November 17, 2022 - The United States is seeing a surge in litigation over biometric privacy rights.  Most of this litigation is happening under state law, and state attorneys general and private litigants have been bringing lawsuits in record numbers.  In particular, there has been an uptick in class action litigation filed under the Illinois Biometric Privacy Act (BIPA) (740 ILCS 14/1 et seq.).

In October 2022, the first BIPA case to go to trial concluded in a jury verdict awarding $228 million to a group of truck drivers who had sued BNSF Railway Co. (BNSF).  When the truck drivers made deliveries or pickups at BNSF’s facilities, their fingerprints were scanned for identification purposes. They successfully argued that this practice violated BIPA because BNSF failed to provide them with prior written notice or obtain their prior written consent. 

BIPA authorizes private litigation to enforce its provisions.  The Illinois Supreme Court has held that plaintiffs only need to show a violation of the statutory terms, and not that they suffered any actual harm.  Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, ¶ 28 (129 N.E.3d 1197, 1205, 432 Ill. Dec. 654, 662).  In the absence of actual harm, BIPA provides for liquidated damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, as well as attorneys’ fees and costs.  740 ILCS 14/20.

In practice, defendants typically settle class actions like the BNSF case rather than face a jury trial.  BNSF’s decision to go to trial was apparently influenced by the fact that a third-party service provider, and not BNSF itself, scanned the truck drivers’ fingerprints.  At trial, BNSF argued that it had not been negligent or reckless in retaining the service provider and that it could not be held vicariously liable for the service provider’s actions because the service provider was an independent contractor.

The jury was not persuaded by BNSF’s arguments.  It found BNSF vicariously liable for 45,600 intentional or reckless violations of BIPA, equal to the estimated number of drivers whose fingerprints had been registered by an automatic gate system.  The judge entered judgment for damages in the amount of $228 million (45,600 x $5,000).

Notably, the jury did not find that BNSF had violated BIPA each time a driver’s fingerprints were scanned without written notice or consent, but only upon the initial scan and registration.  There is another case currently sub judice before the Illinois Supreme Court that will decide whether a BIPA claim accrues each time a biometric identifier is scanned and transmitted to a third party or only upon the first scan and transmission. Cothron v. White Castle Sys., Inc., No. 128004, filed pursuant to an order of certification from the U.S. Court of Appeals for the Seventh Circuit, 20 F.4th 1156 (7th Cir. 2021).  The Illinois Supreme Court’s decision will establish the law going forward but is unlikely to affect the jury’s finding in the BNSF case.

Meanwhile, other BIPA cases continue to settle.  The largest settlement in a BIPA class action is still the $650 million Facebook settlement.  In re Facebook Biometric Info. Priv. Litig., 522 F.Supp.3d 617 (N.D. Cal. 2021).  In that case, plaintiffs alleged that Facebook’s “Tag Suggestions” program identified their faces in uploaded photographs, resulting in the collection and storage of their facial scans without prior notice or consent.

The Facebook settlement has encouraged numerous class actions and settlements.  This year, BIPA lawsuits were filed against 7-Eleven, Amazon, Louis Vuitton, and others.  Defendants who have recently settled BIPA lawsuits include, among others, Google ($100 million), TikTok ($92 million), McDonald’s ($50 million) and Snapchat ($35 million).

The recent surge in litigation has not been limited to BIPA cases.  In February of this year, the Texas Attorney General brought that office’s first lawsuit under the Texas Capture or Use Biometric Identifier Act (CUBI), suing Meta Platforms, Inc. (the parent of Facebook and Instagram).  The lawsuit against Meta Platforms makes allegations similar to those in the BIPA class action against Facebook.  In October of this year, the Texas Attorney General filed a similar lawsuit against Google, focused on the Google Photos app and certain other software, including voice-recognition software.

One reason for the growing number of lawsuits under U.S. state law is that the United States does not have a comprehensive federal privacy law.  However, a U.S. federal agency, the Federal Trade Commission (FTC), has been investigating the collection, storage and use of biometric information under its authority to police unfair and deceptive trade practices.  

In January 2021, the FTC brought its first case alleging misuse of facial recognition technology. In that case, the FTC alleged that Everalbum, the operator of a photo storage and organization app, misled consumers when it stated that it would not use facial recognition technology unless the customer turned it on and that it would delete customers’ photos and videos when they deactivated their accounts.  Everalbum settled quickly, agreeing to obtain customers’ express consent going forward and to delete the models and algorithms already developed through its facial recognition technology.  The settlement did not include any monetary penalties.

Conclusion

Companies need to be vigilant in complying with biometric privacy laws.  Gartner, Inc., a leading technology consulting firm, predicts that by 2024 the average annual budget for privacy compliance at large companies will surpass $2.5 million, and that by 2025 biometric privacy lawsuits will have resulted in $8 billion in total penalties and settlements.  These predictions seem credible in light of the current litigation surge and the large settlements that have already occurred.