Privacy Litigation 2022 Year in Review: Biometric Information Privacy Act (BIPA)
Privacy Litigation 2022 Year in Review: Biometric Information Privacy Act (BIPA)
In 2022, Illinois’s Biometric Information Privacy Act (BIPA) litigation was bustling. Defendants in BIPA cases ranged from pharmacies, insurance companies, and social media platforms to software companies, schools, and airlines. Even with the steady stream of opinions in 2022, key questions about BIPA’s scope remain open for future interpretation.
In 2022, at least 90 court rulings referenced BIPA, a rise from the 74 rulings in 2021. Although there were no substantive decisions issued from any United States Court of Appeals, federal district courts issued 85 rulings. Illinois issued the most federal decisions, but we saw an increase in federal court decisions outside of that state, with five from Washington, one from Wisconsin, one from New York, one from Florida, one from Alabama, and three from California.
The range of BIPA settlement amounts broadened in 2022. Final class-wide settlements were approved in the range of $250,000[1] to $100 million,[2]an expansion from the 2021 range of $1.6 million to $10 million.[3] Notably, the first BIPA privacy class action trial resulted in a $228 million jury verdict.[4]
In 2022, the first class action jury trial on BIPA claims took place in the Northern District of Illinois. Rogers v. BNSF Railway Co. involved allegations that the defendant required plaintiffs to scan their fingertips to access the company’s facilities in violation of BIPA’s Section 15(b) requirements.[5] Plaintiffs argued that the defendant failed to obtain written consent, inform the plaintiff truck drivers about the data collection purpose, and publish a data collection and retention policy.[6] The defendant did not collect the biometric data itself, but hired a third-party vendor to maintain the scan technology.[7]
The Northern District of Illinois ruled on a motion in limine that the defendant could be liable under BIPA for the acts of the third-party vendor it hired to collect biometric data.[8] The court reasoned that Illinois statutes are interpreted under principles of common law, which imposes vicarious liability unless the statute “clearly and plainly” precludes it.[9] The court held that because BIPA does not contain an express statement that abrogates common law vicarious liability principles, a corporation can be liable for the BIPA violations of its agents, including non-employees.[10]
Furthermore, in addition to prohibiting the collection or capture of biometric information, Section 15(b) also prohibits purchasing, receiving through trade, or otherwise obtaining any individual’s biometric data. Because the defendant hired the third party for the purpose of collecting biometric data and could require the third party to provide the defendant with the data collected, the court found that defendant could be directly liable for BIPA violations.[11]
The jury found that the defendant violated BIPA 45,600 times and awarded plaintiffs $5,000 per violation, resulting in a $228 million verdict calculated on a per-class member basis.[12] Following the verdict, the defendant filed a renewed motion for judgment as matter of law and motion for new trial on November 19, 2022.[13] The plaintiff filed a motion to amend the judgment to increase the statutory damages, arguing that each fingerprint scan captured without consent constitutes a separate violation of BIPA and seeking entry of judgment in the amount of $648 million (in other words, one violation per fingerprint scan).[14] These post-trial motions remain pending.
BIPA Section 15(a) addresses the development of a data retention policy. Mora v. J&M Plating, Inc. addressed the issue of the proper timing for implementation of data retention and destruction schedules.[15]
In 2014, the plaintiff used the defendant’s fingerprint scan system to clock into work.[16] The defendant then established a data retention schedule in 2018, which the plaintiff signed.[17] After the plaintiff was terminated, they filed a class action lawsuit in 2021, alleging that the defendant collected, stored, and used employee fingerprints without first publishing a retention and destruction schedule in violation of BIPA.[18]
The Illinois Second District Court of Appeals held that private entities are required to develop a written data retention and destruction schedule before or at the time they initially possess an individual’s biometric data.[19] Thus, the court ruled that the plaintiff’s consent in 2018 did not apply retroactively when defendant failed to implement a data retention schedule prior to its collection of the plaintiff’s biometric data.[20]
