BIPA Goes on Trial
The Illinois Biometric Information Privacy Act (BIPA) has been on the books as one of the nation’s most protective biometric privacy statutes since 2008. It was also one of the first to give individuals a cause of action for monetary damages against individuals or companies that violate the law. For the first time in the Act’s 14 year history, however, a case has been tried before a jury to a verdict. The Rogers v. BNSF trial recently wrapped up in the U.S. District Court for the Northern District of Illinois, with Judge Matthew Kennelly presiding and the $228 million verdict stunning, but not surprising, many who have been following BIPA developments.
Despite BIPA’s relatively maturity, basic questions still remain as to the scope of the statute. Most pressingly, the applicable statute of limitations for violations of the Act (how many years a plaintiff has to file a lawsuit after a violation), and the number of BIPA violations that may accrue have not been decided.
What is a Viable Claim?
In 2019, the Illinois Supreme Court decided in Rosenbach v. Six Flags that a plaintiff need not suffer any real world harm to recover under BIPA and that a bare violation of the Act was enough to maintain a viable claim. In other words, a person’s biometric data need not be lost, sold, breached, or compromised. A viable claim arises when a company fails to maintain a biometric policy and/or obtain informed consent in accordance with BIPA.
Before and after Rosenbach, the threat of substantial damages awards has driven nearly every BIPA lawsuit to settle if the defendants were unable to quickly achieve dismissal of the case. Despite the uncertainty around major parts of the Act, because BIPA awards $1,000 for each negligent violation of the Act and $5,000 for each intentional or reckless violation of the Act, plus attorneys’ fees, it has long been fertile ground for the Plaintiffs bar.
The uncertainty and risks for defendants have led global power-players like Facebook and Google to settle BIPA class actions brought against them for $300 million and $100 million, respectively. Even so, these landmark settlements were, it has now been confirmed, likely worth entering to avoid the risk of a substantial jury verdict if tried on the merits.
Statute of Limitations
The statute of limitations question is expected to be answered by the Illinois Supreme Court in the pending case, Tims v. Black Horse Carriers. The Court in Tims is tasked with determining the applicable statute of limitations for BIPA cases, i.e. whether an aggrieved person must file a lawsuit within one, two, or five years after an alleged BIPA violation. Confusingly, the appellate court decision that is under review in Tims mandates that a one-year statute of limitations applies to some sections of BIPA while a five-year statute of limitations applies to other sections. Oral arguments took place in September 2022 and practitioners eagerly await a ruling from Illinois’ highest court.
In addition to the Tims case, another case pending before the Illinois Supreme Court will also have major implications for future BIPA litigation and companies’ potential liability under BIPA. In Cothron v. White Castle System Inc., the Illinois Supreme Court has been asked to determine whether a BIPA violation accrues each time an individual’s biometric information is collected or whether each plaintiff only has one claim against a company even when biometric information is collected repeatedly. This means that the Court will decide whether, for example, an employee who uses a fingerprint time clock to “punch in” to work can collect under BIPA just once, or for every time they used the time clock in violation of BIPA – $1,000 or $5,000 per punch, possibly dozens of BIPA violations per week.
Finally, a Jury Trial
In the recent jury verdict case, Rogers, BNSF Railway used an outside company, Remprex, to install and operate security screening equipment at entrances to BNSF railyards. The security equipment used individuals’ fingerprints (biometric information protected by BIPA) to grant admission to the secure facilities. Remprex collected and stored the protected biometric data and administrated the security system. Nonetheless, Judge Kennelly ruled before trial that BNSF could still be liable for BIPA violations even if BNSF was one step removed from the biometric transaction itself, i.e. BNSF was a third-party that hired Remprex to actually collect and store the biometric information (actions Remprex took on behalf of BNSF). Judge Kennelly determined that this question was not for the court to determine as a matter of law, it was for a jury to decide at a trial. The jury held BNSF responsible to the tune of $228 million.
The Rogers case confirms that third-party liability for BIPA violations is a “question of fact” that cannot be decided by a judge prior to trial. Going forward, it appears that businesses, on whose behalf biometric data is collected or obtained by a separate company, will have to go to trial to determine whether they will be liable for the third-party’s actions.
After the first jury trial and verdict in BIPA’s existence, comprehensive BIPA compliance and litigation protections are more crucial than ever for employers leveraging biometric technology to manage their workforce, especially those with biometric time clocks or access systems.
Employers who use biometric equipment – including devices that conduct retina scans, fingerprint scans, hand geometry recognition, facial recognition, among others – or who hire third-parties to implement or operate this equipment for them, are reminded to:
- Have a written BIPA policy.
- Inform biometric users that their data will be collected, for how long, and purpose for collection and storage.
- Obtain written consent from each user in compliance with the BIPA statute.