Enacted in 2008, it took several years for BIPA litigation to get its footing, but today it has become a cottage industry much like class actions under the Telephone Consumer Protection Act of 1991 ('TCPA') or the Fair Credit Reporting Act of 1970 ('FCRA'). And it is continuing to grow. Last year was a groundbreaking year for BIPA litigation and this year we have seen two seminal BIPA cases get handed down in the first quarter alone.

Illinois was the first state to regulate the collection and storage of biometric data. Generally, BIPA requires any private entity in possession of biometric information to: (i) develop a written policy; (ii) inform the owner of the biometric information in writing about the purpose for collecting the information and the length of time it will be stored; (iii) obtain written consent for the collection and storage of the data; and (iv) refrain from selling, leasing, trading, or otherwise profiting from that biometric information.

A critical component of BIPA is its almost unfettered private right of action, which allows 'any person aggrieved by a violation of [the] Act' to sue for steep liquidated damages: $1,000 for each negligent violation, $5,000 for each intentional or reckless violation. Successful plaintiffs can also obtain attorneys' fees and costs, and injunctive or other relief. Since its passage, this private right of action has enabled thousands of class actions to be filed, many of which settled for hefty sums, across state and federal courts.

BIPA takes shape under recent case law

Perhaps an inevitable result, BIPA has significantly evolved over the past few years due to the substantial number of lawsuits filed under it. While a number of cases have clarified BIPA's contours, many have served only to further confound the BIPA litigation landscape.

Standing for BIPA claims

Adding more 'teeth', to BIPA, in 2019 the Illinois Supreme Court held that a mere statutory violation was sufficient for standing purposes in Rosenbach v. Six Flags Entm't Corp. In other words, a person is 'aggrieved by a violation of [the] Act', and thus has a cause of action, merely upon a showing that BIPA was violated. Accordingly, to pursue BIPA claims in state court, plaintiffs do not need to demonstrate any other kind of harm, such as that their biometric information was compromised or used for nefarious purposes.

Standing in federal courts is a different story. Current case law has created a matrix of impractical rules concerning Article III standing for BIPA claims. Under Article III of the U.S. Constitution, federal courts are only permitted to decide 'cases' and 'controversies'. This has been interpreted to mean that plaintiffs must demonstrate an actual or imminent alleged injury that is concrete and particularised in order to satisfy standing requirements. Whether such injury has been sufficiently pleaded is frequently a basis for Rule 12 motions to dismiss in privacy cases. BIPA has been no different.

Currently, Article III standing for BIPA claims is based on the BIPA section allegedly violated. Under three Seventh Circuit opinions, Bryant v. Compass Grp. USA, Inc., 958 F.3d 617 (7th Cir. 2020), Fox v. Dakkota Integrated Sys., LLC, 980 F.3d 1146 (7th Cir. 2020), and Thornley v. Clearview AI, Inc., 984 F.3d 1241 (7th Cir. 2021), to assert federal claims under section 15(a), a plaintiff must show injury beyond a mere statutory violation unless bringing a claim for 'violation of the full panoply of its section 15(a) duties'. To assert federal claims under section 15(b), a plaintiff can merely allege a statutory violation. However, to assert federal claims under section 15(c), a plaintiff needs to allege additional harm. See the table below:

Accordingly, BIPA plaintiffs must make jurisdictional decisions before filing to determine whether their claims should be filed in state or federal court.

A five-year statute of limitations for all BIPA claims

Until recently, litigants were unsure of the limitations period that applied to BIPA claims. BIPA, itself, does not specify a limitations period. Under Illinois law, where a statute does not specify a limitations period, it will typically assume a 'catchall' five-year limitations period. However, if another statute of limitations is 'specifically applicable', Illinois courts will apply that statute's limitations period. To determine whether there is a more 'specifically applicable' statute of limitations, Illinois courts analyse 'the type of injury at issue, irrespective of the pleader's designation of the nature of the action'.

Employing this analysis, Illinois trial courts consistently applied the catchall five-year statute of limitations to BIPA claims¹. Undeterred, defendant Blackhorse Carriers, Inc. argued that Chapter 735, Act 5, Article 13, Part 2 of the Illinois Compiled Statutes ('ILCS'), which provides a one-year limitations period for '[a]ctions in slander, libel, or for publications of matter violating the right to privacy', was 'specifically applicable' in Tims v. Blackhorse Carriers, Inc².  Blackhorse argued that this statute was, first and foremost, a privacy statute, and dealt with the publication of private information, which BIPA was also meant to regulate.

The Illinois Appellate Court agreed in part³. It held that the one-year statute of limitations, as provided for in 735 ILCS 5/13-201, applied to those portions of BIPA that regulated an entity's dissemination or disclosure of biometric information, (i.e., Sections 15(c) and (d)). The five-year catch-all limitations period, however, would apply to those portions of BIPA that did not contain a publication or dissemination element (i.e., Sections 15(a), (b), and (e)).

On 2 February 2023, however, the Illinois Supreme Court partially reversed the Seventh Circuit, holding that the five-year limitations period applied to all sections of BIPA⁴. While it was not the decision BIPA defendants were hoping for, it has provided much-needed clarity and will simplify limitations analyses in the future. It will also provide leverage to plaintiffs hoping for large settlement funds, since BIPA's statutory damages regime provides recovery for 'each violation'⁵.

