Skip to Main Content
ニュース&イベント: Client Advisories

Damages For Violations of BIPA Are Discretionary, Not Mandatory

9.28.23
関連業務分野 訴訟

In past Advisories, we have provided an overview of the requirements of Illinois’ Biometric Information Privacy Act (740 ILCS 14/1 et seq.) (“BIPA”) and the risks of noncompliance. (See "Risks and Compliance Under the Illinois Biometric Information Privacy Act: No Actual Harm Required for Private Cause of Action" and "BIPA Claim Concerns for Illinois Employers")  We reported on the Illinois Supreme Court’s landmark decision holding that a company using biometric data, such as fingerprints, handprints, voiceprints, retina or iris scans, and facial geometry characteristics captured by facial recognition systems without complying with BIPA could be liable for statutory damages in the amount of $1,000 per negligent violation and $5,000 per intentional/reckless violation or actual damages plus attorney's fees and costs. Cothron v. White Castle Systems, Inc., 2023 IL 128004 (Feb. 17, 2023). (See "Illinois Supreme Court Decision Exposes Companies to Potentially Catastrophic Damages For BIPA Violations")  Based on this ruling, companies that have used biometric data for timekeeping or security purposes, without complying with BIPA, could potentially be liable for damages for each separate scan, resulting in multi-billion dollars in damages.

On June 30, 2023, a federal district court, applying Cothron, reversed its award of $228 million to a class of plaintiffs alleging breach of BIPA, finding that the amount of damages under BIPA is discretionary, not mandatory. The court sent the case back to the jury for a new trial on damages only. Rogers v. BNSF Railway Company (Case No. 19 C 3083).

BNSF contracted with a third-party company to install and manage an Auto-Gate System (AGS) to control the entry and exit of truck drivers at four of BNSF's Illinois facilities. The system required the drivers to scan their handprints to verify their identity when entering secured railyards, and the plaintiff drivers alleged that BNSF did not obtain their consent or provide them with required BIPA notices.

After a five-day trial, the jury found in favor of Rogers and the certified class of truck drivers finding that BNSF had recklessly or intentionally committed 45,600 violations of BIPA. BIPA provides for an award of $1,000 for each negligent violation, and liquidated damages of $5,000 for each reckless or intentional violation of the Act. Based on this finding, the court performed the mathematical calculation and entered a judgment for $228 million (45,600 times $5,000). Both parties filed post-trial motions.

On appeal, the Court acknowledged that a federal court must predict how the Supreme Court of Illinois would determine issue of state law if a question of law has not yet been decided by that Court. The Court noted that the Illinois Supreme Court in Cothron cited the use of “may” in Section 20 of BIPA, which provides that "[a] prevailing party may recover [damages, fees and costs, and other relief] for each violation." Id. (emphasis added). Therefore, it concluded that the General Assembly chose to make damages discretionary rather than mandatory. Therefore, a damage award after a finding of liability is a question for the jury, not the court, and the Court granted a new trial limited to the question of damages. Of course, the jury could ultimately use the same method of calculating damages as the trial court did, but this decision provides BIPA defendants with some basis to argue that less than the full amount of statutory damages should be awarded for BIPA violations.

Considering the enormous potential exposure, companies using biometric data for any purposes should consult with their legal advisors to confirm that they are in compliance with BIPA.

© 2024 Masuda, Funai, Eifert & Mitchell, Ltd. All rights reserved. 本書は、特定の事実や状況に関する法務アドバイスまたは法的見解に代わるものではありません。本書に含まれる内容は、情報の提供を目的としたものです。かかる情報を利用なさる場合は、弁護士にご相談の上、アドバイスに従ってください。本書は、広告物とみなされることもあります。