BIPA – Class Action Defense

March 30, 2023December 1, 2023 by Gerald L. Maatman, Jr.

Illinois Court Dismisses BIPA Class Action Brought Against Seller Of Point-Of-Sale Technology For Lack Of Personal Jurisdiction

By Gerald L. Maatman, Jr., Tyler Z. Zmick, and Shaina Wolfe

Duane Morris Takeaways: In White v. HungerRush LLC, No. 22-1206 (C.D. Ill. Mar. 28, 2023), the Court dismissed claims for violations of the Biometric Information Privacy Act (“BIPA”) brought against a company that sells point-of-sale technology for lack of personal jurisdiction. White serves as a reminder to businesses that personal jurisdiction in Illinois may be lacking where their conduct has only a tenuous connection to Illinois and/or where they do not “collect” or “possess” biometric data. This ruling – which is largely consistent with federal court decisions addressing the issue – is a rare win for companies facing BIPA class actions, and is a required read for companies facing privacy class action litigation.

Case Background

Plaintiff worked at a restaurant in Peoria, Illinois, which used a point-of-sale system sold by Defendant HungerRush LLC, a Texas-based company. While working at the restaurant, Plaintiff enrolled her fingerprint onto the point-of sale system as a means of clocking in and out of work. She later sued the Texas-based Company, claiming that it violated the BIPA in connection with its sale of the point-of sale system by (i) failing to develop a written policy made available to the public establishing a retention policy and guidelines for destroying biometric data, and (ii) collecting her biometric data without providing her with the requisite notice and obtaining her written consent.

In response to the complaint, the Company moved to dismiss on the basis that the Court lacked personal jurisdiction. In support of its jurisdictional argument, the Company submitted an affidavit signed by its Chief Administrative Officer and General Counsel.

The Company’s affidavit explained that: (i) it is a Texas-based company; (ii) it does not manufacture finger-scan devices or software; (iii) Plaintiff’s employer purchased a point-of-sale system from it and separately purchased a finger-scan device from a third-party; (iv) the finger-scan device operates independently from its software; and (v) finger-scan data is not transmitted to its point-of-sale software – instead, the finger-scan device sends only an approval signal to its software.

Based on these facts, Defendant argued that its limited contact with Illinois (i.e., selling a point-of-sale system to Plaintiff’s Illinois-based employer) was insufficient to establish personal jurisdiction.

The District Court’s Decision

The Court granted the Company’s motion to dismiss under Rule 12(b)(2).

First, the Court noted that “[w]here, as here, the defendant submits ‘evidence opposing the district court’s exercise of personal jurisdiction, the plaintiff must similarly submit affirmative evidence supporting the court’s exercise of jurisdiction.’” The Court explained that because Plaintiff failed to submit any evidence refuting the Company’s evidence, i.e. the sworn affidavit, the affidavit was considered “unrebutted.”

Second, the Court found that the Company’s unrebutted evidence demonstrated that it did not have sufficient minimum contacts with Illinois for this case and it was not reasonably foreseeable that Plaintiff’s claims related to the Company’s contacts with Illinois. Significantly, Plaintiff failed to submit any evidence refuting the affidavit’s sworn statements that Plaintiff’s Illinois-based employer initiated the transaction with the Company, that any contracts the Company makes with Illinois restaurants are made in Texas with Illinois restaurants reaching out to the Company, that the Company’s system has no cloud functions, or that the Company does not and has never manufactured a fingerprint scanner.

The Court held that because Plaintiff failed to offer evidence or adequate explanations refuting the Company’s sworn statements, she failed to meet her burden in establishing personal jurisdiction.

Implications For Employers

White serves as a reminder that companies must have sufficient contacts with the state in order for the courts to have personal jurisdiction over them. In other words, companies with only limited contacts with Illinois will not be subject to personal jurisdiction in courts within Illinois.

White also illustrates the importance of submitting extrinsic materials (e.g., sworn affidavits) in support of showing lack of personal jurisdiction. Significantly, once the defendant has submitted affidavits or other extrinsic evidence supporting lack of jurisdiction, the plaintiff must go beyond the pleadings and submit affirmative evidence supporting the exercise of jurisdiction. Moreover, courts can dismiss BIPA class actions for lack of personal jurisdiction based on supporting affidavits – even where the affidavits speak in part to the merits of the case. See Order & Op. at 8.

