Latest Post | Last 10 Posts | Archives
Previous Post: Pritzker on gun law case, support for a safe storage law, thoughts on insurance requirements and opposition to taxing ammunition
Next Post: The lost art of outreach
Posted in:
* From the Ogletree Deakins law firm blog last October…
On October 12, 2022, a federal jury in the U.S. District Court for the Northern District of Illinois concluded that a company violated the Illinois Biometric Information Privacy Act (Privacy Act or BIPA) 45,600 times over six years by collecting truck drivers’ fingerprints to verify identities without the informed, written consent the Privacy Act requires. This is the first jury verdict rendered under the Privacy Act following a spike in class action filings under the statute. […]
Following the jury’s findings, the federal judge assigned to the case awarded $5,000 in liquidated damages for each intentional or reckless violation. Hence, the plaintiff-class received a judgment totaling $228 million.
* The company, BNSF Railroad, filed a motion to overturn or at least limit the jury’s verdict. From the Ogletree Deakins last month…
A federal judge in the Northern District of Illinois vacated a $228 million damages award issued following the first-ever jury verdict in an Illinois Biometric Information Privacy Act (Privacy Act or BIPA) class action and ordered a new trial on the issue of damages. However, in doing so, the judge refused to overturn the jury’s finding that the company’s Privacy Act violations were intentional or reckless.
In the June 30, 2023, ruling, the federal district court judge determined that there was sufficient evidence presented to the jury to find that the company was directly or vicariously liable for Privacy Act violations and to find that those violations were intentional or reckless. The judge further ruled that Privacy Act damages are discretionary and “that a damages award after a finding of liability is a question for the jury.” As such, the judge granted the company’s post-trial motion for a new trial on the issue of damages, which according to court records is set to commence in October 2023. […]
In vacating that award, the judge pointed to the subsequent February 2023 ruling by the Supreme Court of Illinois in Cothron v. White Castle. In that case, the Illinois Supreme Court held that Privacy Act claims accrue on each and every scan or collection, but in doing so, observed that a judge has the discretion to fashion damages so as not to result in “annihilative liability.” The judge in the present case stated that this observation “suggests how the Illinois Supreme Court is likely to rule if it were to address this question [of Privacy Act discretionary damages] in the future.” […]
The judge noted that the company continued to collect drivers’ fingerprints without obtaining informed consents for nearly one year after being sued and learning that there were potential compliance concerns with the system under the Privacy Act and only appeared to stop due to the COVID-19 pandemic. […]
It is not clear whether a jury will ultimately uphold the $228 million damages award in the case, but the ruling is nevertheless significant in that it suggests that damages are not simply a strict calculation of a statutory damages amount multiplied by the number of violations. This is especially important for companies following the Cothron ruling, which found that Privacy Act violations accrue on each scan. With violations occurring per scan, which may occur regularly (potentially multiple times per day), and a five-year statute of limitations, Privacy Act damages have the potential to skyrocket, which could also open the floodgates for more Privacy Act class actions.
While the holding is not binding on Illinois courts, the ruling highlights the language from the Cothron decision suggesting that Privacy Act damages are discretionary. That interpretation may be persuasive on other courts to hold that juries should fashion “appropriate” damage awards in Privacy Act class actions.
The ruling is here.
posted by Rich Miller
Tuesday, Aug 1, 23 @ 10:17 am
Sorry, comments are closed at this time.
Previous Post: Pritzker on gun law case, support for a safe storage law, thoughts on insurance requirements and opposition to taxing ammunition
Next Post: The lost art of outreach
WordPress Mobile Edition available at alexking.org.
powered by WordPress.
=== 45,600 times over six years===
This is pretty hard to defend. I think the judge made the right call.
Comment by Candy Dogood Tuesday, Aug 1, 23 @ 10:34 am
The point of the law, I think, is to change the behavior of employers. Putting the employer out of business with exceedingly large fines is not a great idea. This ruling looks like a search for a middle ground, which is probably a good idea.
Comment by Friendly Bob Adams Tuesday, Aug 1, 23 @ 10:59 am
BNSF has been getting absolutely dragged by every judge who touched this for their defense of “how were we supposed to know about a law that’s existed for six years?” One judge pointed out that BNSF has been operating for ~170 years in a highly-regulated industry and that was a ridiculous claim.
BNSF also kept scanning fingerprints after the lawsuit was filed and they were definitely on notice the law existed at that point.
Comment by Suburban Mom Tuesday, Aug 1, 23 @ 11:08 am
If companies want to avoid BIPA penalties, there’s a simple solution: stop breaking the law!
Comment by Google Is Your Friend Tuesday, Aug 1, 23 @ 12:13 pm
Seems like good news/bad news for businesses here. If they know they’re violating the law and don’t stop, they’re gonna get hit harder in court — deservedly so. But it looks like this decision puts the “per-swipe” liability standard in doubt, which is the main cause of the big cash settlements. Maybe this makes BIPA ripe for the US Supreme Court to take a look?
Comment by Tony T Tuesday, Aug 1, 23 @ 1:02 pm
=== If companies want to avoid BIPA penalties, there’s a simple solution: stop breaking the law! ===
Not necessarily the issue here. The issue is how much the penalties should be for the violation of the law. In the White Castle case, their damages based on the statute is $17 billion dollars. Do you think that is appropriate?
Please note that White Castle’s annual revenues are roughly $720 million annually
Comment by Hannibal Lecter Tuesday, Aug 1, 23 @ 2:28 pm
===Putting the employer out of business with exceedingly large fines is not a great idea.===
I don’t think $5,000 is an excessive fine. The issue then becomes the sheer number of violations.
And counter to the White Castle case, BNSF had revenue of the just under $23 billion last year. $228 million isn’t going to shutter them.
Comment by Mike Sorensen Tuesday, Aug 1, 23 @ 3:12 pm
=== And counter to the White Castle case, BNSF had revenue of the just under $23 billion last year. $228 million isn’t going to shutter them. ===
Not the point. I will pose the same question to you that I posed to the other commenter:
In the White Castle case, their damages based on the statute is $17 billion dollars. Do you think that is appropriate?
Please note that White Castle’s annual revenues are roughly $720 million annually
Comment by Hannibal Lecter Tuesday, Aug 1, 23 @ 3:45 pm