On October 12, 2022, a federal jury in the U.S. District Court for the Northern District of Illinois concluded that a company violated the Illinois Biometric Information Privacy Act (Privacy Act or BIPA) 45,600 times over six years by collecting truck drivers’ fingerprints to verify identities without the informed, written consent the Privacy Act requires. This is the first jury verdict rendered under the Privacy Act following a spike in class action filings under the statute.
Responding to the questions assigned, the jury determined the company’s violation of the statute was intentional or reckless and that it violated the Privacy Act 45,600 times, a figure consistent with the class of independent contractor truck drivers whose fingerprints were scanned between April 4, 2014, and January 25, 2020, applying a five-year statute of limitations from the date the complaint was filed on April 4, 2019. The jury did not differentiate between pre-complaint violations and post-complaint violations. Thus, the jury seemingly based its finding on the drivers’ last actual fingerprint scan, which presumably occurred after the initial complaint was filed on April 4, 2019, rather than the date on which the company initially collected the drivers’ fingerprints.
Following the jury’s findings, the federal judge assigned to the case awarded $5,000 in liquidated damages for each intentional or reckless violation. Hence, the plaintiff-class received a judgment totaling $228 million.
What Is the Privacy Act?
The Privacy Act is an Illinois law enacted in 2008 that governs the use, collection, and storage of biometric data, including retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry. The Privacy Act contains five sections, requiring each private entity that uses, collects, or stores biometric data to:
- “develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric [data]” in their possession;
- receive written, informed consent prior to obtaining biometric data;
- refrain from “sell[ing], leas[ing], trad[ing], or otherwise profit[ing]” from biometric data;
- refrain from disclosing or disseminating biometric data, subject to certain exceptions; and
- “store, transmit, and protect from disclosure all biometric [data]” in a manner at least as protective as it “stores, transmits, and protects other confidential and sensitive information.”
The Privacy Act provides that a prevailing party may recover actual damages or liquidated damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation, whichever is greater, in addition to injunctive relief, attorneys’ fees and costs, and expert witness fees and other litigation expenses.
Privacy Act Cases Currently Pending Before the Illinois Supreme Court
Notwithstanding the findings of the jury in the above case, there are two significant Privacy Act cases pending before the Supreme Court of Illinois that will drive the outcome of pending and future actions. In Cothron v. White Castle System, Inc., the court will decide whether section 15(b) and (d) claims accrue when biometric data is first collected or disclosed or with each subsequent scan or disclosure. The questions of when a Privacy Act violation occurs or whether each scan is an individual violation will have substantial impact on the damages plaintiffs may claim. For instance, had the jury in the above case found the defendant violated section 15(b) as to each class member with each scan, the verdict could have been in excess of $100 billion, given the multiple scans of each class member during the relevant time. Likewise, if the court concludes in Cothron that a section 15(b) violation accrues with an individual’s first scan, some class members in the above case may have their claims nullified as untimely if they first provided biometric data to the company prior to April 4, 2014.
In Tims v. Black Horse Carriers, Inc., the Illinois Supreme Court will review the Appellate Court of Illinois First District’s holding that Privacy Act section 15(a), (b), and (e) claims have a five-year statute of limitations and section 15(c) and (d) claims have a one-year statute of limitations. If the court holds that a lesser statute of limitations applies, the overall number of potential class members in pending and future claims will be reduced substantially.
One significant issue unanswered by the verdict described above is what constitutes biometric data under the Privacy Act. In that case, the defendant collected, used, and stored actual fingerprint images to identify drivers. The Privacy Act explicitly includes fingerprints in the definition of protected biometric identifiers. The case, therefore, did not address systems that encrypt or convert stored fingerprints into a mathematical representation or string of numbers. This technology question remains an important, viable defense in pending Privacy Act cases.
Nonetheless, the above verdict is a wakeup call for private entities that collect, use, or store biometric data as it demonstrates the potential exposure for failing to follow the statute’s consent requirements. Furthermore, the jury’s finding that the company’s conduct was intentional or reckless may be subject to review depending on the evidence elicited at trial. A reversal of that finding to reduce the company’s conduct to negligent may reduce the penalty assessed to $1,000 per incident or $45.6 million, an incredibly hefty, but less jaw-dropping sum.
Still, companies should be mindful that the Illinois Supreme Court in Cothron could hold that entities violate the statute each time a person scans their biometric data, rather than only upon collection. That would change when Privacy Act claims accrue for purposes of the applicable statute of limitations. James Zouras, the plaintiff’s attorney who argued Cothron before the supreme court, rejected a “per scan” damages approach due to the anticipated constitutional due process problems that would ensue. For example, if an employee using a biometric time clock scans four times a day (to start and end the day and for meal breaks), the Privacy Act arguably would be violated 20 times per week or 1,040 times per year. The liquidated damages in this circumstance quickly accrue to more than $1 million per employee per year. That makes little sense when the Illinois General Assembly contemplated $1,000 for a negligent violation and $5,000 at most for an intentional or reckless violation, not multi-million dollar verdicts for individuals with no actual damages from defendant’s failure to provide informed consent under the statute.
Lastly, the company in the above case is likely to appeal certain defenses and in limine arguments rejected by the district court, including that the plaintiffs’ claims were preempted by federal statutes and regulations and that the plaintiffs failed to plead, and cannot plead, vicarious liability under the Privacy Act.
As the verdict demonstrates, defendants may be subject to substantial liability under the statute. To avoid potential Privacy Act violations and lawsuits, companies may want to ensure receipt of informed, written consent prior to collection of biometric data and comply with all other Privacy Act requirements.
Ogletree Deakins will continue to monitor and report on developments with respect to the Privacy Act cases before the Supreme Court of Illinois and will post updates on the firm’s Illinois, Class Action, and Cybersecurity and Privacy blogs as additional information becomes available. Important information for employers is also available via the firm’s webinar and podcast programs.