A violation for every scan

While BIPA provides recovery for 'each violation', prior to this year, it was unclear what constituted a 'violation'. Was every scan of an individual's fingerprint a violation, so that an employee who had to clock in and out of shifts using their fingerprint for years could assert hundreds or even thousands of 'violations'? Or was BIPA triggered on only the first scan, giving such an employee just one claim to pursue and five years to pursue it?

On 17 February 2023, the Illinois Supreme Court answered this question in Cothron v. White Castle Sys., holding that a claim is triggered upon each biometric scan, rather than just the first⁶. In this case, plaintiff Latrina Cothron, a White Castle employee, argued that each non-compliant scan of her fingerprint (required to access pay stubs and her computer) constituted a BIPA violation. White Castle, on the other hand, argued that only the first scan it took from Cothron (incidentally outside the limitations' period) constituted a violation. The decision was long-awaited. The question was first raised in the Northern District of Illinois in June 2020 and was subsequently appealed to the Seventh Circuit. The Seventh Circuit then certified the question to the Illinois Supreme Court in December 2021.

The White Castle decision will have an outsized impact on litigants and BIPA litigation generally. While the decision took the guess work out of damages assessments, defendants can potentially face millions (if not hundreds of millions) in damages under it. This notion was acknowledged by the Illinois Supreme Court, but it ultimately explained that it 'continue[s] to believe that policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature'⁷.

BIPA exceptions apply broadly

BIPA provides for certain exceptions, including for 'financial institutions' subject to Title V of the Gramm-Leach-Bliley Act ('GLBA')⁸ and for information 'captured from a patient in a health care setting'⁹. Such exceptions have been applied broadly.

In November 2022, the Northern District of Illinois dismissed BIPA claims against defendant DePaul University in Powell v. DePaul University, holding that BIPA's GLBA exception applied¹⁰. While DePaul is a university, not a bank, it participates in the U.S. Department of Education's Federal Student Aid Program and is regulated by GLBA for those purposes. Accordingly, BIPA does not apply.

The Northern District of Illinois recently applied BIPA's 'healthcare' exception to bar a suit against Christian Dior in Warmack-Stillwell v. Christian Dior Inc¹¹ BIPA excludes 'information captured from a patient in a health care setting' from its definitions of 'biometric identifiers' and 'biometric information'. The plaintiff alleged that her use of Dior's online 'virtual try-on' tool, which allowed her to see what she would look like if she were wearing a certain pair of sunglasses, violated BIPA. Although the plaintiff alleged she was 'trying on' non-prescription sunglasses, the Court found that 'sunglasses, even if non-prescription, protect one's eyes from the sun and are Class I medical devices under the Food & Drug Administration's regulations'¹². Accordingly, plaintiff's claims were dismissed.

Trials and tribulations - the first BIPA trial

In October 2022, Rogers v. BNSF Railway Co., the first BIPA case to go to jury, resulted in a verdict against BNSF Railway. The federal jury found BNSF had 'recklessly or intentionally' violated BIPA 45,600 times. This number represented an expert's estimate of the number of drivers who had their fingerprints collected by BNSF when they entered BNSF's rail yards between 2014 and 2020. BIPA provides for up to $5,000 for each reckless or willful violation, so the Court awarded the class a total of $228 million, i.e., $5,000 for each of driver whose fingerprints were collected. Notably, post-trial briefing has not concluded, and pending are the plaintiff's request to increase the damages award threefold, to at least $684 million, and BNSF's motion to decrease it. Regardless of how the court rules on these motions, this case is sure to cause risk-adverse defendants to agree to higher settlements to avoid trial.

Like most privacy statutes, for BIPA, compliance is key. It is also relatively easy. If your organisation collects biometric information, even if it is not located in Illinois, it would be prudent to contact a privacy attorney to determine and limit legal exposure.

Molly S. DiRago Partner
[email protected]
Troutman Pepper Hamilton Sanders LLP, Chicago

1. See, e.g., Burlinski v Top Golf USA, Inc., No. 19-cv-06700, 2020 U.S. Dist. LEXIS 161371, at 17 (N.D. Ill. Sep. 3, 2020); Meegan, 2020 U.S. Dist. LEXIS 99131, at 5; Bryant, 2020 U.S. Dist. LEXIS 222219, at 3.
2. Tims v. Black Horse Carriers, Inc., 2020 Ill. Cir. LEXIS 6004 (Feb. 26, 2020).
3. Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, 451 Ill. Dec. 879, 184 N.E.3d 466.
4. Tims v. Black Horse Carriers, Inc., 2023 IL 127801.
5. 740 ILCS 14/20.
6. Cothron v. White Castle Sys., 2023 IL 128004.
7. Id.  ¶ 43.
8. 740 ILCS 14/25(c).
9. 740 ILCS 14/10.
10. Powell v. DePaul Univ., No. 21 C 3001, 2022 U.S. Dist. LEXIS 201296 (N.D. Ill. Nov. 4, 2022).
11. Warmack-Stillwell v. Christian Dior, Inc., No. 1:22-CV-04633, 2023 U.S. Dist. LEXIS 22926 (N.D. Ill. Feb. 10, 2023).
12. Id. at 8.