February 2, 2023 by Alex W. Karasik

Illinois Supreme Court Holds Five-Year Statute Of Limitations Applies To The BIPA

By Alex W. Karasik, Gerald L. Maatman, Jr., and Jennifer A. Riley

Duane Morris Takeaways: In one of the most highly anticipated class action rulings in years, in Tims, et al. v. Black Horse Carriers, Inc., Case No. 127801 (Ill. Feb. 2, 2023), the Illinois Supreme Court held that a five-year statute of limitations applies to claims under the Biometric Information Privacy Act, 740 ILCS 14/15 (“the BIPA”). This ruling adds to the risks for employers and companies who do business in Illinois in terms of BIPA class action exposures.

Given that the BIPA statute does not have an explicit statute of limitations, the Illinois Supreme Court’s ruling now provides clarity for litigants and attorneys in this space as to the scope of the putative classes in their lawsuits.

Case Background

In March 2019, Plaintiff filed a class action complaint alleging that Defendant violated the BIPA through its timekeeping practices that involved the scanning and storing of employees’ fingerprints. Plaintiff asserted claims under three sub-sections of the law, including: (1) section 15(a) of the BIPA, for failing to institute, maintain, and adhere to a retention schedule for biometric data; (2) section 15(b) of the BIPA, which states that no private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information without notice and consent; and (3) section 15(d) of the BIPA, which involves the unlawful disclosure or dissemination of biometric data without first obtaining consent. Of note, section 15(c) of the BIPA prohibit the sale of a person’s biometric data for a profit, and section 15(e) of the BIPA imposes a duty of reasonable care in storing and protecting biometric data from disclosure.

On September 17, 2021, the Illinois Appellate Court held that hat a one-year limitations period pursuant to section 13-201 of the Illinois Code of Civil Procedure (the “Code”) governs actions under sections 15(c) and (d) of the BIPA, while a five-year statute of limitations pursuant to section 13-205 applies to sections 15(a), (b), and (e). The Illinois Appellate Court explained that the BIPA imposes various duties that are separate and distinct from one another. While each of the duties set forth under sections (a)-(e) “concern privacy,” the Appellate Court reasoned that a private entity could violate sections (a), (b), or (e) “without having to allege or prove that the defendant . . . published or disclosed any biometric data.” Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, at ¶ 31 (1st Dist. Sept. 17, 2021). However, the “publication or disclosure of biometric data is clearly an element of an action under” sections 15(c) and (d). Id. at ¶ 32. Accordingly, the Illinois Appellate Court applied the state’s one-year statute of limitations for right of privacy claims for sections (c) and (d), and applied the five-year “catch all” statute of limitations for sections (a), (b), and (e).

The Illinois Supreme Court’s Decision

On February 2, 2023, the Illinois Supreme Court affirmed in part and reversed in part the Illinois Appellate Court’s decision. First, the Illinois Supreme Court notably opined that it, “agree[d] with the parties that the [A]ppellate [C]ourt erred in applying two different statutes of limitations to the Act.” Tims, 2023 IL 127801, at ¶ 16. It explained that one of the purposes of a limitations period is to reduce uncertainty and create finality and predictability in the administration of justice. Id. at ¶ 20 (citations omitted). The Illinois Supreme Court thus held that, “applying two different limitations periods or timebar standards to different subsections of section 15 of the Act would create an unclear, inconvenient, inconsistent, and potentially unworkable regime as it pertains to the administration of justice for claims under the Act.” Id. at ¶ 21.

Having decided that a singular uniform statute of limitations should apply, the Illinois Supreme Court next analyzed whether the statute of limitations should be five years or one year. Analyzing the plain language of the BIPA statute, the Illinois Supreme Court held that all five subsections of section 15 of the Act prescribe rules to regulate the collection, retention, disclosure, and destruction of biometric identifiers and biometric information. Id. at ¶ 29. In regards to the Illinois Appellate Court’s holding that section 15(a), 15(b), and 15(e) of the Act contained no words that could be defined as involving “publication,” the Illinois Supreme Court held that the Illinois Appellate Court correctly found that subsections (a), (b), and (e) are subject to the five-year “catchall” limitations period codified in section 13-205 of the Code. Id. at ¶ 30.

