2022 has been a record year for Illinois Biometric Information Privacy Act (“BIPA”) litigation. Since its enactment in 2008, BIPA has been one of the most litigated privacy-related laws with some of the highest penalties. However, it wasn’t until last month that the first BIPA jury verdict was ever rendered.  The award, a whopping $228 million, cements BIPA as one of the most important laws for businesses to be aware of when shaping their privacy practices.  Indeed, companies should take note, because the settlement amounts in BIPA lawsuits are dwarfing fines from US regulators. 

Notwithstanding, 2022 has provided much needed insight on questions that will continue to shape BIPA litigation including the extent of coverage, vicarious liability, its territorial scope, when claims accrue, and the statute of limitations.

Who is covered by BIPA?

BIPA exempts certain types of entities, namely, organizations that are governed by certain federal laws including the X-Ray Retention Act, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the Gramm-Leach-Bliley Act (“GLBA”). 740 ILCS 14/25(b)-(c). But the scope of those exemptions continue to be defined.  A recent opinion from the Northern District of Illinois suggests that, in the GLBA context, that exemption may be read broadly.

The U.S. District Court for the Northern District of Illinois recently dismissed a case against DePaul University for its use of testing software, finding that public universities that participate the U.S. Department of Education’s Federal Student Aid Program are “financial institutions” governed by GLBA. To determine whether DePaul was a financial institution under GLBA (and therefore exempt from BIPA), the court had to determine whether it was “significantly engaged in financial activities.” To that end, the court considered other court decisions and guidance from the Federal Trade Commission, which stated colleges and universities are financial institutions for GLBA purposes because they are “significantly engaged in lending funds to consumers.”  Perhaps more surprising, however, is that the allegations in the BIPA complaint were not connected to DePaul’s federal student aid program, they were regarding DePaul’s use of testing software. 

The big takeaway here is that even businesses that are not primarily engaged in financial services may still find themselves covered by GLBA and shielded from BIPA because “significantly [engaged] means something less than primary.” Powell v. DePaul University, Case No. 21C3001 at 5 (N.D. Ill Nov 4, 2022). In other words, even if financial services isn’t the primary purpose of an entity, it may still fall under GLBA rather than BIPA.

Vicarious Liability

In October, a jury in the U.S. Court for the Northern District of Illinois awarded $228 million to plaintiffs in their suit against BNSF Railway Company.  Richard Rogers v. BNSF Railway Company (Case No. 19-C-3083, N.D. Ill.). Plaintiffs alleged that BNSF unlawfully scanned trick drivers’ fingerprints for identity verification purposes upon visiting BNSF rail yards. The crux of the claim was that BNSF did not provide notice or consent prior to scanning the drivers’ fingerprints as required by BIPA. In its defense, BNSF claimed that its third-party vendor, not BNSF itself, actually scanned and processed the fingerprints and that the vendor therefore had the obligation to provide notice and consent.

Here, the court addressed one of the most pressing questions that arise in the BIPA context: Who has the burden of providing notice and obtaining consent: The company directing the processing or the vendor that actually collects or processes the biometrics? The court found that even though the third party vendor actually collected and processed the fingerprints, BNSF was still responsible for BIPA compliance.

Another critical aspect of this case was that it actually went to trial.  In the verdict, the jury awarded damages in the amount of $5,000 per each of the 45,600 class members. This is important for several reasons.

  • The $5,000 per violation amount is the statutory penalty for reckless or intentional BIPA violations (as opposed to a $1,000 per violation penalty for negligent violations). This suggests that a “reckless” or “intentional” threshold is not necessarily a steep one, even where the defendant is not actually the party that collects/processes the data.
  • The $5,000 damages amount was awarded once per class member, as opposed to once per collection per class member.

Territorial Scope

On the applicability front, the U.S. District Court for the Western District of Washington granted summary judgment in two separate class actions brought by the same plaintiffs against Amazon and Microsoft respectively. In both actions, the plaintiffs claimed that Amazon and Microsoft used plaintiffs’ photos purchased from IBM’s facial recognition platform to train their own facial recognition technologies without providing notice and obtaining informed consent.

In granting summary judgment for the defendants in both actions (although the order in the Amazon case is still sealed), the court explained that BIPA does not apply to conduct that occurred outside Illinois. As a matter of law, state statutes do not have extraterritorial effect unless explicitly stated in the statute. BIPA does not contain this express provision, so it does not apply extraterritorially. In determining the location of the conduct, the court ultimately found that the plaintiffs did not provide sufficient evidence to demonstrate that the alleged violations occurred “primarily and substantially” in Illinois.

In both cases, the crux of the action (the actual processing and analyzing of the data) took place at data centers in Washington (where both defendants are headquartered) and New York. This may signify that that a successful BIPA suit may require more than merely plaintiffs based in Illinois. Rather, plaintiffs may need to show that the business may need to have some operations within Illinois or at the very least, intentionally target Illinois residents. (In contrast, BNSF, discussed above is headquartered in Texas but operates at least four (4) facilities in Illinois where the fingerprints of Illinois plaintiffs were collected.)

Open Questions

There are still several pending cases that are expected to address claims accrual and BIPA’s statute of limitations. Here are some cases to watch out for in the next few months:

  • Cothron v. White Castle Sys., 20 F.4th 1156 (7th Cir. 2021). The central issue in Cothron is claims accrual i.e., whether BIPA claims accrue once, at the first instance of collection per class member; or multiple times, at each instance of collection per class member.
  • The court in Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, addressed the question of statute of limitations for BIPA claims. The question stems from the fact that BIPA itself does not have a statute of limitations attached to its private right of action. In response, plaintiffs have claimed the period should be five years under section 13-205 of Illinois’ Code of Civil Procedure (for damages related to “all civil actions not otherwise provided for”) whereas defendants have claimed that the one-year period in section 13-201 of Illinois’ Code of Civil Procedure (for damages related to violating the right of privacy) should apply. In September 2021, the court found that the five-year statute of limitations applies to violations related to the sale and disclosure of biometric data and the one-year statute of limitations shall apply to violations related to the collection and storage of biometric data. The defendants appealed in January of this year and the appeal is still pending before the court.

Takeaways

These are the most important points to take away from recent BIPA litigation:

  • The settlements and verdicts are big, like really big, often over 100 million dollars.
  • Courts recognize vicarious liability in BIPA claims where a company that directs the collection and processing of biometric identifiers and biometric information is ultimately responsible for BIPA compliance.
  • Claims accrual has not been completely settled.
  • BNSF should not be read to preclude any claims against vendors that collect and process biometric identifiers and biometric information.
  • Successful BIPA claims require more than merely Illinois resident plaintiffs; rather, there must be sufficient evidence that the wrongful conduct occurred in Illinois.
  • There may be different statutes of limitations based on the type of alleged violation.