Takeaway: It’s time to evaluate your business’s biometric-privacy policies and exposure. Recent court decisions may lead to significantly larger judgments against violators and also encourage expansion of biometric-privacy litigation into states without devoted biometric-privacy laws, such as Wisconsin.
BIPA claims have grown increasingly common and led to very large settlements and awards.
Many businesses and attorneys in Wisconsin have watched in abject horror as Illinois’ state and federal courts have become a hotbed for biometric-privacy litigation. Using Illinois’ groundbreaking Biometric Information Privacy Act (or BIPA), consumer-side plaintiffs’ attorneys have flooded the courts with putative class-action lawsuits. 740 Ill. Comp. Stat. Ann. 14/1 et seq.
The outcomes are staggering. Facebook paid $650 million to settle a putative class action against it. Google resolved a case for $100 million; TikTok for $92 million. And a jury hit BNSF Railway with a $228 million verdict.
What explains these huge sums? For the most part, two things: (1) the Illinois BIPA enforcement mechanism, which allows a private right of action and imposes statutory damages of $1,000 to $5,000 per violation; and (2) ongoing confusion about how far BIPA liability extends. On the latter issue, for example, courts and parties have been uncertain over the statute of limitations applicable to some BIPA claims and how they accrue. If resolved in a plaintiff-friendly way, those open issues multiply a defendant business’s potential exposure by creating a much longer window for plaintiffs to bring claims and treating every separate collection of biometric information as a standalone violation. So, it’s no surprise that many businesses have been willing to pay huge amounts to settle these cases when the potential exposure is astronomical.
Recent plaintiff-friendly court decisions expose businesses to even greater risks.
Be ready for those eye-popping numbers to continue, because in the last two months the Illinois Supreme Court has ruled on these issues—in the plaintiff-friendly way that many businesses feared. In Tims v. Black Horse, the Illinois Supreme Court held that all BIPA claims have a five-year limitations period, not the one-year period the defendant business in that case argued. More recently, the Illinois Supreme Court held in Cothron v. White Castle System Inc. that BIPA claims accrue after each violation. So, for instance, a plaintiff who complains their fingerprints were scanned to clock in at the beginning of every shift for many years (as the plaintiff in Cothron claimed) could have not one but hundreds or thousands of separate claims, each of which may be compensable as a separate violation. As a result, by one metric, the defendant business in the Cothron case could be exposed to a billion-plus-dollar judgment. Tims v. Black Horse Carriers, Inc., 2023 IL 127801; Cothron v. White Castle Sys., 2023 IL 128004.
Businesses shouldn’t expect to rely on their business partners to foot the bill. The fact that a third-party vendor provides the technology that collects the biometric information typically does not let a business using that third-party technology off the hook. Franchisors may even be held liable for their franchisees’ violations. Rogers v. BNSF Railway Co., N.D. Ill. Case No. 19-cv-3083; Rushing v. Aggressive Developments of Missouri LLC, N.D. Ill. Case No. 3:22-cv-00649; N.Y. State Dep’t of Labor, RO-10-0024 (April 22, 2010).
Biometric-privacy litigation is expanding into other jurisdictions—even jurisdictions without devoted biometric-privacy laws.
At this point, you and your leadership team may be thinking: “We’re not based in Illinois. We don’t even have operations there. We’re based in Wisconsin (or some other state), which doesn’t have a biometric privacy law. So, we’re safe. Right?”
The answer: MAYBE NOT.
We’re seeing biometric-privacy lawsuits being filed under other states’ laws, too. And it could just be a matter of time until they’re being filed across the country, even in states like Wisconsin that don’t have devoted biometric-privacy laws.
Texas’ Attorney General is currently suing Facebook parent Meta Platforms and Google for alleged violations of Texas’ BIPA analog, the Texas Capture or Use of Biometric Identifier Act (or CUBI). Texas argues that the collection of face geometry and voiceprint data, which Meta and Google often capture to make “tagging” suggestions or otherwise improve their artificial intelligence models, is done for commercial purposes and without providing adequate notice, receiving consent, or having in place policies to protect and eventually destroy the data. If Texas proves a violation, Meta and Google could face statutory fines of $25,000 for each violation. Tex. Bus. & Comm. Code, Title 11, § 503.001 (CUBI statute); State of Texas v. Meta Platforms Inc., dba Facebook Inc., Harrison County District Court Case No. 22-0121; State of Texas v. Google LLC, Midland County District Court Case No. CV58999. We may soon see other states join Texas, as recently enacted comprehensive privacy laws in states like Virginia and Colorado have biometric-privacy components most likely to be enforced by state agencies.
In two recent decisions applying California law, courts held that consumers may be able to bring biometric-privacy claims under laws that are not specifically focused on biometric privacy. In one Northern District of Illinois case that is part of multidistrict litigation against Clearview AI, the court refused to dismiss plaintiff-consumers’ claims for violation of California’s common law right of publicity, its misappropriation-of-likeness statutes, and plaintiffs’ state constitutional rights to privacy, but denied plaintiff-consumers’ request to apply California’s generic Unfair Competition Law to biometric-privacy claims. In re Clearview AI, Inc., Consumer Privacy Litigation, 585 F.Supp.3d 1111 (N.D. Ill. 2022). In another case involving Clearview AI but separate from the MDL, the Alameda County Superior Court allowed a biometric-privacy claim to proceed under that generic Unfair Competition Law. Renderos v. Clearview AI, Inc., 2021 WL 1623886 (Super. Ct. Alameda Cnty. April 22, 2021). Expect to see enterprising consumer-side lawyers use these decisions to create biometric-privacy claims even under the laws of states without devoted biometric privacy statutes like BIPA.
Together, these legal developments demand that businesses across the country review their biometric-privacy risks.
These cases show biometric-privacy litigation expanding in two separate directions. First, at least under Illinois’ BIPA, the courts are time and again refusing to limit the potential monetary exposure under the law. That progression shows no signs of slowing, and we are not aware of any legislative efforts to stop it. Simultaneously, the floodgates could be opening for biometric-privacy litigation in other jurisdictions. That litigation may be pursued by state actors, like Texas, that are exercising their statutory authority under devoted privacy laws. Or it may be pursued by consumers filing putative-class-action lawsuits even in states that lack devoted biometric-privacy laws, spurred on by the two recent California-law decisions.
Given all this, one thing should be clear: businesses can’t hide their heads in the sand, hoping that biometric-privacy lawsuits will happen to other businesses in other jurisdictions. Even if your business isn’t based in a state with devoted biometric-privacy laws, you could soon see lawsuit threats where you do business or have employees. If your business is using biometric data in any way, it’s time to take steps that can at least reduce your exposure to lawsuits and liability. Godfrey & Kahn’s Labor & Employment, Data Privacy & Cybersecurity, and Litigation teams are ready to help.