Turning to subsections (c) and (d), the Illinois Supreme Court acknowledged that the one-year statute of limitations could be applied. Id. at ¶ 32. However, the Illinois Supreme Court held that, “when we consider not just the plain language of section 15 but also the intent of the legislature, the purposes to be achieved by the statute, and the fact that there is no limitations period in the Act, we find that it would be best to apply the five-year catchall limitations period codified in section 13-205. Id. at ¶ 30. The Illinois Supreme Court explained that this outcome would further its goal of ensuring certainty and predictability in the administration of limitations periods that apply to causes of actions under the BIPA. Id. at ¶ 32. In support of its conclusion, the Illinois Supreme Court held that Illinois courts have routinely applied this five-year catchall limitations period to other statutes lacking a specific limitations period, such as the BIPA. Id. at ¶ 34.

Finally, the Illinois Supreme Court examined the Illinois General Assembly’s goals in enacting the BIPA statute. The Illinois Supreme Court opined that in light of the extensive consideration the General Assembly gave to the fears of and risks to the public surrounding the disclosure of highly sensitive biometric information, “it would thwart legislative intent to (1) shorten the amount of time an aggrieved party would have to seek redress for a private entity’s noncompliance with the Act and (2) shorten the amount of time a private entity would be held liable for noncompliance with the Act.” Id. at ¶ 39. The opinion also noted that defamation torts such as libel and slander are subject to a short limitations period because aggrieved individuals are expected to quickly become apprised of the injury and act quickly when their reputation has been publicly compromised, while it would be uncertain as to whether an individual would ever become aware of their biometric being improperly disclosed or misappropriated. Id.

The Illinois Supreme Court concluded its opinion by holding that the five-year limitations period contained in section 13-205 of the Code controls claims under the BIPA. Therefore, the Illinois Supreme Court affirmed in part and reversed in part the judgment of the Appellate Court, and remanded the cause to the Circuit Court for further proceedings.

Implications For Employers

This decision is unsurprising given the public policy behind the law and the growing importance of privacy. The five-year statute of limitations serves to increase BIPA class action litigation exposure.

Companies can expect more BIPA-related rulings in the near term. The Illinois Supreme Court is due to issue its decision in Cothron v. White Castle System, Inc., No. 1280004 (Ill.), which will decide whether each fingerprint scan is its own discrete violation. An adverse finding in Cothron could enhance BIPA class action exposures.

If employers have not already done so, now is time to make sure their timekeeping procedures and consent policies are legally compliant. The Tims ruling is apt to increase the plaintiff class action bar’s appetite for BIPA claims, so it is more important than ever for employers to make sure their procedures are legally sound.

January 9, 2023 by Gerald L. Maatman, Jr.

Illinois Appellate Court Affirms Dismissal Of BIPA Class Action Lawsuit

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Takeaways: In Barnett v. Apple Inc., Case No. 1-22-0187, 2022 Ill. App. LEXIS 556 (Ill. App. 1st Dist. Dec. 23, 2022), after a trial court dismissed a biometric privacy class action lawsuit involving the use of facial and fingerprint recognition features, the Illinois Appellate Court affirmed the dismissal order. In an important decision defining the parameters of liability under the Illinois Biometric Information Privacy Act (“BIPA”), the Illinois Appellate Court held that the users of the technology themselves were responsible for possessing, capturing, and collecting their biometric data

For businesses that are confronted with biometric privacy class action allegations in the context of recognition software, this monumental victory for Apple provides an excellent roadmap to attack such claims at the pleading stage.

Case Background

Plaintiffs alleged that Apple violated the Biometric Information Privacy Act, 740 ILCS 14/1 et seq., by offering users of its phones and computers the option of utilizing face and fingerprint recognition features without first instituting a written policy regarding the retention and destruction of the users’ biometric information; and without first obtaining the users’ written consent. Id. at *1-2. Plaintiffs claimed Apple was “in possession of,” “collected,” and “captured,” the users’ biometric information, since Apple designed, owned, and had the ability to remotely update the software. Id. at *2.

On January 3, 2022, the trial court granted Apple’s motion to dismiss. Id. at *9. First, the trial court held that Plaintiffs failed to allege that their biometric information was sent to Apple’s servers or any third party server. Rather, Plaintiffs expressly alleged that the information was stored locally on Plaintiffs’ own devices. Second, the trial court held that Plaintiffs did not allege that Apple stored any of Plaintiffs’ biometric data in Apple databases. Third, the trial court held that it was clear Plaintiffs voluntarily chose to use Face ID and Touch ID features, and could delete their biometric information from their devices if they chose. On February 2, 2022, Plaintiffs filed a timely notice of appeal. Id. at *11.

