BIPA defendant ordered to produce per-scan damages data
By David J. Oberly, Biometric Privacy & Data Privacy Attorney
In February 2023, the Illinois Supreme Court issued its decision in Cothron v. White Castle Sys., Inc., 2023 IL 128004, allowing plaintiffs in Illinois Biometric Information Privacy Act (BIPA) class action suits to recover statutory damages for each instance of BIPA non-compliance, as opposed to only the first violation. Cothron completely altered the biometrics legal landscape, paving the way for astronomical damages in BIPA disputes, while also spiking the already-inflated value of BIPA claims exponentially.
Just recently—and pursuant to Cothron—an Illinois federal court compelled the production of damages data for purposes of calculating per-scan statutory damages in Fleury v. Union Pac. R.R. Co., No. 20 CV 390, 2023 U.S. Dist. LEXIS 221741 (N.D. Ill. Dec. 13, 2023). The Fleury decision serves as an important reminder of the need for strict compliance with BIPA when using biometrics today, while also providing several additional key takeaways for companies that utilize this advanced technology in commercial operations.
The Fleury Decision
David Fleury, a truck driver who was required to scan his fingerprint into a biometric identity verification device to enter the railyards of Union Pacific Railroad Company, sued the railroad on behalf of himself and a class of 42,000 similarly situated truck drivers for alleged violations of BIPA Sections 15(a), 15(b), and 15(d). Shortly before the parties’ discovery period was set to expire, the plaintiff filed a motion to compel the production of damages data to demonstrate how many times the defendant scanned the fingerprints of truckers who used the company’s biometric scanner in Illinois.
In support of his motion to compel, the plaintiff argued that pursuant to Cothron, BIPA provides for liquidated damages “for each violation of the statute,” making evidence of each time members of the putative class had their fingerprints scanned when entering the railroad’s facilities necessary to establish the full extent of statutory damages at issue in the dispute.
Conversely, the defendant argued that Cothron left open the issue of “per scan” damages, holding that it is the trier of fact’s obligation to exercise his or her “discretion to fashion a damages award that (1) fairly compensate[s] claiming class members and (2) include[s] an amount designed to deter future violations, without destroying the defendant’s business.” See id. at *6 (citing Cothron, 2023 IL 128004, at ¶ 42). The railroad further contended that BIPA damages are discretionary and, as a result, the damages data sought by the plaintiff was irrelevant and beyond the scope of discovery.
The court sided with the plaintiff, granting the motion to compel and requiring the railroad to produce information relating to the issue of per-scan damages—specifically, data as to each time a member of the putative class used a scanner at one of the defendant’s Illinois gates.
Analysis and takeaways
Impact of granular damages data in BIPA class actions
The first major takeaway from the Fleury decision pertains to the court’s application of Cothron in the context of BIPA damages evidence.
The Fleury court reasoned that pursuant to Cothron—which decided that “a separate claim accrues under [BIPA] each time a private entity scans or transmits an individual’s biometric identifier or information in violation” of BIPA—per-scan damages evidence is discoverable because it is relevant to ascertaining the amount of damages sustained by members of a putative class due to purported non-compliance with BIPA. Id. at *3, 15-16. In addition, the court also reasoned that production of this evidence offered the additional benefit of giving the court concrete evidence to work with at later stages in the litigation, particularly in rendering inevitable rulings on damages, which further supported granting the plaintiff’s motion to compel.
Companies should take note of this willingness to mandate the production of extremely granular per-scan damages evidence in BIPA class actions, as such evidence will allow plaintiff’s counsel to fashion precise damages figures in support of the exorbitant settlement demands that have become commonplace in BIPA disputes today.
Not only that, but the wide latitude given to plaintiffs in pursuing this type of evidence will likely raise the cost of discovery by a significant margin for companies that are unable to procure the early dismissal of BIPA class actions—which has proven to be a herculean task due to the extremely low bar that courts have set for plaintiffs to avoid dismissal at the pleading stage.
Scope of potential liability exposure for BIPA non-compliance
The second major takeaway from Fleury relates to the court’s discussion of statutory damages under Cothron’s continuing violation theory of claim accrual, which illustrates the tremendous liability exposure faced by companies for mere technical non-compliance with Illinois’s biometrics law.
