The Illinois Biometric Information Privacy Act: Proceed at Restricted Speed
- On October 26, 2023
The Illinois Biometric Information Privacy Act: Proceed at Restricted Speed
Stephen J. Foland and John C. Duffey, Fletcher & Sippel LLC, Chicago
Stephen and John have defeated a motion for class certification in a Biometric Information Privacy Act lawsuit. They also know more about railroads than is good for them. Stephen can be reached at firstname.lastname@example.org and John at email@example.com.
The Illinois Biometric Information Privacy Act (“BIPA”)[i] is a state statute regulating the ways in which employers, vendors, and other businesses may collect personal biometric data and biometric information from their employees, contractors, customers, and third parties, and the uses which may be made of that data and information. While BIPA’s purported aims (enhancing public welfare, public security, and public safety by “regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information”) are, in and of themselves, benign, the statute’s mechanisms to achieve those aims have created the potential for truly staggering liability which business operating in Illinois (including railroads and others in the transportation industry) can ill afford to ignore. It is therefore important to know enough about BIPA to help avoid potentially catastrophic damage awards.
BIPA calls to mind the aphorism, often attributed to Otto von Bismarck, the Iron Chancellor of Imperial Germany, comparing the making of laws with the making of sausages, and observing that it is best not to watch either one being made. Every year, the Illinois General Assembly introduces thousands of bills, hundreds of which are signed into law, and emerge from the Springfield sausage factory only to create unexpected difficulties when the public begins to consume them.[ii] BIPA was enacted in 2008, but lay quietly on the books until 2014, when a boy named Alexander Rosenbach submitted a fingerprint scan to verify a guest pass at the Six Flags amusement park in Gurnee, Illinois. Rosenbach’s mother filed a lawsuit under BIPA, pleading that Six Flags had neither provided her son with a consent form for the fingerprint scan nor with any information about its policy controlling the storage of biometric information. The case made its way to the Illinois Supreme Court, which ruled (contrary to causes of action created by other Illinois statutes) that no physical injury or other harm was necessary for a plaintiff to bring a lawsuit under BIPA.[iii]
Since the Illinois Supreme Court decided Rosenbach’s case, BIPA has become a popular hobby horse with the Chicago plaintiffs’ bar. Literally hundreds of BIPA lawsuits have been filed since 2019, most of them as class actions, and most of them in Cook County.[iv] These lawsuits have targeted an array of businesses, ranging from retail companies like Amazon and Walmart and hoteliers like Marriott to fast-food chains like White Castle and technology firms like Facebook. These lawsuits have also targeted the railroad industry. BNSF, CSX, Illinois Central, and Union Pacific are facing (or have faced) BIPA lawsuits. Other out-of-state companies, doing business in Illinois and unaware of the lurking danger of BIPA, have also been sued.[v] While BIPA was enacted largely in reaction to a failed experiment with high-technology fingerprint payment systems, most BIPA lawsuits have arisen from more mundane biometric applications, typically fingerprint scans taken by timekeeping devices, or (in the railroad context) checking in with security officers at intermodal ramps.[vi]
BIPA encompasses “biometric identifiers,” such as DNA, facial geometry, eye geometry (including iris and retinal patterns), fingerprints, hand geometry (including palm prints and palm vein patterns), and even body odor. It also includes “biometric information,” which is defined as “information, regardless of how it is captured, converted, stored, or shared,” derived from those biometric identifiers.[vii] The statute does not encompass things like photographs, writing samples, or physical descriptors like height, weight, and hair color.