The Illinois Appellate Court’s Decision

The Illinois Appellate Court affirmed the trial court’s dismissal of Plaintiffs’ complaint. Addressing the issue of “possession,” the Appellate Court explained that the term was not defined in the BIPA statute. Id. at *16. Plaintiffs argued that Apple ‘possesse[d]” their information because Apple software collected and analyzed their information. Id. at *17. Rejecting Plaintiffs’ argument, the Appellate Court opined that based on the facts alleged by Plaintiffs, it seemed as though Apple designed these features with the express purpose of handing control to the user. Id. at *17-18. The Appellate Court also noted that these features were completely elective, explaining that the user must undertake a series of affirmative steps in order to use them. Id. Finally, the Appellate Court found that Plaintiffs’ arguments were not persuasive since Plaintiffs alleged that the information is stored on the users’ own individual devices, and that users may delete the information and disable the features at their convenience. Accordingly, the Appellate Court held that Plaintiffs failed to properly allege that Apple possessed their biometric information.

Turning to the issue of whether Apple collected and captured Plaintiffs’ biometric information, the Appellate Court explained that these terms were also not defined in the BIPA statute. Id. at *20. In support of their proposed definitions, Plaintiffs cited a BIPA class action in the employment context, where the employee plaintiff was required to use the biometric scanner or lose her job. Id. at *22-23 (citations omitted). Rejecting Plaintiffs’ argument, the Court noted that the biometric features in this care were wholly optional, the information was stored exclusively on Plaintiffs’ devices, and Plaintiffs could delete the information at will. Further, the Court noted that Plaintiffs specifically alleged that the information is stored only on their devices. Accordingly, the Appellate Court held that Plaintiffs failed to properly allege that Apple captured and collected their biometric information.

In conclusion, the Appellate Court summarized its findings as follows: “[P]laintiffs do not dispute that the user’s biometric information is stored on the user’s own device; that Apple does not collect or store this information on a separate server or device; that these features are completely optional; that the user is the sole entity deciding whether or not to use these features; that, to enable the features, the user employs his or her own device to capture and collect his or her own biometric information on that device; that, to utilize these features, the user must undertake a number of steps, which are all documented in photos in plaintiffs’ complaint; and that the user has the power to delete this biometric information from the device, at any time, without negatively impacting the device.” Id. at *22-23. Accordingly, the Appellate Court affirmed the trial court’s dismissal of Plaintiffs’ BIPA class action.

Implications For Employers

Facial recognition technology is rapidly becoming more prevalent in both the employment and consumer contexts. This decision underscores the importance of carefully analyzing the allegations in biometric privacy class action pleadings. In situations where users maintain control over their own biometric data, this may be a helpful decision to seek an early exit from the lawsuit. Finally, Apple’s victory further provides some optimism for companies defending biometric privacy class actions, as the recent tide of key decisions has largely been adverse to defendants.

November 14, 2022 by Gerald L. Maatman, Jr.

New Trial Sought Following $228 Million Judgment In Landmark BIPA Class Action

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Synopsis: In Rogers v. BNSF Railway Co., Case No. 19-CV-03083 (N.D. Ill.), the first federal court jury trial in a case brought under the novel Illinois Biometric Information Privacy Act (“BIPA”), the plaintiffs secured a verdict in favor of the class of 45,000 workers against Defendant BNSF. After a week-long trial in the U.S. District Court for the Northern District of Illinois in Chicago, the jury found that BNSF recklessly or intentionally violated the law 45,600 times. The Court thereafter entered against BNSF for $228 million. Post-trial motions are now before the Court, which raise significant issues for all companies that use biometric equipment.

On November 9, 2022, Defendant BNSF Railway Co. filed a motion for a new trial under Rule 59(a) or to reduce the damages award under Rule 59(e). It argues that none of the 45,000 class members suffered any actual harm. It also raised constitutional concerns about the BIPA.

This latest development suggests that BNSF is pulling out all the stops to challenge the precedent-setting $228 million judgment. The outcome of this motion and future appeals will profoundly shape the privacy class action landscape.

Case Background

As we blogged about here, Plaintiff filed a class action lawsuit alleging that BNSF unlawfully required truck drivers entering the Company’s facilities to provide their biometric information through a fingerprint scanner. He claimed that BNSF collected the drivers’ fingerprints without first obtaining informed written consent or providing a written policy that complied with the BIPA and therefore violated sections 15(a) and (b) of the BIPA. BNSF argued that it did not operate the biometric equipment and instead sought to shift blame to a third-party vendor who operated the biometric equipment that collected drivers’ fingerprints.

