[co-author: Sarah Wood, Summer Associate]

Decision may provide relief from the specter of "ruinous" damage verdicts stemming from the Illinois Biometric Information Privacy Act

The U.S. District Court for the Northern District of Illinois, Eastern Division, issued an order on June 30, 2023, that may substantially alter the risk exposure for entities sued for violations of the Illinois Biometric Information Privacy Act ("BIPA"), currently the most stringent of the state biometric privacy laws and the only one with a private right of action.[1] The Court held that statutory damages under BIPA are discretionary rather than fixed in amount for each violation. In doing so, the Court vacated a damages award of $228 million and set the case for a new jury trial limited to the issue of damages. While this ruling provides some potential relief for BIPA defendants, we also want to highlight that BIPA is not the only biometric privacy law despite the attention given to it, and companies need to be mindful of other state laws focused on collecting, processing, or disclosing biometric data.

Background

BIPA is the most highly litigated biometric privacy law in the U.S. As we noted in a prior blogpost,[2] plaintiffs have filed more than 2,000 individual and class action lawsuits invoking BIPA's private right of action and seeking statutory damages of up to $1,000 per negligent violation and $5,000 per intentional or reckless violation. Adding to a defendant's plight, a plaintiff is not required to show or even allege actual harm to recover statutory damages.[3] Rather, the "violation, in itself, is sufficient to support the individual's or customer's statutory cause of action."[4] This lack of harm coupled with substantial statutory damages that can be assessed for each violation has allowed for "ruinous" damage awards.[5] These cases are now moving through the judicial system, and at least one court has taken to heart dicta in an Illinois Supreme Court ruling that an award of BIPA damages is discretionary, not mandatory.

One of these recent cases, Rogers v. BNSF Ry. Co.,[6] provides critical new insights on how statutory damages may be awarded. In Rogers, defendant BNSF engaged a vendor to install and manage gate control systems that provided third-party truck drivers with self-service access to BNSF facilities in Illinois so they could drop off and pick up freight from BNSF railcars. The gate control system allowed automated entry after scanning the drivers' fingerprints and comparing them to the registered drivers' fingerprints in the database maintained by BNSF's security vendor. However, the system registration process did not provide notice of the purpose for which the fingerprint data was being kept, require written consent from the drivers, or inform the drivers where and for how long their fingerprint data would be stored.[7]

The Rogers court concluded, pre-trial, that the plaintiffs were entitled to damages as a matter of law but instructed the jury to determine (1) the number of violations that had occurred, and (2) the level of BNSF's intent in order to select the lower or higher of the statutory damage amounts. It only took the jury about an hour to find that BNSF violated BIPA 45,600 times and that it did so intentionally or recklessly. Based on this jury finding, the judge multiplied the number of violations by $5,000 for each intentional or reckless violation and entered a $228 million judgment against BNSF.

Plaintiff and BNSF filed post-trial motions to alter or amend the judgment or for a new trial. While the post-trial motions were pending, the Illinois Supreme Court rendered its decision in Cothron v. White Castle Systems, which resolved a certified question from the Seventh Circuit specifically asking the Illinois Supreme Court to determine whether claims under BIPA "accrue each time a private entity scans a person's biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission[.]"[8] The court resolved the certified question finding that "[a] party violates Section 15(b) when it collects, captures, or otherwise obtains a person's biometric information without prior informed consent. This is true the first time an entity scans a fingerprint or otherwise collects biometric information, but it is no less true with each subsequent scan or collection." However, the court in Cothron noted that the plain language in BIPA's Section 20 appeared to leave damages to the discretion of the fact finder.[9] The Cothron court based this conclusion on the legislature's use of the mandatory phrase "shall have a right of action," compared to its use of the permissive phrase "may recover damages." [10] While the issue of discretionary damages was not before the Illinois Supreme Court, and the ruling on the issue is essentially dicta, BNSF argued that federal courts should apply a similar plain language analysis.

In late June, the Rogers court agreed by partially reversing course based in part on the Cothron dicta, noting that "[d]icta from a state supreme court is good evidence of how the court would decide an issue it has not yet directly encountered . . . . [and] offers the clearest insight into how the court would rule[.]"[11] The court upheld the jury's assessment of intent but granted BNSF's motion for a new trial on the grounds that once a finding of liability is made, the damage award is discretionary. [12] As such "BNSF is entitled to have a jury determine the appropriate amount of damages."[13] The retrial on damages is set for October 2, 2023.

Going Forward

The Rogers decision should offer a ray of hope for BIPA defendants, but much is left unclear. While this marks the first time that a trial court has held that BIPA damages are discretionary, the court offered no guidance as to what a jury might consider when exercising its discretion. This suggests that the jury could return an identical damages award, a significantly lesser award, or even a nominal award, although that is unlikely as the court left undisturbed the jury's finding that BNSF violated BIPA recklessly or intentionally.

Biometric Privacy Laws Elsewhere

BIPA draws the most litigation because of its private right of action, but companies should not forget that Washington and Texas also have biometric privacy laws enforceable by the state attorney general.[14] And Washington's new My Health My Data Act (MHMD), which takes effect next year and has onerous restrictions on the collection and use of biometric data, recognizes a private right of action but without statutory damages, as our prior blog post explains.[15] Any determination of how a company will possess, collect, and use biometric data must take laws such as these into account as well.

Sarah Wood, a rising third-year law student at Seattle University School of Law, was a 2023 Summer Associate at DWT.

[View source.]