The use of biometric information is growing by leaps and bounds. It is estimated that 245 million Americans have utilized their biometric information on their smartphones.1 Biometric information is defined as the “measurement and statistical analysis of an individual’s physical and behavioral characteristics.”2 More simply put, it is the measurable attributes and traits that make each of us unique. Examples include DNA, fingerprints, retina and iris scans, and voiceprints. The main areas of application are: (1) identification/security access, (2) employee time keeping, and (3) the technology sector.
Background in Illinois
In 2008, the Illinois General Assembly passed the Biometric Information Privacy Act (“BIPA”) by a 113‑0 vote.3 Intended as a consumer protection law to safeguard the collection, usage, and storage of biometric information, BIPA’s private right of action and mandated statutory damages have driven a different result.
Verdicts and Settlements – Rogers v. BNSF was the first BIPA class action verdict rendered.4 In October 2022, a jury determined that BNSF Railway Co. was liable for more than 45,000 violations of BIPA, and the judge calculated damages under the statutory formula to be $228 million (45,600 violations times $5,000). Separately, reported settlements include matters resolved for $35 million, $36 million, $50 million, $92 million, $100 million, and $615 million, just to name a few.5 Notably, none of the reported verdicts or settlements alleged specific instances of data breaches or identity theft. Rather, all involved alleged non-compliance with the strict statutory requirements.
Court Decisions – The legal landscape has developed rapidly since 2019, with courts holding under BIPA that:
- Recovery does not require injury-in‑fact.6
- Workers’ Compensation laws do not bar recovery.7
- A five-year statute of limitations governs BIPA claims (as opposed to one- and two‑year limitations courts previously relied on).8
- Liquidated damages accrue per scan/collection of information as opposed to per claimant.9
Illinois’ BIPA Updates
There were 250 BIPA class actions filed in Illinois in 2022.10
White Castle – On February 17, 2023, the Illinois Supreme Court issued its ruling in Cothron v. White Castle that each scan/collection of biometric information constitutes a separate BIPA violation.11 Shortly thereafter, White Castle declared that its resulting exposure in that matter could exceed $17 billion.12 As a result of the White Castle decision potentially expanding liability exponentially for BIPA violations, in the two months following the ruling BIPA filings jumped 65%.13 Overall, in the first four months of 2023 there were 180 BIPA lawsuits filed.14
Given its impact, it is worth digging into the White Castle decision a bit. Overall, the majority opinion relied upon the plain language of the statute to determine that a violation occurs upon each scan/collection of biometric information (as opposed to per claimant).15 Nonetheless, the court made special note of White Castle’s argument that such an interpretation would entangle Illinois businesses in “’astronomical’ damages awards that would constitute ‘annihilative liability’ not contemplated by the legislation and possibly be unconstitutional.”16 Further, the court noted that “the General Assembly chose to make damages discretionary rather than mandatory,” and specifically called on the Illinois legislature to “review these policy concerns and make clear its intent regarding the assessment of damages under the Act.”17 Separately, two dissenting opinions were penned and included the following:
- “I see nothing in the Act indicating that the legislature intended to impose cumbersome requirements or punitive, crippling liability on corporations for multiple authentication scans of the same biometric identifier. The legislature's intent was to ensure the safe use of biometric information, not to discourage its use altogether.”
- “The legislature never intended the Act to be a mechanism to impose extraordinary damages on businesses or a vehicle for litigants to leverage the exposure of exorbitant statutory damages to extract massive settlements.”
- “[I]n the more than 1700 cases filed since 2019, no case involved a plaintiff alleging that his or her biometric data has been subject to a data breach or led to identity theft.”18
Rogers v. BNSF Update – As stated above, Rogers v. BNSF was the first BIPA case to proceed to trial and resulted in an award of $228 million. On June 20, 2023, the court vacated the entry of judgment and ordered a new trial solely to determine damages.19 Subsequently, the parties agreed to settle, but no details have been made public to date.20
Wilcosky v. Amazon – This case involves a class action filed on behalf of all individuals that spoke to an Amazon Alexa device anywhere in the state of Illinois, alleging BIPA violations stemming from voiceprints.21 On October 31, 2023, U.S. District Judge Franklin Valderrama, although recognizing that it was a “close call,” rejected Amazon’s motion to dismiss and ruled that the case can proceed.22 Moreover, the ruling provides that even individuals who did not own a device could join the class if they spoke to Alexa just one time, on an appliance in another individual’s home, despite Amazon’s warning that such an interpretation would place “Amazon and other technology providers in an impossible position, and effectively outlaw most biometric technology in Illinois.”23
Mosby v. Ingalls Memorial Hospital – Class action was filed by a registered nurse alleging that the hospital’s finger-scan device utilized to access the medication dispensing system collected biometric information from staff in violation of BIPA.24 On November 30, 2023, in an important victory for health care providers, the Illinois Supreme Court overturned a state appeals court and ruled that a BIPA exclusion applied. After a very detailed analysis of the statutory language, the court determined that BIPA did not apply to biometric information provided by healthcare workers for treatment purposes (as opposed to employee time management).
National Fire Insurance Co. v. Visual Park Co. – Underlying class action brought on behalf of employees of a temporary staffing agency.25 Plaintiffs alleged that fingerprint scans were utilized to collect biometric information without their consent in violation of BIPA. Regarding coverage, on December 19, 2023 an Illinois appellate court affirmed the lower court’s holding and ruled that CNA did not have a duty to defend due to the application of a broad violation of law exclusion. Notably, the court referenced a Seventh Circuit decision that reached the opposite conclusion, but specifically stated that “we believe that this federal decision was wrongly decided and decline to follow it.”
Other notable developments include:
- Compliance – Businesses located or conducting business in Illinois continue to seek legal counsel and focus on compliance efforts.
- Coverage – Most of the litigation to date has been under CGL policies, but there is still much to play out, including whether coverage is ultimately sought under other lines of coverage (e.g., Directors & Officers, EPLI and Cyber).
Biometric information privacy concerns are not limited to Illinois. Other states continue to consider biometric information privacy legislation, including some versions that, similar to BIPA, allow for private rights of action.