The case proceeded before a jury in federal court in Chicago. The proceeding was closely watched, as it represented the very first time any class action had gone to a full trial with claims under the BIPA. The trial lasted five days. However, the jurors deliberated for just over an hour. Following the jury’s finding of liability, the Court entered a judgment against BNSF in the amount of $5,000 per violation, for a total amount of $228 million.

BNSF’s Motion For A New Trial Or Amended Judgment

BNSF renewed its motion for judgement as a matter of law pursuant to Federal Rule of Civil Procedure Rule 50(b), following the Court’s denial of BNSF’s Rule 50(a) motion at trial. In the alternative, BNSF moved for a new trial under Rule 59(a), or to reduce the damages award under Rule 59(e).

First, BNSF argues that there was insufficient evidence for the jury to find that BNSF violated the BIPA. Id. at *3. In support of that argument, BNSF cited testimony from its former Director of Technology Services that BNSF did not collect or obtain biometrics from truck drivers in Illinois, that the biometric data was stored on another entity’s server, and that BNSF did not maintain a copy of any of that data. Id. at *4.

Second, BNSF argues that it is entitled to judgment as a matter of law or a new trial, or at least a significant reduction in damages, because there was insufficient evidence for a rational jury to conclude that BNSF violated the BIPA recklessly or intentionally 45,600 times — which is the basis for the $228 million damages award. Id. at *5-6. BNSF claims that there was no evidence that BNSF even learned about the BIPA until April 2019. Therefore, BNSF argued, no rational jury could have inferred from this evidence that BNSF consciously disregarded or intentionally violated the rights of Plaintiff and the class members at any point, much less for the full class period starting in April 2014.

Third, BNSF argued that the Court’s award of $228 million in damages where Plaintiff admits he and the members of the class have suffered no actual harm violates the Due Process Clause and Excessive Fines Clause of the U.S. Constitution. BNSF points out that, “It is undisputed that neither Plaintiff nor any member of the class has suffered any actual harm from any alleged violation of BIPA. Given that the agreed value of the class’s injury is zero dollars, any award would be disproportional to such nonexistent harm.” Id. at *8-9.

Accordingly, BNSF seeks relief that the Court should enter judgment as a matter of law against Plaintiff and in favor of BNSF; or in the alternative, the Court should grant BNSF a new trial, or substantially reduce the damages award against BNSF.

The ball is now in Plaintiff’s court to respond to the motion. Further proceedings will then await the parties after full briefing of the post-trial motion.

Implications For Employers

BNSF’s filing of this motion indicates that the Company will not be going down (to the tune of $228 million) without a fight. The ultimate outcome of this motion, and any potential Seventh Circuit appeals, will be carefully scrutinized by both the plaintiff class action bar and businesses throughout Illinois and beyond.

Employers not only should continue to monitor this groundbreaking privacy class action lawsuit, but also ensure their strategic compliance plans are sufficient in regards to biometric privacy laws.

November 11, 2022November 14, 2022 by Gerald L. Maatman, Jr.

Illinois Federal Court Rejects Efforts To Dismiss BIPA Claims Involving Virtual Try-On Technology

By Gerald L. Maatman, Jr., Gregory Tsonis, and Kelly Bonner

Duane Morris Takeaways – In a significant decision for retailers, Judge Manish Shah of the U.S. District Court for the Northern District of Illinois recently denied in part Defendant Estée Lauder’s motion to dismiss proposed class action claims that its consumer “try-on” technology violated the Illinois Biometric Information Privacy Act (“BIPA”). The Court rejected Defendant’s personal jurisdiction argument, as well as claims that its website terms and conditions required Plaintiff to arbitrate her dispute, and that Plaintiff lacked standing to sue on behalf individuals that used websites Plaintiff herself did not visit. In a decision entitled Kukovec v. The Estée Lauder Companies, Inc., Case No. 22-CV-1988 (N.D. Ill.), the Court determined, however, that Plaintiff did not sufficiently plead that the cosmetics giant intentionally or recklessly violated consumers’ biometric privacy rights, and thereby dismissed those claims. The ruling in Kukovec illustrates the ongoing legal risks for retailers in using “try-on” tech to enhance customer service.

