Developments in the law have increased the potential liability that companies could face under the Illinois Biometric Information Privacy Act (BIPA), but fortunately for policyholders, Illinois case law has also solidified coverage for BIPA claims under the Commercial General Liability (CGL) policies they already have.
As BIPA claims make their way through the courts, the range of potential liability under the statute has grown.
BIPA generally bars private entities from collecting, capturing, purchasing, receiving, or otherwise obtaining a person’s biometric information without obtaining that person’s advance, informed consent (see 740 ILCS 14/15(b)), and grants a private right of action to individuals who are “aggrieved” by a violation of the statute, entitling them to recover liquidated or actual damages (whichever is greater) as well as attorneys’ fees and costs (see 740 ILCS 14/20). For negligent violations, liquidated damages are $1,000, and for intentional or reckless violations, liquidated damages are $5,000. See id. Claims under the statute are subject to a five-year statute of limitations. Tims v. Black Horse Carriers, Inc., 2023 IL 127801, ¶ 37 (Feb. 2, 2023).
In late 2022, the first BIPA case to proceed to trial, Rogers v. BNSF Railway Co., resulted in a $228 million verdict against the defendant. That suit was brought on behalf of a class of 45,600 truck drivers whose fingerprints were scanned and stored and used for entry at BNSF’s facilities. Rogers v. BNSF Ry. Co., No. 19 C 3083, 2023 WL 4297654, at *2 (N.D. Ill. June 30, 2023). BNSF was found to have not obtained consent for the collection of those fingerprints. Id. At trial, the jury found that BNSF had recklessly or intentionally violated BIPA 45,600 times, i.e. one violation per class member. Id. at *4. The court multiplied the 45,600 violations by the $5,000 liquidated damages amount for reckless or intentional violations and entered judgment for the plaintiffs in the amount of $228 million. The court subsequently denied BNSF’s motion for judgment as a matter of law that BNSF did not act intentionally or recklessly. Id. at *6-7. The court found that it was not “unreasonable for the jury to infer conscious disregard to utter indifference” based on evidence that BNSF continued to collect biometrics for nearly a year after it learned that doing so might violate BIPA. Id. *7. On June 30, 2023, the court granted BNSF’s motion for a new trial limited to damages based on a finding that the $1,000 and $5,000 liquidated damages amounts set out in the BIPA statute are discretionary caps, and damages should thus be determined by the jury. Id. at *7-10. While this case is still pending, it puts potential defendants on notice that their liability may not be limited to the “negligent” violation level.
The Illinois Supreme Court has also substantially expanded the range of potential liability under BIPA by holding in Cothron v. White Castle Sys., Inc., 2023 IL 128004, ¶ 1 (July 18, 2023) that a “separate claim accrues under [BIPA] each time a private entity scans or transmits an individual’s biometric identifier or information in violation of [BIPA].” In contrast to the one-violation-per-claimant calculation applied in BNSF, each scan of the same claimant would constitute a separate violation that is potentially subject to a separate award of liquidated damages. Id.
While the Cothron court also recognized that damages under BIPA are discretionary rather than mandatory, id. at ¶ 43, its holding has an enormous impact on the potential number of violations that could be asserted against defendants. For example, while the plaintiffs in BNSF are not being permitted to assert a one-violation-per-scan theory in their new trial because the court found that plaintiffs had not adequately disclosed that theory, plaintiffs asserted that such a theory would have raised the number of violations from 45,600 to 1,171,608. At the $5,000 per violation level, the maximum liquidated damages would be over $5.8 billion. In another case, the Northern District of Illinois recently certified a class that is alleging that 2,620 people who used a biometric timeclock were scanned 2,439,412 times during the class periods. Tapia-Rendon, et al. v. United Tape & Finishing Co., et al., No. 21 C 3400, 2023 WL 5228178, at *3 (N.D. Ill. Aug. 15, 2023). At the $5,000 per violation level, that number of violations would mean maximum liquidated damages would be over $12 billion.
It remains to be seen what level of damages will ultimately imposed for BIPA violations, but the risk faced by defendants is clearly substantial.Continue Reading BIPA Liability: Existing CGL Coverage May Provide a Lifeline for Policyholders