In November 2017, while participating in a Crain's Chicago Business roundtable discussion concerning a variety of employment topics, I noted that a recent wave of class-action lawsuits under the Illinois Biometric Information Privacy Act (BIPA) presents the newest challenge to Illinois companies.
While BIPA was enacted in 2008, it wasn't until 2016 that the first few class actions started making their way through the court system. The challenge for businesses under BIPA was clear: even a negligent violation of the Act carried a $1,000 statutory penalty; an intentional violation resulted in a $5,000 penalty (both types of violations allowed for plaintiffs to recover their attorneys' fees as well). I laid out in the article the recommended action items companies should consider to best minimize the risk of BIPA liability: (i) issuing proper notice before collecting biometric identifies, (ii) obtaining written consent, and (iii) publishing robust policies for the destruction of such information.
While we could see the wave coming, we could not foresee the tsunami-sized wave of class action lawsuits that would flood the Illinois courts. The ever-increasing number of BIPA class actions can be attributed in large part to a multitude of plaintiff-friendly decisions that have been issued, including by the Illinois Supreme Court, and the fact that only a few defenses have emerged, which I discuss toward the end of this alert.
Despite the extensive litigation that has occurred over the nearly five years since that roundtable discussion, the courts have rejected numerous arguments raised by what had largely been unsuspecting companies. In its January 2019 Rosenbach v. Six Flags Ent. Corp. decision, 2019 IL 123186, the Illinois Supreme Court issued its first meaningful interpretation of the statute, holding that plaintiffs do not need to prove that they incurred actual damages to pursue a claim. That decision, rejecting a major argument raised by the defense bar, is regularly credited with significantly increasing the number of BIPA class action claims. In February 2022, the Illinois Supreme Court issued its decision in McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, rejecting another potential defense that the Illinois Workers' Compensation Act preempted BIPA claims.
As potential defenses have fallen, the list of defendants who have had to agree to substantial payments in settlements has grown exponentially – including high tech companies Facebook, Google, Snapchat and TikTok, online retailers offering virtual try-on technology (VTOT), and scores of manufacturers and other businesses who use time clocks employing fingerprint or retina scan technology to accurately capture employees clocking in and out of work.
BIPA settlements can seem astronomically expensive (some as high as $100 million), but recently a defendant learned the hard way that going to a jury trial on BIPA class claims can be even worse. What appears to be the first BIPA class action to be tried to a jury verdict occurred in October 2022 in the case Rogers v. BNSF Ry. Co. There, the jury awarded $428 million in statutory damages to the class of truckers despite the defendant claiming it did not actively collect, use, or possess any biometric data.
Most recently, on February 2, 2023, the Illinois Supreme Court issued yet another decision that serves as a setback to companies attempting to find some way to scale back the scope of BIPA claims. In Tims v. Black Horse Carriers, Inc., 2023 IL 127801, the Court held that all BIPA causes of action are subject to a five-year statute of limitations, rejecting arguments that a one-year statute of limitations should apply. This will give plaintiffs five years to bring BIPA claims, which will expand, yet again, the number of BIPA claims being litigated.
Now, the Illinois business community nervously awaits what could be the most consequential Illinois Supreme Court decision. In Cothron v. White Castle, which was argued to the Supreme Court in May 2022, the Court is deciding whether BIPA's statutory penalties are issued on a per person basis, or per violation basis. A per violation outcome would be catastrophic to Illinois' businesses.
Despite all of the challenges, Goldberg Kohn has been able to successfully defend several BIPA class action cases based on the complete exemption in the law for financial institutions that have to comply with Gramm-Leach-Blilely Act (GLBA) privacy requirements. Section 25(c) of BIPA provides that "Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Blilely Act of 1999 and the rules promulgated thereunder." If a defendant can establish that it is an affiliate of a financial institution and subject to GLBA, then there can be no liability assessed under BIPA. This exemption has not reached the Illinois Supreme Court yet, but a federal district court very recently relied on it to dismiss a BIPA class action. What may be most interesting is that the defendant was not a bank or a "traditional" financial institution. In Powell v. DePaul University, decided on November 4, 2022, the Northern District of Illinois dismissed a BIPA class action against a university because it participates in the U.S. Department of Education's Federal Student Aid Program and is thus considered a financial institution subject to Title V of the GLBA.
The Northern District of Illinois also issued another decision just a few days ago that addressed a different exemption provided expressly under BIPA. In Warmack-Stillwell v. Christian Diro, Inc., decided on February 10, 2023, the court dismissed a BIPA class action complaint alleging the plaintiff visited the defendant's website and used a VTOT that allowed her to see how a pair of sunglasses would look on her face. As the court noted, BIPA includes what the court referred to as a "general health care exemption" – specifically "information captured from a patient in a health care setting." 740 ILCS 14/10. The court held that using "VTOT constitutes 'health care,'" and "VTOT counts as a 'setting.'" The court found that to be true regardless of whether the plaintiff was virtually trying on either prescription or non-prescription sunglasses. Until the Illinois Supreme Court says otherwise, at least two exemptions have successfully been used to defeat BIPA claims.
Complying with BIPA is not challenging as long as a company is aware of the law and takes modest steps necessary to comply with it. But BIPA is unforgiving if a company fails to comply. Companies hoping to find refuge in a court system for mere "technical" violations are in for a rude awakening. Do not wait for the White Castle decision to be handed down before taking every step you can to comply with the law. And if your company is facing a BIPA class action, be sure to have counsel assess whether the two exemptions discussed here, or any other exemption under BIPA, may serve as a complete defense to BIPA liability.
If you have any questions about complying with the Illinois Biometric Information Privacy Act or privacy issues, please contact David Morrison.