Case Background

Too Faced Cosmetics, a cosmetics brand owned by Defendant Estée Lauder, operates a website featuring a try-on function to allows shoppers to virtually test its products. When a shopper clicks a “Try It On” button, a pop-up box appears containing a disclaimer informing the shopper that their “image will be used to provide you with the virtual try-on experience” and a link to a privacy policy. Id. at 4. If the shopper selects the “Live Camera” option, the user’s computer camera is activated and the product is overlaid on part or all of the user’s face. Id.

Plaintiff, an Illinois resident, alleged that Defendant’s try-on tool violated Section 15(b) of the BIPA by capturing users’ facial geometry without informing them how that data is collected, used, or retained. Id. at 6. Plaintiff also alleged that Defendant lacked a publicly-available written policy establishing how long such data is retained and when it is destroyed, in violation of Section 15(a) of the BIPA. Id. Plaintiff filed a putative class action lawsuit against Defendant, seeking to represent a class of individuals that used the virtual try-on tool not just on the Too Faced website, but also four other websites for Defendant’s other brands. Id. Defendant removed the case to federal court based on diversity jurisdiction and the Class Action Fairness Act, then moved to dismiss the complaint.

The Court’s Ruling On Defendant’s Motion To Dismiss

Defendant sought to dismiss Plaintiffs’ claims on four grounds, three of which the Court fully rejected.

First, Defendant argued that the Court lacked personal jurisdiction over it since its “Try On” tool was “geography neutral,” did not target Illinois consumers, and the mere accessibility of the tool to Illinois consumers lacked the substantial connection to Defendant’s sale of cosmetics and employees in Illinois. Id. at 8. The Court rejected this “overly narrow” interpretation of personal jurisdiction. It held that “[t]he try-on tool is part of [Defendant’s] cosmetics marketing and sales strategy,” since those that use the tool are also presented with buttons to add the products to their cart or send as a gift. Id. at 9.

Second, Defendant argued that venue was improper because Plaintiff’s claims were subject to arbitration pursuant to a provision in its website’s terms and conditions. Id. at 11. Central to the issue of whether Plaintiff had constructive knowledge of the arbitration agreement was whether the terms and conditions were presented in “clickwrap” form, where a customer has to affirmatively check a box to assent (as courts generally uphold such assent), or “browsewrap” form, where a customer’s continued use of a website is taken as passive assent (and which require more detailed analysis). Defendant’s website contained both clickwrap and browsewrap forms, but the Plaintiff only visited pages with browsewrap forms. Id. at 12. Users of the virtual try-on tool received a pop-up notification that had Too Faced’s privacy policy, not its terms and conditions, though the privacy policy contained a link to the terms and conditions. Id. On other pages, the terms and conditions were presented at the bottom of webpages “in the middle of fifteen links to other pages on the site and six links to social media platforms. . .” Id. The Court held such a website design insufficient to provide constructive notice, since a customer “could easily try the tool without once confronting the terms-and-conditions link.” Id. at 14. Further, the Court rejected Defendant’s argument that the Plaintiff had constructive notice because she recently filed two other BIPA-related lawsuits against TikTok and L’Oréal, noting that a website user “is not automatically on notice that any website she visits likely has terms and conditions just because she’s visited other websites that have them.” Id. at 15. Accordingly, the Court held that Plaintiff lacked constructive knowledge and that the arbitration clause could not be enforced against her.

Third, Defendant also sought to dismiss the complaint on the basis that it provided only “conclusory legal statements” and lacked sufficient facts establishing that Defendant captured users’ facial geometry, collected biometric data, or acted negligently, recklessly, or intentionally under the BIPA. Id. at 16. The Court disagreed. It found that the complaint “alleged enough to infer” that Defendant captured Plaintiff’s biometric information and “no intermediary separated the defendant from the collection of plaintiff’s facial geometry.” Id. at 17. However, since recklessness and intentionality require a specific state of mind that Plaintiff did not allege, the Court dismissed Plaintiff’s claims for reckless or intentional conduct, but allowed Plaintiff an opportunity to amend her complaint. Id. at 18.

Finally, Defendant contended that since Plaintiff did not use the websites of its four other brands that utilize the virtual try-on tool, she lacked standing to sue on their behalf. The Court noted that because no class had been certified, yet Defendant’s argument was premature. The Court reasoned that plaintiff “alleges an injury from a technology deployed across multiple websites” and that standing exists because Plaintiff’s injury “can be redressed by a decision in her favor.” Id. at 20.