The statute applies only to “private entities,” a term which is defined broadly and includes virtually every business operating in Illinois. Private entities possessing biometric identifiers or biometric information must develop written policies available to the public setting out what is collected and their guidelines for destroying the identifiers and information collected. Private entities are also prohibited from collecting biometric identifiers or information without meeting three specific requirements of the statute. First, they must provide written notice to the person submitting biometric identifiers or information that they are being collected. Second, they must disclose the specific purposes and durations for which biometric identifiers or information are being collected. Third, they must obtain a written release from the person submitting the biometric identifiers or information. Further, private entities are barred from leasing, selling, or making any profit, in any way, from biometric identifiers or biometric information.[viii]
Whether or not it was intended by the Illinois legislature, BIPA has established nearly absolute liability for Illinois businesses and created the potential for damage awards that could make the Iron Chancellor cry. These potential damages are the consequences of three provisions in the statute. First, BIPA allows a private right of action, which means that any person who qualifies as an “aggrieved individual” within the meaning of the statute may sue.[ix] Practically, every person who submitted, within a given five-year window of time, any biometric identifiers or biometric information to any private entity in Illinois is a potential plaintiff. Second, as noted above, BIPA has created a purely statutory right of action, meaning plaintiffs are not required to demonstrate any physical injury or actual loss to sue. “The violation, in itself, is sufficient to support the individual’s or the customer’s statutory cause of action.”[x] Third, and perhaps BIPA’s most onerous feature, is the statute’s singular liquidated damages clause, which allows a plaintiff to recover $1,000 for each negligent violation and $5,000 for each reckless or willful violation. Critically, these are not damages per plaintiff, but damages for each individual violation. As the Illinois Supreme Court put it, “a separate claim accrues” under BIPA every single time a person submits biometric identifiers or biometric information without the statute’s required disclosures and consent.[xi]
Simple arithmetic illustrates the devastating damages a BIPA judgment can inflict upon a defendant. Let’s say a business has twenty employees, and tracks their time using a fingerprint scanner. If each employee scans twice a day (at the beginning and end of each shift), five days a week, for fifty weeks a year, the business will have collected 10,000 scans annually. The BIPA statute of limitations is five years. This means the business will have collected 50,000 scans subject to BIPA liability. These 50,000 scans could result in a verdict of $50 million for negligent violations or $250 million for reckless or willful violations. Double the number of scans to four a day (assuming employees also scan in and out for lunch), and these potential damages rise to $100 million for negligent violations and $500 million for reckless or willful violations. These figures are not Halloween specters conjured by corporate defense lawyers! BNSF was recently hit with a $228 million verdict in Cook County, while White Castle is looking down the barrel at potential damages of $17 billion (yes, with a b).[xii]
Railroads and other businesses in the transportation industry are confronted with unique challenges under BIPA. For example, the special nature of intermodal operations, which often use fingerprint scans to check loads in and out of intermodal ramps, has left intermodal facility operators vulnerable to targeted lawsuits by plaintiffs who drive cartage or drayage between the various facilities. A driver could quickly and easily accrue multiple claims by checking in and out of multiple ramps in a short period of time. BNSF and CSX, for example, were defendants in two separate BIPA class actions, brought by the same truck driver as class representative, and represented by the same Chicago plaintiffs’ firm.[xiii]
Another challenge BIPA presents to the interstate transportation industry is that traditional preemption defenses afforded by such federal laws as the ICC Termination Act (“ICCTA”) have thus far not been successful, and may continue to face an uphill battle. Preemption defenses are strongest where a state or local law conflicts with the language or intention of a federal statute, or where a state or local law has the effect of regulating interstate transportation operations in some way.[xiv] However, where there is no direct conflict, or where a federal law has not completely occupied the same field as a state or local law, a court may be less inclined to find the plaintiff’s claim preempted by federal law, even if the state or local law has some incidental effect on interstate transportation. This can be the case with local building codes and other similar laws.[xv] In this respect, BIPA may be seen more like a local building code, such that the incidental effect it has on transportation operations is construed as insufficient for a railroad or other transportation company to defeat a BIPA lawsuit with a preemption argument.[xvi] On the other hand, if and when a BIPA verdict threatens the financial viability, rate structure, or operating practices of a railroad common carrier, it is possible a court could entertain a challenge to the verdict itself as a violation of ICCTA, which places the economic regulation of freight railroads throughout the United States squarely in the hands of the Surface Transportation Board.[xvii]
Other paths are available, however. While BIPA has imposed significant financial liabilities on transportation companies operating in Illinois, it is still possible for these businesses to proceed at restricted speed, prepared to stop short of running into the obstruction ahead. Companies sued under BIPA may consider certain tested approaches to their defense. For short-line railroads, for example, it may be helpful to consider the number of prospective plaintiffs who could bring BIPA claims. Most BIPA lawsuits are filed as class actions, and while Illinois law requires no definite number of plaintiffs to certify a class (and Illinois courts are notoriously friendly to class actions), you may be able to defeat a motion for class certification, forcing each plaintiff to bring an individual claim, and thereby reducing your exposure to an astronomical class verdict. The party seeking class certification (almost always the plaintiff) has the burden of showing the court why a class should be certified. Among other things, this means the party must prove to the court that there are enough people who have been harmed by the alleged BIPA violations for there to be a class. While individual judges around Illinois may differ, a class of twenty-five prospective plaintiffs is most likely an insufficient number to certify a class. Between twenty-five and forty, the party seeking certification must establish certain other factors, such as the prospective class members’ geographical distribution, the court’s ability to identify and locate individual class members, and the total number and nature of their claims.[xviii] Unfortunately for larger businesses, Illinois courts will almost always certify a class containing more than forty prospective plaintiffs.
