Although the motivation behind the Illinois Biometric Information Privacy Act – to protect individuals from having their unchangeable, biometric identities stolen or sold to the highest bidder – is noble, the class action litigation that has ensued is a nightmare. For large companies, the alleged damages can be in the millions or billions of dollars, even without a single injured plaintiff in the class. For small companies, a BIPA lawsuit can mean the end of the business. And for defense attorneys, there have been very few strategies for effectively defending a client caught unaware of the statutory requirements.
A few of the high-profile class settlements show the broad scope of this law. In 2020, Facebook settled for $650 million, and TikTok settled for $92 million, in actions brought by their respective users based on facial recognition technology. More recently, in early 2021, Walmart settled for $10 million in a lawsuit based on employees’ use of a palm scanner when checking out and returning cash register drawers.
The Walmart case may be the largest settlement in an employment-based BIPA case and is remarkable for a few other reasons. Walmart allowed employees to use either the palm scanner or a personal identification number, stopped using the palm scanner altogether in 2018, deleted all of the data collected during the time period that the scanner was in use, and argued that there was no actual injury to any putative class member. Nonetheless, the court denied Walmart’s motion to dismiss the lawsuit, and the parties engaged in discovery and multiple mediations before reaching a resolution. According to the motion for preliminary approval of class action settlement, Walmart identified 21,677 employees who used the palm scanner without first signing a written consent form.
Whether the size and pace of these cases will continue may depend on the rulings in two highly anticipated appeals. The one expected to be released first, Tims v. Black Horse Carriers, Inc., No. 1-20-0562, asks the Illinois Appellate Court to determine whether the one-year statute of limitations for privacy claims applies to claims brought under the BIPA. (Many state and federal trial courts have instead applied the five-year “catch-all” statute of limitations in BIPA cases.) One indication that the short statute of limitations may apply came this past May. The Illinois Supreme Court ruled in West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan Inc., that an insurer must defend a tanning salon against a customer's BIPA claims, because the proposed class action alleged a privacy violation that was potentially covered under the salon's general liability policy. The Court’s discussion of the BIPA as a privacy statute suggests that the one-year statute of limitations may apply.
The second appeal to watch is McDonald v. Symphony Bronzeville Park, LLC, No. 1-19-2398. In McDonald, the Illinois Supreme Court has been asked to determine whether the state Worker’s Compensation Act preempts the BIPA in the employment context. The Appellate Court said no, but if the Supreme Court rules otherwise, employers might be able to assert a complete defense to BIPA suits brought by employees. Such a decision would have no effect on the consumer class action cases brought against Facebook, Six Flags and others, but it would be excellent news for employers.
In the meantime, employers who have not yet been targets of BIPA lawsuits should make sure they are in compliance with the notice, consent, and data retention requirements of the statute. For those who have already been sued, there is hope that one of the pending appeals will result in a ruling that finally provides some relief to employers.