 for a negligent violation and $5,000 at most for an intentional or reckless violation.
To avoid potential BIPA violations and lawsuits, companies may want to ensure receipt of informed, written consent prior to collection of biometric data and comply with all other statutory requirements.
Anne E. Larson, Harry J. Secaras and Zachary A. Pestine are attorneys with Ogletree Deakins in Chicago. © 2022. All rights reserved. Reprinted with permission.
