The Illinois Biometric Information Privacy Act (“BIPA”)
Is BIPA the Proverbial “Next Big Thing”?
Plaintiffs’ lawyers are always on the lookout for “the next big thing.” It may be here. In 2008, Illinois became the first state to enact a biometric privacy law that prohibits private companies from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person’s biometric information without informing and receiving written consent. Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (West 2018) (“BIPA”). Biometric information protected under BIPA includes facial-recognition technology, fingerprint scans, iris and retina scans, palm-print readings, and voiceprints. BIPA seeks to safeguard the heightened risk of identity theft when biometrics are linked to finances and other personal information.
The exponential growth in the use of biometric data in the last decade has increased companies’ potential BIPA exposure and caught the attention of the plaintiffs’ class action bar. Possibly due to the novelty of BIPA, many companies – including some of the biggest in the world – apparently failed to appreciate the scope and onerous penalties imposed by the statute.
While states like Texas and Washington have enacted similar biometric privacy laws, BIPA is unique in that it creates a private right of action with onerous statutory fines. Anyone who violates BIPA may be subject to $1,000 fines per negligent violation, $5,000 fines per intentional or reckless violation, and attorneys’ fees and costs all with no cap. Maryland and other states have followed Illinois’ lead by including a private right of action in their biometric information privacy laws.
Currently, there are reportedly 2,000 class action lawsuits. BIPA lawsuits have resulted in some dramatic settlements. In 2020, Meta (formerly Facebook) settled a BIPA class action suit for $650M.
Potential Damages: Every Scan is an Independent Statutory Violation: On February 17, 2023, in Cothron v. White Castle System, Inc., the Illinois Supreme Court, in a 4 to 3 opinion, held that causes of action under BIPA “apply to every capture and use of a person’s fingerprint or hand scan.” In other words, BIPA claims accrue each and every single time a business scans a person’s biometric information. White Castle had introduced a system that required its employees to scan their fingerprints to access their pay stubs and computers. Thus, there was an independent BIPA violation every single time a worker scanned its fingerprints. White Castle had argued that allowing recovery of “each violation” could potentially result in “astronomical” damage awards that could constitute “annihilative liability.” The Court rejected White Castle’s argument and held that “where statutory language is clear, it must be given effect, even though the consequences may be harsh, unjust, absurd, or unwise.” Ultimately, the Court deferred to the Illinois legislature: “[W]e continue to believe that policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature.”
Are BIPA Damages Discretionary? Dicta in the Supreme Court’s White Castle opinion suggests that a trial court “would certainly possess the discretion to fashion a damage award that (1) fairly compensated claiming class members and (2) included an amount designed to deter future violations, without destroying defendant’s business.” The first ever BIPA trial that went to verdict, Rogers v. BNSF Railway Company, resulted in a $228M verdict in October 2022. The jury found BNSF liable for reckless or intentional BIPA violations. The federal court calculated damages by multiplying the statutory $5k damages times the 45,600 class members. Relying upon the Supreme Court’s White Castle damages comments, the federal court granted BNSF’s motion for a new trial in which the jury will determine the measure of damages. It is expected that BNSF will argue that there was no actual harm as there was no evidence of an actual security breach. Plaintiffs are expected to counter that BNSF is a large company that was in clear violation of the statute and the verdict needs to serve as a future deterrent.
Insurance: In the past two years, there have been dozens of state and federal opinions addressing insurance coverage issues posed by BIPA. (see BIPA Insurance Bytes summary). In May 2021, the Illinois Supreme Court ruled on the seminal Illinois insurance coverage case for underlying actions alleging violations of BIPA. West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978. The Court determined the insurer had a duty to defend because the disclosure of fingerprint data to a third party constitutes “publication” as required for “personal injury” coverage under the general liability policy. Additionally, the Illinois Supreme Court concluded coverage was not excluded by the policy’s distribution of material in violation of statutes exclusion, because it excluded coverage for statutes that regulate the method of communication, not the dissemination of information, like BIPA. Since the ruling in West Bend, the courts continue to work, on a case-by-case basis, on whether insurers have a duty to defend underlying actions that allege BIPA violations. The most common exclusions impeding coverage are the following: employment-related practices exclusion, distribution of material in violation of statute exclusion, and access or disclosure of confidential or personal information exclusion.