A federal judge in the Northern District of Illinois vacated a $228 million damages award issued following the first-ever jury verdict in an Illinois Biometric Information Privacy Act (Privacy Act or BIPA) class action and ordered a new trial on the issue of damages. However, in doing so, the judge refused to overturn the jury’s finding that the company’s Privacy Act violations were intentional or reckless.

Quick Hits

• An Illinois federal judge vacated a $228 million damages award issued after the first-ever jury verdict in an Illinois Privacy Act class action.
• The judge held that damages under the Privacy Act are discretionary and should be determined by a jury.
• The judge refused to overturn the jury’s findings that the company’s violations were intentional or reckless even though the company contracted with a third party to install and manage the biometric technology at issue.

In the June 30, 2023, ruling, the federal district court judge determined that there was sufficient evidence presented to the jury to find that the company was directly or vicariously liable for Privacy Act violations and to find that those violations were intentional or reckless. The judge further ruled that Privacy Act damages are discretionary and “that a damages award after a finding of liability is a question for the jury.” As such, the judge granted the company’s post-trial motion for a new trial on the issue of damages, which according to court records is set to commence in October 2023.

Background

In October 2022, a federal jury found that a company had violated the Privacy Act at least 45,600 times over a six-year period with the use of a fingerprint-scanning automated gate system for third-party truck drivers to gain access to four of the company’s Illinois facilities. The system, which the company contracted with a third-party entity to install and manage, required the drivers to scan their fingerprints to verify their identity and gain access to the facilities. The system allegedly did not collect informed, written consents from the drivers as required by the Privacy Act. According to the decision, testimony at trial indicated that the company left legal compliance to that third-party entity even though it was run by only two individuals and did not have in-house legal counsel.

The jury determined that the company itself could be held liable under the Privacy Act and that its violations were intentional or reckless. The judge assigned to the case then awarded $5,000 in statutory damages for each intentional or reckless violation, totaling $228 million ($5,000 multiplied by 45,600 violations.)

The company filed a post-trial motion seeking to overturn the jury’s verdict, or in the alternative, to alter or amend the sizable damages award.

Privacy Act

The Illinois Privacy Act, passed in 2008, prohibits the use, collection, and storage of biometric data, including fingerprint scans without written, informed consent prior to obtaining biometric data. Section 20 of the Privacy Act states that “[a]ny person aggrieved by a violation” of the act “shall have a right of action” in which “[a] prevailing party may recover [damages] for each violation.” Specifically, Section 20 states that a prevailing party may recover the greater of either actual damages or statutory damages in the amount of $1,000 for each negligent violation or $5,000 for each intentional or reckless violation.

Discretionary Damages

In awarding damages, the judge had interpreted Section 20 to mean that a prevailing party could recover the greater of either actual damages or $1,000 or $5,000 per violation in statutory damages depending on the level of intent found by a jury.

In vacating that award, the judge pointed to the subsequent February 2023 ruling by the Supreme Court of Illinois in Cothron v. White Castle. In that case, the Illinois Supreme Court held that Privacy Act claims accrue on each and every scan or collection, but in doing so, observed that a judge has the discretion to fashion damages so as not to result in “annihilative liability.” The judge in the present case stated that this observation “suggests how the Illinois Supreme Court is likely to rule if it were to address this question [of Privacy Act discretionary damages] in the future.”

The plaintiff in the present case had argued that the discretion referred to in Cothron is only meant to apply in situations where multiple repeated violations would lead to “astronomical” damages. The judge disagreed, stating that would mean discretion over damages would apply only when the cumulative number of each claimant’s alleged violations could lead to “annihilative damages” for defendants.

The judge stated that the use of the word “may” and “each violation” in Section 20 clearly indicates “that to the extent that damages are discretionary, the discretion does not depend on the number of violations.” The judge concluded that damages under the Privacy Act are discretionary, and “a damages award after a finding of liability is a question for the jury.”

Intentional or Reckless

Drawing reasonable inferences in the prevailing party’s favor, the judge declined to conclude that the company “could not have acted recklessly because it did not know of a law that, at the time of the first violations at issue, had been in effect for at least six years.”

The judge highlighted specific points of evidence that leaned toward its reckless intent, specifically that the company: “(1) sought proposals from vendors for an automated gate system, (2) required that the system include biometric capabilities, (3) licensed the software and purchased the hardware and servers used to capture the data, and (4) owned—or at least led [the third-party operator] to believe it owned—the biometric data.”

Further, the judge also pointed out that the company, despite having its own legal department, “outsourced compliance” to the third-party operator, knowing that it was “a newly formed, two-person operation.” According to the ruling, testimony at trial had revealed that neither the company nor the third party put a system in place to obtain consents from the drivers. The judge noted that the company continued to collect drivers’ fingerprints without obtaining informed consents for nearly one year after being sued and learning that there were potential compliance concerns with the system under the Privacy Act and only appeared to stop due to the COVID-19 pandemic. (The difficulty in finding a workable system to collect consents from third-party drivers likely contributed to the delay and eventual decision to stop the use of biometrics.)

Next Steps

It is not clear whether a jury will ultimately uphold the $228 million damages award in the case, but the ruling is nevertheless significant in that it suggests that damages are not simply a strict calculation of a statutory damages amount multiplied by the number of violations. This is especially important for companies following the Cothron ruling, which found that Privacy Act violations accrue on each scan. With violations occurring per scan, which may occur regularly (potentially multiple times per day), and a five-year statute of limitations, Privacy Act damages have the potential to skyrocket, which could also open the floodgates for more Privacy Act class actions.

While the holding is not binding on Illinois courts, the ruling highlights the language from the Cothron decision suggesting that Privacy Act damages are discretionary. That interpretation may be persuasive on other courts to hold that juries should fashion “appropriate” damage awards in Privacy Act class actions.

The ruling further underscores how a company’s failure to ensure there was a system in place to obtain requisite consents under the Privacy Act may be considered “reckless.” Companies in Illinois may want to review their use of biometric technology in light of this ruling.