In addition to assuring that you comply with BIPA if you are collecting biometric identifiers or biometric information, there are some defenses to consider if you are facing a lawsuit. For transportation companies subject to the Railway Labor Act or other federal labor laws, it may be helpful to review your collective bargaining agreements. Recent decisions from the Illinois Supreme Court and the federal district courts in Illinois have left open the possibility that BIPA claims which have not been submitted through the appropriate grievance process may be preempted as a violation of management’s rights pursuant to the agreements, the applicable federal labor laws, or the plaintiffs’ failure to exhaust their administrative remedies.[xix] Another approach is to determine who, exactly, has collected the biometric identifiers or biometric information. If a business has not taken an “active step” to collect biometric identifiers or biometric information, but has come to possess them as a collateral effect of its relationship with some other party, then it may not be liable under BIPA.[xx] Finally, it may be helpful to stress that liquidated damages under BIPA are, in fact, discretionary. The statute expressly states that a plaintiff “may” recover damages, meaning that a court has some leeway to temper the enormous liability which the statute has created.[xxi]
BIPA has created colossal liability for Illinois businesses, which the Illinois Supreme Court has recognized is “harsh, unjust, absurd, or unwise[.]”[xxii] Nevertheless, until the statute is amended, repealed, or overturned, it is good law in Illinois, and businesses must comply with it. Given the potential devastation the statute can cause, proceed at restricted speed. Get a policy in place, give notice, get the appropriate consent from the appropriate people, and if necessary, obtain competent counsel for your defense as quickly as possible.
[i] 740 ILCS §§ 14/1 et seq.
[ii] Michael J. Kasper, Using Article VI of the Illinois Constitution to Attack Legislation Passed by the General Assembly, 40 Loy. U. Chicago L. J. 847 (2009).
[iii] Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186; Jennifer Quinn-Barbanov, Zachary Schreiber & Onika K. Williams, Navigating the Roadblocks of Illinois’ Biometric Information Privacy Act, 90 J. of Transp. Law, Logistics & Policy 185 (2023).
[iv] Quinn-Barbanov et al. at 192–94.
[v] Id. at 203.
[vi] Charles N. Insler, Understanding the Biometric Information Privacy Act Litigation Explosion, 106 Ill. Bar J. 34 (2018); Rogers v. CSX Intermodal Terminals, Inc., 409 F.Supp.3d 612 (N.D. Ill. 2019); Fleury v. Union Pac. R.R. Co., 528 F.Supp.3d 885 (N.D. Ill. 2021); Rogers v. BNSF Ry. Co., 2023 WL 4297654 (N.D. Ill. 2023).
[vii] 740 ILCS § 14/10; Rogers, 409 F.Supp.3d 612; Fleury, 529 F.Supp.3d 885; Rogers, 2023 WL 4297654; Quinn-Barbanov et al. at 189–90.
[viii] 740 ILCS § 14/15; Quinn-Barbanov et al. at 190–91.
[ix] 740 ILCS § 14/20; Rosenbach, 2019 IL 123186; Quinn-Barbanov et al. at 192.
[x] Rosenbach, 2019 IL 123186; Quinn-Barbanov et al. at 192.
[xi] 740 ILCS § 14/20; Cothron v. White Castle Sys., Inc., 2023 IL 128004; Quinn-Barbanov et al. at 195–96.
[xii] Rogers, 2023 WL 4297654; Cothron, 2023 IL 128004; Quinn-Barbanov et al. at 195.
[xiii] Rogers, 409 F.Supp.3d 612; Rogers, 2023 WL 4297654.
[xiv] Green Mt. R.R. Corp. v. Vt., 404 F.3d 648 (2d Cir. 2005); Vill. of Mundelein v. Wis. Cent. Ltd., 227 Ill.2d 281 (2008); Vt. Ry., Inc. v. Town of Shelburne, 287 F.Supp.3d 493 (D. Vt. 2017), aff’d 918 F.3d 82 (2d Cir. 2019).
[xv] In re Vt. Ry., 171 Vt. 469 (2000).
[xvi] Rogers v. BNSF Ry. Co., 2022 WL 787955 (N.D. Ill. 2022); Quinn-Barbanov et al. at 201–02.
[xvii] 49 U.S.C. §§ 10501; Union Pac. R.R. Co. v. Chicago Transit Auth., 647 F.3d 675 (7th Cir. 2011); S. Dak. ex rel. S. Dak. R.R. Auth. v. Burlington N. & S.F. Ry. Co., 280 F.Supp.2d 919 (D.S.D. 2003).
[xviii] 735 ILCS §§ 5/2-801 et seq.; Wood River Area Dev. Corp. v. Germania Fed’l Sav. & Loan Ass’n, 198 Ill.App.3d 445 (5th Dist. 1990).
[xix] Miller v. Sw. Airlines Co., 926 F.3d 898 (7th Cir. 2019); Singleton v. B. L. Downey Corp., 2021 WL 3033393 (N.D. Ill. 2021); Walton v. Roosevelt Univ., 2023 IL 128338; Quinn-Barbanov et al. at 203.
[xx] Patterson v. Respondus, Inc., 593 F.Supp.3d 783 (N.D. Ill. 2022); Jones v. Microsoft Corp., 2023 WL 130495 (N.D. Ill. 2023); Clark v. Microsoft Corp., 2023 WL 5348760 (N.D. Ill. 2023).
[xxi] 740 ILCS § 14/20; Cothron, 2023 WL 128004; Quinn-Barbanov et al. at 196.
[xxii] Cothron, 2023 WL 128004.