On October 12, 2022, a federal jury in the U.S. District Court for the Northern District of Illinois concluded that a company violated the Illinois Biometric Information Privacy Act (Privacy Act or BIPA) 45,600 times over six years by collecting truck drivers’ fingerprints to verify identities without the informed, written consent the Privacy Act requires. This is the first jury verdict rendered under the Privacy Act following a spike in class action filings under the statute.
Responding to the questions assigned, the jury determined the company’s violation of the statute was intentional or reckless and that it violated the Privacy Act 45,600 times, a figure consistent with the class of independent contractor truck drivers whose fingerprints were scanned between April 4, 2014, and January 25, 2020, applying a five-year statute of limitations from the date the complaint was filed on April 4, 2019. The jury did not differentiate between pre-complaint violations and post-complaint violations. Thus, the jury seemingly based its finding on the drivers’ last actual fingerprint scan, which presumably occurred after the initial complaint was filed on April 4, 2019, rather than the date on which the company initially collected the drivers’ fingerprints.
Following the jury’s findings, the federal judge assigned to the case awarded $5,000 in liquidated damages for each intentional or reckless violation. Hence, the plaintiff-class received a judgment totaling $228 million.
What Is the Privacy Act?
The Privacy Act is an Illinois law enacted in 2008 that governs the use, collection, and storage of biometric data, including retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry. The Privacy Act contains five sections, requiring each private entity that uses, collects, or stores biometric data to:
- “develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric [data]” in their possession;
- receive written, informed consent prior to obtaining biometric data;
- refrain from “sell[ing], leas]ing], trad[ing], or otherwise profit[ing]” from biometric data;
- refrain from disclosing or disseminating biometric data, subject to certain exceptions; and
- “store, transmit, and protect from disclosure all biometric [data]” in a manner at least as protective as it “stores, transmits, and protects other confidential and sensitive information.”
The Privacy Act provides that a prevailing party may recover actual damages or liquidated damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation, whichever is greater, in addition to injunctive relief, attorneys’ fees and costs, and expert witness fees and other litigation expenses.
Privacy Act Cases Currently Pending Before the Illinois Supreme Court…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
