Illinois’ highest state court has again turned aside an effort by businesses to limit the reach of the state’s biometrics privacy law, a statute that has spawned thousands of class action lawsuits against employers and other businesses, generating a steady windfall of fees for plaintiffs’ lawyers.
On Feb. 2, the Illinois Supreme Court ruled the Biometric Information Privacy Act should be governed by a five-year, rather than one-year statute of limitations. The ruling keeps open the door for plaintiffs to demand much greater financial damages.
The ruling turned aside an effort by trucking and logistics company Black Horse Carriers to significantly reduce its potential payout under a class action lawsuit brought by employees Jorome Tims and Isaac Watson.
James Zouras
The plaintiffs, represented by attorneys with the Chicago law firm of Stephan Zouras, claimed the company had violated the BIPA law in the way it required workers to scan fingerprints to verify their identity when punching the clock at work.
The lawsuit asserted Black Horse should have been required to first obtain their employees’ written consent before scanning their fingerprints, and should have provided written notices to the employees about how their scanned fingerprints would be stored, used, shared and ultimately destroyed.
The lawsuit also asserts Black Horse allegedly improperly shared the fingerprints with its third-party payroll vendor.
The lawsuit was roughly similar to thousands of similar class action complaints lodged in Cook County Circuit Court and other Illinois courts, seeking potentially big payouts from employers and other businesses under the BIPA law.
Famously, the BIPA law has been used to bring class action lawsuits against social media and tech giants, including Facebook and Google. Those lawsuits asserted those companies had improperly “mapped” the faces of people whose photos had been uploaded to its platforms, without first securing written consent and providing notices to users.
The bulk of BIPA litigation, to date, however, has primarily targeted employers over employee fingerprint scans. Businesses require those scans typically to accurately track work hours and to control access to secure facilities or sensitive areas in a workplace requiring heightened security, like cash rooms or medicine lockers.
And the claims can be highly lucrative. The claims against Facebook and Google generated settlements worth hundreds of millions of dollars. And a mounting number of other BIPA class action settlements have resulted in payouts amounting to hundreds of thousands of dollars, up to $50 million.
Under the BIPA law, plaintiffs can demand damages of $1,000 to $5,000 per alleged violation, depending on their alleged severity. When multiplied across an entire workforce over many years, those damages could quickly mount into many millions or even billions of dollars, should a jury rule against the company.
That risk was on display in 2022, when a jury in Chicago federal court ordered railway operator BNSF to pay $228 million to about 45,000 truck drivers who claimed they had been improperly required to scan their fingerprints when entering BNSF railyards in Illinois.
While BNSF has appealed that verdict, plaintiffs’ lawyers in that case have argued the verdict was too low, and should have been around $800 million or more.
Faced with such financial risk, which lawyers for defendants have characterized as potentially “crippling,” businesses and their advocates have struggled to find ways to effectively defend themselves against such lawsuits.
Illinois Democratic lawmakers, who dominate Springfield and are heavily funded by campaign donations from trial lawyers, have turned a deaf ear to pleas from the business community to soften the law to keep in place privacy protections, but end the alleged abuse of the statute in these class actions.
And the Illinois Supreme Court and other courts have, to date, largely shot down attempts by businesses to mount legal defenses in court.
Notably, the state high court ruled in 2019 that plaintiffs don’t need to prove they ever suffered any actual harm to bring potentially massive class action claims. That decision all but opened the floodgates in court, with hundreds of new class actions against businesses of all types flowing in since.
Some attempts at defense remain pending. The Illinois Supreme Court is scheduled to soon rule on arguments advanced by fast food chain White Castle that alleged violations of the BIPA law only occur on the first allegedly illegal biometric scan. Plaintiffs have argued the law should be read to force businesses to pay up to $5,000 for each time someone has their biometrics scanned. That could mean employers could face four claims or more, per day, for every employee using a fingerprint to punch the clock, amounting to potentially "astronomical damages."
