In a major victory for defendants related to the Illinois Biometric Information Act (BIPA) U.S. District Judge Matthew Kennelly of the Northern District of Illinois has vacated a $228 million damages award in Richard Rogers v. BNSF Railway Co., the first case tried to a verdict under the Illinois BIPA. Judge Kennelly ordered a new jury trial limited to the question of damages. (Click to download Opinion and Order)
In the Rogers case, lead plaintiff Richard Rogers sued BNSF on behalf of a class of about 45,000 truck drivers. Rogers claimed the BNSF illegally required truck drivers to scan their handprints to verify their identity when entering secured railyards, and that the BNSF did not first obtain their consent or provide them with notice about what might happen with their scanned prints. Following a five-day trial, the jury took approximately one hour to find in favor of Rogers and the certified class of truck drivers.
Importantly, the jury was only tasked with determining whether BNSF violated the BIPA and, if so, the number of times BNSF violated the Act negligently or recklessly. Under BIPA, the distinction between a negligent violation and a reckless or intentional violation is significant. BIPA provides for an award of $1,000 for each negligent violation of the Act, while the award of liquidated damages increases to $5,000 for each reckless or intentional violation of the Act. The jury found that BNSF recklessly or intentionally violated BIPA 45,600 times—an amount equal to the defense expert’s estimated number of truck drivers in the class whose fingers were scanned from April 4, 2014 through January 25, 2020.
Following the jury’s verdict, Judge Kennelly performed a straightforward calculation by multiplying 45,600 by $5,000 —resulting in an award of damages of $228 million.
Four months after Judge Kennelly entered the Rogers’ judgment, the Illinois Supreme Court issued its ruling in Cothron v. White Castle Sys., Inc., 2023 IL 128004., holding “that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).” Further, the Supreme Court in Cothron observed that it “appears” the General Assembly made “damages discretionary rather than mandatory under the Act.” BNSF filed motions requesting a new trial or to amend the amount of damages in the judgment based on the Illinois Supreme Court’s statement in Cothron that the $5,000 per violation liquidated damages amount “appears” to be discretionary.
The Rogers court’s analysis began by examining the plain language of BIPA and noted that the Act does not include any statutory language indicating that the “liquidated damages” amounts were intended to be a range. The Rogers court’s analysis then relied on the dicta in the Cothron ruling as an indication of how the Illinois Supreme Court would likely decide the issue and found that damages under Section 20 of BIPA are discretionary. The Rogers court then vacated the prior award of damages and ordered a new trial in which the jury will determine only the appropriate amount of damages based on the jury’s prior factual finding that BNSF recklessly or intentionally violated BIPA 45,600 times.
On the plus side for defendants in BIPA disputes, the Rogers ruling definitively finds that damages under BIPA are discretionary. This holding is a sharp deviation from the standard BIPA damages analysis, which often assumes an absolute application of the $1,000 or $5,000 liquidated damages amounts contained in the Act.
Nonetheless, neither the Cothron decision nor the Rogers ruling provides any guidance as to what elements should be used to calculate damages under BIPA, including whether a finder of fact should consider whether any of the class plaintiffs suffered any actual harm by way of a data breach or other compromising event.
Importantly, it remains unclear as to how the jury in the upcoming Rogers retrial will be instructed to exercise its discretion in determining the amount of damages. Despite the uncertainty of how the jury will calculate BIPA damages, it is likely that this future calculation will serve as a baseline during settlement negotiations of pending and future BIPA claims.
In a related development, on July 20 the Illinois Supreme Court refused to reconsider its earlier decision that found violations of the state’s Biometric Information Privacy Act occur each time an unauthorized scan is made.
The same four justices who decided a new BIPA violation occurs every time an unauthorized scan is made, such as a finger scan, ruled against White Castle in a petition for a rehearing.
Critics of the ruling said the interpretation will lead to massive monetary damage awards that could destroy businesses. White Castle warned that under the high court’s interpretation of the law, a jury could award a $17 billion penalty against it because 9,500 current and former employees were involved. White Castle had employees scan their fingerprint to access work computers.
The Illinois Chamber of Commerce was among several business groups that filed briefs urging the Supreme Court to reconsider its interpretation of when violations occur under the law.
Given the activity around BIPA claims, by now all businesses should have assessed and corrected any business practice that potentially concerns biometrics—including employee timekeeping, identification procedures or security protocols. The failure to fully comply with BIPA leaves companies open to significant potential liability.
If you have questions about the Illinois Biometric Information Privacy Act, please contact Garrett L. Boehm, Jr., Kevin G. Owens, or D. Patterson Gloor at Johnson & Bell.