In 2022, the Illinois Supreme Court rejected the argument that BIPA was preempted by the Illinois Worker’s Compensation Act. In McDonald v. Symphony Bronzeville Park, LLC, employees of a nursing home alleged that their employer violated BIPA through the practice of using employee finger scans for timekeeping.[21] The defendant argued that BIPA was preempted because the violation occurred during work hours, and plaintiffs could seek relief only under the Illinois Workers’ Compensation Act.[22]
The court held that because the purpose of the Workers’ Compensation Act and BIPA are different, the Act did not preempt plaintiffs’ BIPA claims.[23] The court reasoned that the personal and societal injuries compensable under BIPA are “different in nature and scope from the physical and psychological work injuries” that are compensable under the Workers’ Compensation Act.[24] Further, the court determined that allowing the Worker’s Compensation Act to preempt BIPA would be contrary to BIPA’s legislative intent because the legislature had accounted for BIPA’s application to the employment context.[25]
Right at the end of the year, the Illinois First District Court of Appeals determined that a defendant’s face and fingerprint scan tools did not violate BIPA when the plaintiffs’ biometric information was solely stored on their own device,[26] the plaintiffs were in control of the retention of their data,[27] and they had the option to opt-out of participating in scans.[28] In Barnett v. Apple, plaintiffs alleged that defendant violated BIPA Section 15(a) by offering users the option to use face and fingerprint recognition features without first implementing a written policy regarding the retention and destruction of users’ biometric data, as well as Section 15(b) by failing to obtain users’ written consent.[29] The court held that defendant did not take possession, capture, or collect any biometric data within the meaning of BIPA[30] because the fingerprint and face scans never transferred to the defendant’s servers and remained on each user’s device.[31]
The Illinois Supreme Court is currently considering key claim accrual and statute of limitations issues. In Cothron v. White Castle System, the Illinois Supreme Court is set to decide if each fingerprint scan of an individual and each transmission of such a scan is a “distinct and separately actionable” violation of Section 15(b) and Section 15(d), respectively.[32] The Illinois Supreme Court held oral argument on May 17, 2022.[33]
In Tims v. Black Horse Carriers, the court is reviewing the prior appellate court ruling that BIPA Sections 15(c) and (d) claims have a one-year statute of limitations period and that Sections (a), (b), and (e) claims have a five-year statute of limitations period.[34] In Tims, the defendant argued that a one-year statute of limitations period applies to all BIPA claims.[35] The Illinois Supreme Court heard oral argument on September 22, 2022.
2023 is set to be another active year for BIPA litigation.
[1] See Sherman v. Brandt Industries USA LTD, No. 1:20-cv-01185-MMM-JEH (C.D. Ill. July. 26, 2022) (EFC No. 85, Final Approval of Settlement).
[2] See Rivera v. Google LLC, No. 2019-CH-00990 (N.D. Ill. Sept. 28, 2022) (EFC No. 267, Final Approval of Settlement).
[3] See Rapai v. Hyatt Corp., No. 17-CH-14483 (Ill. Ct. Cl. Oct. 30, 2017); Roach v. Walmart, Inc., No. 2019-CH-01107 (Ill. Ct. Cl. Jan. 18, 2019).
[4] See Rogers v. BNSF Ry. Co., No. 1:19-cv-03083 (N. D. Ill. Oct. 12, 2022) (EFC No. 225).
[5] Rogers v. BNSF Ry. Co., No. 1:19-cv-03083, 2019 WL 5635180, at *1 (N.D. Ill. Oct. 31, 2019).
[6] Id.
[7] Id.
[8] Rogers v. BNSF Ry. Co., No. 1:19-cv-03083, 2022 WL 4465737, at *3 (N.D. Ill. Sept. 26, 2022).
[9] Id. at *2.
[10] Id.
[11] Id.
[12] Rogers v. BNSF Ry. Co., No. 1:19-cv-03083 (N.D. Ill. Oct. 12, 2022).
[13] Rogers v. BNSF Ry. Co., No. 1:19-cv-03083 (N.D. Ill. Nov. 9, 2022) (ECF No. 235).
[14] Rogers v. BNSF Ry. Co., No. 1:19-cv-03083 (N.D. Ill. Nov. 9, 2022) (ECF No. 236).
[15] Mora v. J&M Plating, Inc., 2022 IL App (2d) 210692, ¶ 1 (2022).
[16] Id. ¶ 13.
[17] Id.
[18] Id.
[19] Id. ¶ 39.
[20] Id. ¶ 13.
[21] McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, ¶ 1 (2022).
[22] Id. ¶ 33.
[23] Id. ¶ 43.
[24] Id.
[25] Id. ¶ 45.
[26] Barnett v. Apple Inc., 2022 IL App (1st) 220187, ¶ 43 (2022).
[27] Id. ¶50.
[28] Id. ¶44.
[29] Id. ¶18.
[30] Id. ¶57.
[31] Id. ¶44.
[32] Cothron v. White Castle Sys., Inc., No. 20-3202, 2021 WL 5998537, at *1 (7th Cir. Dec. 20, 2021).
[33] Id.
[34] Tims v. Black Horse Carriers Inc., 2021 IL App (1st) 200563, ¶ 5 (2021).
[35] Id.