Implications For Companies Using Biometric Equipment

By allowing consumers to “try-on” products in a virtual environment, retailers increasingly rely on biometric data to provide hyper-personalized services and recreate the real-world shopping experience for the virtual world. But as the popularity of try-on technology grows, so too does the legal risk from biometric data privacy lawsuits. Since 2019, numerous retailers have been sued for violating the BIPA and other state biometric privacy laws for their use of try-on tech and other digital tools to personalize consumer recommendations. The Kukovec decision highlights how new technologies expose companies to costly litigation, even when they take steps to notify consumers or mandate arbitration. Companies should consider how they notify customers regarding try-on technology, ensure that their privacy policies stay current with evolving legislation and competing definitions of “biometric data,” and implement proper safeguards and consent processes.

October 13, 2022October 17, 2022 by Class Action Defense

$228 Million Judgment Entered In First Ever BIPA Class Action Trial Before A Chicago Jury

By: Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Synopsis: In Rogers v. BNSF Railway Co., Case No. 19-CV-03083 (N.D. Ill.), the first federal court jury trial in a case brought under the novel Illinois Biometric Information Privacy Act (“BIPA”), the plaintiffs secured a verdict in favor of the class of 45,000 workers against Defendant BNSF. After a week-long trial in the U.S. District Court for the Northern District of Illinois in Chicago, the jury found that BNSF recklessly or intentionally violated the law 45,600 times, based on the defense expert’s estimated number of drivers who had their fingerprints collected. The Court thereafter entered a judgment against BNSF for $228 million.

This landmark verdict showcases the potentially devastating impact of the BIPA statute on unwary businesses across the state of Illinois that collect, use, or store biometric information.

Case Background

Plaintiff, a truck driver, filed a class action lawsuit alleging that BNSF unlawfully required drivers entering the Company’s facilities to provide their biometric information through a fingerprint scanner. He claimed that BNSF collected the drivers’ fingerprints without first obtaining informed written consent or providing a written policy that complied with the BIPA and therefore violated sections 15(a) and (b) of the BIPA. BNSF argued that it did not operate the biometric equipment and instead sought to shift blame to a third-party vendor who operated the biometric equipment that collected drivers’ fingerprints.

The trial lasted five days. However, the jurors deliberated for just over an hour. The jurors were asked to: (1) indicate on the verdict form whether they sided with Plaintiff, and (2) if so, indicate how many times BNSF violated the BIPA negligently or how many times the company violated the statute recklessly or intentionally.

The BIPA provides for damages of $1,000 for every negligent violation, and up to $5,000 in liquidated damages for every willful or reckless violation. At the conclusion of the trial, the jury found that BNSF recklessly or intentionally violated the law 45,600 times. Accordingly, the Court entered a judgment against BNSF in the amount of $5,000 per violation, for a total amount of $228 million.

Implications For Employers

This verdict undoubtedly will embolden the plaintiffs’ class action bar and equally serve as an eye opener for businesses in Illinois. In the short term, companies can expect an uptick in the number of BIPA class actions filed by the plaintiffs’ bar. While it is almost certain that the verdict will be challenged in post-trial motions and in an appeal, companies can expect that plaintiffs’ lawyers will increase their settlement demands in other BIPA class actions.

The BIPA vastly increases the importance of adopting a strategic compliance plan for businesses that operate in Illinois. It is more important than ever for companies to implement proper mechanisms and consent forms to comply with the BIPA.

September 27, 2022 by Gerald L. Maatman, Jr.

Biometric Privacy, Plasma & Preemption: Illinois Federal Court Issues Another Pro-Plaintiff Ruling

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Takeaways: In Vaughan v. Biomat USA, Inc. et al, Case No. 20-CV-4241, 2022 U.S. Dist. LEXIS 168497 (N.D. Ill. Sept. 19, 2022), Judge Marvin Aspen of the U.S. District Court for the Northern District of Illinois issued the latest plaintiff-friendly decision under the Illinois Biometric Information Privacy Act (“BIPA”), holding that federal regulations relating to plasma collection do not preempt the BIPA. For employers looking to craft novel defenses in response to the recent onslaught of biometric privacy class action litigation, this ruling represents another impediment to a potential defense strategy. Continue reading “Biometric Privacy, Plasma & Preemption: Illinois Federal Court Issues Another Pro-Plaintiff Ruling”