As we discussed, the Tims and Cothron decisions made BIPA an unwieldly monster for Illinois employees. The Illinois Supreme Court in Tims held that a 5 year statute of limitations applies to BIPA claims and, in Cothron, the court held that a BIPA violation accrues with each unauthorized use of a biometric device. BIPA allows statutory damages amounts of $1,000 per violation for negligent violations and $5,000 per violation for intentional or reckless violations. Applied to the Rogers case in which Judge Kennelly used the $5,000 reckless standard, the statutory damages award under the Cothron method would have multiplied considerably from the $228 million. In Rogers, the jury held that 45,600 individuals had their biometric information used in violation of the Act, but the number of distinct violations was not calculated.
However, in June 2023, Judge Kennelly vacated his $228 million damages award upon further argument of this issue. He held that the jurors should have determined the award, not the court. Judge Kennelly set the case for a second trial on the issue of damages only. On one hand, this was a tremendous victory for BNSF – the $228 million award disappeared. On the other hand, a damages trial subject to the Illinois Supreme Court’s Cothron interpretation of BIPA could subject BNSF to an even greater damages award (45,600 individuals multiplied by the number of times each individual used the biometric device, multiplied again by the amount of damages the jury could award for each violation).
Considering the legal developments of the Rogers case and the Tims and Cothron decisions in the last year and half, the BIPA landscape still presented risks for both the Rogers class action plaintiffs and BNSF. As a result, the parties agreed to a $75 million settlement in lieu of a damages trial. The settlement amount will be divided between the 46,500 class members after attorneys’ fees and costs.
Employers nationwide remain hopeful for legislative solutions to BIPA’s draconian damage regime, though none immediately materialized in the wake of Tims and Cothron. It has been reported, however, that the Illinois General Assembly is considering the way liability accrues under BIPA.
If you have any questions about BIPA, please reach out to Matthew Luzadder.
]]>BIPA provides statutory damages of $1,000 per violation for negligent violations of the Act and $5,000 for willful or reckless violations. This remains true even if no biometric data was lost, sold, or compromised. The mere violation of BIPA is sufficient for liability. After Cothran, an employee who uses a biometric-based time clock twice per shift (once to clock in and out, not including unpaid breaks) and works all 260 weekdays per year, would rack up $520,000 in damages for negligent violations, plus attorneys’ fees. If the employee clocks out and back in again for lunch each shift, the damages double to $1,040,000 based on the additional use of the biometric time clock. The employer’s liability further expands if a class of employees bring a BIPA lawsuit.
The Court explicitly placed the ball back in the Illinois General Assembly’s court to clarify the legislature’s intentions under the Act if the Court’s interpretation of the legislature’s intent is incorrect. Although several attempts have been made over the years, the state legislature has not successfully enacted any amendments to BIPA, first enacted in 2008, to reduce the draconian statutory penalties. Businesses with an Illinois presence hope that changes, and soon.
In short, the Court’s ruling in Cothron has drastically increased employers’ potential exposure by many multiples and will be fertile ground for litigation. This is especially true when coupled with the Illinois Supreme Court’s confirmation that BIPA claims may be brought up to five years after an alleged violation in Tims v. Black Horse Carriers, Inc. In Tims, the Illinois Supreme Court addressed the statute of limitations (i.e. the time limit to bring a legal claim) for a BIPA claim and declared that a claim may be filed within five years of the alleged violation. Parties to BIPA litigation[1] have questioned the applicable statute of limitations since the law’s enactment in 2008. The Tims holding overturns a lower court ruling that applied varying statutes of limitation to different sections of BIPA – including limitations as short as one year for violations of privacy rights but applying a longer, five-year period for claims under other provisions of the statute.
The Court held “that applying two different limitations periods or time-bar standards to different subsections of section 15 of the Act[2] would create an unclear, inconvenient, inconsistent, and potentially unworkable regime as it pertains to the administration of justice for claims under the Act.” The five-year statute of limitations is Illinois’ “catch-all” limitations period and many claims in the state are subject to shorter limitations periods, including one year for violations of privacy rights and two years for injury claims. BIPA Defendants have argued that these shorter periods applied to foreclose claims and limit damages that already appear punitive.
These decisions continue to bring clarity regarding the requirements and limitations of BIPA, but the trend has been unfavorable to employers leveraging biometric technologies. Please refer to our recent BIPA publication for discussion of the first ever jury trial in a BIPA lawsuit and third-party liability under BIPA.
BIPA and the case law interpreting it continues to favor employees and creates significant exposure for employers even in the context of negligent non-compliance. This exposure exists even when no biometric data is lost or compromised and the plaintiffs are unable to show actual injury. Given the evolving application of BIPA, pressure on the Illinois General Assembly will increase to make the potential damages proportional to violations. Businesses of all sizes argue that the application of BIPA remains “inconvenient” and “unworkable” for those employers working to comply with BIPA while leveraging a growing array of technologies that utilize biometric data for accurate time-keeping and security.
The full opinion in Tims v. Black Horse Carriers, Inc. may be found here and Cothron v. White Castle System Inc. may be found here.
[1] Including state and federal courts nationwide who are interpreting BIPA in various jurisdictions.
