In 2022, in the first jury trial in a Biometric Information Privacy Act (BIPA) class action lawsuit, a $228 million judgment was entered against the defendant. Richard Rogers v. BSNF Railway Company, Case No. 19-cv-03083, Dkt. No. 3868 (N.D. Ill. Oct. 12, 2022). In that case, the plaintiff alleged the defendant required truck drivers to scan their fingerprints when entering the defendant’s railyards to pick up and drop off cargo.
The jury found that the defendant violated BIPA 45,600 times — one time per each class member — by failing to provide and obtain the required informed consent. This article, the second of a three-part series, offers insights and exposition of the state of BIPA class actions in this regard. Part one of this series provided an overview of BIPA and other states’ biometric privacy laws.
BIPA provides for statutory damages of $1,000 for each negligent violation and up to $5,000 for reckless or intentional violations. When you do the math, 45,600 (per violation/class member) multiplied by $5,000 totals $228 million. However, as discussed below, a recent decision by the Illinois Supreme Court could serve as a basis to furtherincrease the award based on its statutory interpretation of damages allowed under BIPA.
In an unprecedented decision issued earlier this year, the Illinois Supreme Court held that a company can be subject to violations of BIPA each time it scans or transmits biometric data without an individual’s prior informed consent — potentially leading to financially crippling statutory damages for companies. Cothron v. White Castle Systems, 2023 IL 128004 (Ill. Feb. 17, 2023).
The plaintiff in White Castle alleged that a new claim accrued in violation of the Act each time she scanned her fingerprints, which the employer then sent to a third-party authenticator. The Illinois Supreme Court concluded that aparty violates BIPA each and every time it collects, captures, and/or transmits a person’s biometric information without prior informed consent.
While the “potential for significant damage awards under the Act” is a deterrent to companies, the court recognized the absence of legislative intent to award damages “that would result in the financial destruction of a business.” Nonetheless, the court concluded that such public-policy concerns were best left to the legislature and encouraged the state Legislature to “review these policy concerns and make clear its intent regarding the assessment of damages under the Act.” However, unless and until BIPA is modified to limit recoverable damages, companies will continue to face the threat of exponential damages.
Proposed amendments to BIPA are currently pending that would require a potential claimant to make a pre-suit demand on the company with an opportunity to cure the violation within 15 days. If the company provides an express written statement confirming that the violation has been cured within 15 days, then the company cannot be sued for individual statutory damages or class-wide statutory damages.
Notably, however, the proposed amendments do not eliminate a private right of action or limit class-wide damages. Under the circumstances, the amendments will not likely provide much solace to companies seeking to avoid potentially significant exposure.
In yet another landmark BIPA decision in 2023, the Illinois Supreme Court addressed the applicable statute of limitations that applies to BIPA claims. Tims v. Black Horse Carriers, 2023 IL 127801 (Feb. 2, 2023). In that case, the plaintiff filed a class action lawsuit against his employer for violating the statute in connection with the collection of employee fingerprints.
Specifically, the plaintiff alleged that the defendant violated BIPA because it (1) failed to institute and maintain a publicly available retention and destruction policy for biometric information as required by section 15(a) of the Act; (2) failed to provide notice and to obtain consent when collecting plaintiff’s biometric data as required by section 15(b); and (3) disclosed plaintiff’s biometric information to third parties without his consent in violation of section 15(d).
The issue before the Supreme Court was whether a one-year or five-year statute of limitations period applied to BIPA claims.
The Illinois Supreme Court agreed with plaintiffs that the five-year statute of limitations period applied to BIPA claims. First, Illinois courts routinely apply the five-year catchall limitations period when a statute lacks a specific limitations period. Second, the court opined that a shorter limitations period would “thwart legislative intent” and “prejudice those whom the Act is intended to protect.” Moreover, “it is unclear when or if an individual would discover evidence of the disclosure of his or her biometrics in violation of the Act.” In short, there is clearly a long tail on potential BIPA claims in light of the applicable five-year statute of limitations period.
In the Rogers case discussed above, the defendant attempted to shift the blame to a third-party technology vendor hired by the defendant pursuant to a contract to collect and process drivers’ fingerprints. The defendant argued that the vendor failed to follow the consent requirements under section 15(b) of BIPA, and that the defendant could not be held liable under the statute for the acts of any third party.
However, the court disagreed, finding that the defendant could be held vicariously liable for the acts of third parties under BIPA. In short, companies cannot escape liability or damages under BIPA by relying on third-party vendors to collect, process or store biometric information.
On March 23, 2023, the Illinois Supreme Court continued its recent string of BIPA rulings by addressing whether section 301 of the Labor Management Relations Act (LMRA), 29 U.S.C. § 185 preempts BIPA claims asserted by employees covered by a collective bargaining agreement. See Walton v. Roosevelt University, 2023 IL 128338 (Ill. 2023).
Section 301 of the LMRA states that suits for violations of contracts between an employer and a labor organization representing employees shall be brought in federal district court.
In the Walton case, the plaintiff, a former union employee, filed a class action against the University alleging that it collected, used, stored and disclosed employees’ biometric data in violation of BIPA. As a condition of employment, the University allegedly required employees to enroll scans of their hand geometry onto a biometric time-keeping device as a means of clocking in and out of work.
In the complaint, the plaintiff alleged that the University failed to (1) provide him with (or obtain) a release consenting to the collection and use of his biometric data, (2) provide information concerning the University’s retention policy for biometric data or (3) provide information regarding the specific purpose or length of time for which the University stored biometric data.
The University sought dismissal of the complaint on the grounds that the BIPA claims were preempted by section 301 of the LMRA. In particular, the University observed that the plaintiff was a member of a collective bargaining unit while he was employed, and thereby agreed to the terms of the Collective Bargaining Agreement (CBA) between the University and the employees’ union. The University further argued that the broad management-rights clause in the CBA governed the manner in which union employees clocked in and out of work.
The Illinois trial court denied the defendant’s motion to dismiss. The Illinois court of appeals reversed, finding that BIPA claims were covered under the CBA and preempted by federal law, citing the 7th U.S. Circuit Court of Appeals’ decision in Fernandez v. Kerry, Inc., 14 F.4th 644 (7th Cir. 2021).
In Fernandez, the 7th Circuit opined that BIPA claims by union employees were preempted by LMRA. See also Miller v. Southwest Airlines Co., 926 F.3d 898 (7th Cir. 2019) (finding that a BIPA claim was similarly preempted under the Railway Labor Act, 45 U.S.C. § 152). As such, the Illinois appellate court held that the plaintiff and other unionized employees could pursue their claims under the grievance procedures outlined in the CBA, as opposed to pursuing litigation in state court.
The Illinois Supreme Court allowed plaintiff’s petition for leave to appeal and certified the following question:
Does section 301 of the Labor Management Relations Act (29 U.S.C. § 185) preempt [BIPA Privacy Act] claims (740 ILCS 14/1 [West 2018] asserted by bargaining unit employees covered by a collective bargaining agreement?
In reliance on the 7th Circuit’s rulings in Fernandez and Miller, the Illinois Supreme Court held, “it is both logical and reasonable to conclude any dispute must be resolved according to federal law and the agreement between the parties.” As such, the Supreme Court concluded that since the parties’ CBA contained a broad management-rights clause, the claims were preempted by LMRA.
In light of the Illinois Supreme Court’s ruling in Walton, it will be an uphill battle for union employees to file BIPA claims against their employers in the face of a collective bargaining agreement containing a broad management rights clause governing the terms and conditions of employment. Of course, this decision has limited application and will not stop the steady flow of BIPA claims by non-unionized workers in the absence of a CBA.