But in its most recent ruling, the state high court said companies can’t reduce the number of years in which those BIPA violations can be claimed.
In the lawsuit against Black Horse, like nearly all others, plaintiffs sought to press their claims under a five-year statute of limitations. That means the class action would include all workers who were required to scan fingerprints within the five years before the lawsuit was filed.
The BIPA law itself contains no statute of limitations.
The plaintiffs argued, therefore, Illinois’ so-called “catch-all” 5-year statute of limitations should apply.
Black Horse, however, said the more proper statute of limitations should be one year, as found in state law governing disclosure of secret information and defamation. They argued the dispute over improper disclosure of fingerprint scans amounts to claims that the company improperly “published” protected biometric data.
"Maintaining secrecy is the essence of the action, which is why the complaint specifically cites both the actual exposure of plaintiffs’ biometric information to third parties and plaintiffs’ 'ongoing' concern that defendant’s failure to properly safeguard their biometric data will result in further disclosures," Black Horse asserted.
In addition, Black Horse said the BIPA law "focuses on preserving a plaintiff’s ability to control the secrecy of their biometrics."
Judges, however, took a dim view of that argument. Cook County Judge David Atkins rejected Black Horse’s motion to dismiss on those grounds, and that decision was largely upheld by the Illinois First District Appellate Court.
A unanimous Illinois Supreme Court also sided with the plaintiffs on the statute of limitations question.
Justices conceded certain language within the law “could be defined as involving publication and would fall within the purview of the one-year limitation period … as ‘publication of matter’ violating a privacy right.”
But the justices said they still did not buy that argument for BIPA.
“… When we consider not just the plain language of (of the law) but also the intent of the legislature, the purposes to be achieved by the statute, and the fact that there is no limitations period in the Act, we find that it would be best to apply the five-year catchall limitations period,” the justices wrote.
The justices noted Illinois state lawmakers, when approving the BIPA law in 2008, gave “extensive consideration … to the fears of and risks to the public surrounding the disclosure of highly sensitive biometric information.” So, they said, it would “thwart legislative intent” to allow defendants to use the law’s language to shorten the amount of time in which plaintiffs can bring suit and shorten the amount of time for which companies could be made to pay for allegedly violating technical provisions of the law.
“… The full ramifications of the harms associated with biometric technology is unknown, and absent the Act’s protections, it is unclear when or if an individual would discover evidence of the disclosure of his or her biometrics in violation of the Act,” the justices wrote. “Moreover, a shorter limitations period would prejudice those whom the Act is intended to protect.”
The opinion was authored by Justice P. Scott Neville. Chief Justice Mary Jane Theis and justices David K. Overstreet, Lisa Holder White and Joy V. Cunningham concurred.
The court’s two recently elected justices Elizabeth M. Rochford and Mary K. O’Brien did not participate in the decision.
The case had been argued in September. In the months since, four members of the court who heard arguments in the case have either retired or been defeated at the ballot box.
Cunningham was appointed to replace retired Justice Anne M. Burke. Holder White was appointed to replace retired Justice Rita B. Garman. O’Brien defeated former Justice Michael Burke. And Rochford was elected to an open seat, essentially replacing retired Justice Robert L. Carter.
represented by Ryan F. Stephan, James B. Zouras, Paige L. Smith, Teresa M. Becvar and Catherine T. Mitchell, of the Stephan Zouras firm, of Chicago.
Black Horse is defended by David M. Schultz, John P. Ryan, Joshua G. Vincent and Louis J. Manetti Jr., of Hinshaw & Culbertson, of Chicago.
The case also drew interest from outside organizations concerned about the outcome.
The Illinois Trial Lawyers Association, the Illinois chapter of the National Employment Lawyers Association and the Employment Law Clinic filed friend-of-the-court arguments for the plaintiffs.
The Illinois Chamber of Commerce filed friend-of-the-court arguments in support of Black Horse.