BIPA’s private right of action permits the recovery of $1,000 for each negligent violation, and $5,000 for each intentional or reckless violation, of the law. 740 ILCS 14/10. In Fleury, the court highlighted that—based on the plaintiff’s contention that he scanned his fingerprint 45 times during the applicable limitations period—those purported BIPA violations amounted to between $45,000 to $225,000 in statutory damages for that single class member alone. Id. at *4.
When those figures are then multiplied by the 42,000 individuals that comprised the putative class of truck drivers in Fleury, that figure skyrockets to a spread of $1.89 and $9.45 billion in total potential liability exposure. See id. Notably, these damages calculations only pertain to violations arising from the non-compliant collection of biometric data (the focus of BIPA Section 15(b)), but do not factor in the additional damages resulting from the improper disclosure of such data (the subject of Section 15(d)).
Rejection of “Hash” or “Hex” data argument
Lastly, the Fleury decision serves as a cautionary tale regarding the crosshairs companies put themselves in by attempting to take the position that their biometric technologies or related processing activities do not implicate “biometric identifiers” or “biometric information” as those terms are defined in BIPA because the data generated by such technologies is thereafter converted into some other piece of information, such as a series of numbers and letters (sometimes referred to as “hash” or “hex” data), or a mathematical representation.
In Fleury, the railroad argued that its fingerprint scanner did not implicate biometric identifiers or biometric information—thus obviating the company from compliance with BIPA—because its technology only generated “hex data,” i.e., numbers and letters, which (according to Union Pacific) was not a “fingerprint” and could not be rendered into a fingerprint. Id. at *11-12.
The court flatly rejected this argument, reasoning that since the railroad’s technology featured code that converted fingerprint images into readable data by a computer, there was also very likely code that could convert that data back into a fingerprint image useful to the human eye. More important than that, the court continued, the computer data from an initial fingerprint scan necessarily had to be compared to each subsequent scan, meaning that some type of active comparison or live match had to be completed while a truck driver had his/her finger on the scanner to convert the fingerprint scan into something the technology could use to compare it to the data the system already had on file. Id. at *13-15.
Taken together, this was sufficient for the court to conclude that the defendant’s biometric technology engaged in the collection of “fingerprints,” an enumerated form of biometric identifier under BIPA. In turn, the railroad was unable to escape liability merely because truck drivers’ fingerprint scans were thereafter converted into a different form of computer data. Id. at *15-16.
The reasoning set forth in Fleury comports with other courts that have analyzed this same argument. For example, in Rivera v. Google Inc., the court explained that regardless of what a company does in manipulating or converting a biometric identifier into a different form of data, “the resulting information is still covered by [BIPA] if that information can be used to identify the person.” 238 F. Supp. 3d 1088, 1094 (N.D. Ill. 2017).
To avoid the significant risks that accompany a strategy of this nature, companies should consider taking a more conservative approach when using biometrics—one that ensures all applicable BIPA requirements are satisfied—even where it is not definitively clear that the data generated through biometric technology falls under the scope of Illinois’s biometrics statute.
The final word
Fleury does not break any new ground in the BIPA class action litigation space, but the decision nonetheless drives home the importance of maintaining compliance with Illinois’s biometrics statute when using any type of biometric technology or, alternatively, supplying such technology for use by customers in their commercial operations.
As we head into 2024, now is the perfect time for companies to consult with experienced biometrics counsel to review their current organizational biometrics practices and implement any necessary modifications to their compliance programs to remediate any compliance gaps or deficiencies.
About the author
David J. Oberly is Of Counsel in the Washington, D.C. office of Baker Donelson, and a member of the firm’s Biometric Privacy, Artificial Intelligence, and Data Protection, Privacy & Cybersecurity practices. Recognized as “one of the nation’s foremost thought leaders in the biometric privacy space” by LexisNexis, David’s practice focuses on counseling and advising clients on a wide range of biometric privacy, artificial intelligence, and data privacy/security compliance and risk management matters. In addition, David has deep experience in litigating bet-the-company BIPA class action disputes. He is also the author of Biometric Data Privacy Compliance & Best Practices—the first and only full-length treatise of its kind to provide a comprehensive compendium of biometric privacy law. He can be reached at email@example.com. You can follow David on X at @DavidJOberly.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.