[2] This is the section providing for a private right of action and outlining damages.
]]>Despite BIPA’s relatively maturity, basic questions still remain as to the scope of the statute. Most pressingly, the applicable statute of limitations for violations of the Act (how many years a plaintiff has to file a lawsuit after a violation), and the number of BIPA violations that may accrue have not been decided.
What is a Viable Claim?
In 2019, the Illinois Supreme Court decided in Rosenbach v. Six Flags that a plaintiff need not suffer any real world harm to recover under BIPA and that a bare violation of the Act was enough to maintain a viable claim. In other words, a person’s biometric data need not be lost, sold, breached, or compromised. A viable claim arises when a company fails to maintain a biometric policy and/or obtain informed consent in accordance with BIPA.
Before and after Rosenbach, the threat of substantial damages awards has driven nearly every BIPA lawsuit to settle if the defendants were unable to quickly achieve dismissal of the case. Despite the uncertainty around major parts of the Act, because BIPA awards $1,000 for each negligent violation of the Act and $5,000 for each intentional or reckless violation of the Act, plus attorneys’ fees, it has long been fertile ground for the Plaintiffs bar.
The uncertainty and risks for defendants have led global power-players like Facebook and Google to settle BIPA class actions brought against them for $300 million and $100 million, respectively. Even so, these landmark settlements were, it has now been confirmed, likely worth entering to avoid the risk of a substantial jury verdict if tried on the merits.
Statute of Limitations
The statute of limitations question is expected to be answered by the Illinois Supreme Court in the pending case, Tims v. Black Horse Carriers. The Court in Tims is tasked with determining the applicable statute of limitations for BIPA cases, i.e. whether an aggrieved person must file a lawsuit within one, two, or five years after an alleged BIPA violation. Confusingly, the appellate court decision that is under review in Tims mandates that a one-year statute of limitations applies to some sections of BIPA while a five-year statute of limitations applies to other sections. Oral arguments took place in September 2022 and practitioners eagerly await a ruling from Illinois’ highest court.
Violation Accrual
In addition to the Tims case, another case pending before the Illinois Supreme Court will also have major implications for future BIPA litigation and companies’ potential liability under BIPA. In Cothron v. White Castle System Inc., the Illinois Supreme Court has been asked to determine whether a BIPA violation accrues each time an individual’s biometric information is collected or whether each plaintiff only has one claim against a company even when biometric information is collected repeatedly. This means that the Court will decide whether, for example, an employee who uses a fingerprint time clock to “punch in” to work can collect under BIPA just once, or for every time they used the time clock in violation of BIPA – $1,000 or $5,000 per punch, possibly dozens of BIPA violations per week.
Finally, a Jury Trial
In the recent jury verdict case, Rogers, BNSF Railway used an outside company, Remprex, to install and operate security screening equipment at entrances to BNSF railyards. The security equipment used individuals’ fingerprints (biometric information protected by BIPA) to grant admission to the secure facilities. Remprex collected and stored the protected biometric data and administrated the security system. Nonetheless, Judge Kennelly ruled before trial that BNSF could still be liable for BIPA violations even if BNSF was one step removed from the biometric transaction itself, i.e. BNSF was a third-party that hired Remprex to actually collect and store the biometric information (actions Remprex took on behalf of BNSF). Judge Kennelly determined that this question was not for the court to determine as a matter of law, it was for a jury to decide at a trial. The jury held BNSF responsible to the tune of $228 million.
The Rogers case confirms that third-party liability for BIPA violations is a “question of fact” that cannot be decided by a judge prior to trial. Going forward, it appears that businesses, on whose behalf biometric data is collected or obtained by a separate company, will have to go to trial to determine whether they will be liable for the third-party’s actions.
Conclusion
After the first jury trial and verdict in BIPA’s existence, comprehensive BIPA compliance and litigation protections are more crucial than ever for employers leveraging biometric technology to manage their workforce, especially those with biometric time clocks or access systems.
Employers who use biometric equipment – including devices that conduct retina scans, fingerprint scans, hand geometry recognition, facial recognition, among others – or who hire third-parties to implement or operate this equipment for them, are reminded to:
Finally tested at trial, Illinois’ BIPA has materialized into the big-money threat that national legal observers feared it to be. If you have questions about compliance and other requirements of BIPA, please contact Kelley Drye’s Chicago-based labor and employment team.
]]>Liability for breaches will vary by state law. In 2017, two Pennsylvania courts shined some light on this issue. In both cases, which involved large-scale data breaches affecting thousands of employees, the courts absolved the employers of any potential liability because either (1) they owed no duty in tort to their employees to protect PII against data breaches or (2) the employer had no express or implied contractual obligation to protect the PII. See Enslin v. Coca-Cola Co. (E.D. Pa. Mar. 31, 2017); Dittman v. UPMC (Pa. Sup. Ct. Jan. 12, 2017), reargument denied Mar. 20, 2017. It’s important to remember these laws are in their infancy and results will vary by state.
In 2016, Illinois expanded its employer data breach notification with the passage of the Personal Information Protection Act (effective January 1, 2017). See 815 ILCS 530/10(a)(2). The updates include the following:
In addition to monitoring the laws, employers should consider implementing the following: