In a landmark decision, U.S. District Judge Matthew Kennelly vacated a $228 million damages award in Richard Rogers v. BNSF Railway Co., the first case tried to a verdict under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.), and ordered a new jury trial limited to the question of damages. (See full Opinion and Order here.) The Rogers ruling applies the Illinois Supreme Court’s decision in Cothron v. White Castle System, Inc. finding that the amount of damages in a BIPA action is discretionary, not mandatory. A jury will ultimately exercise that discretion in a subsequent trial on damages.
The Rogers v. BNSF Railway Co. Underlying Verdict and Judgment
In the Rogers case, lead plaintiff Richard Rogers sued BNSF on behalf of a class of about 45,000 truck drivers. Rogers claimed the BNSF illegally required truck drivers to scan their handprints to verify their identity when entering secured railyards, and that the BNSF did not first obtain their consent or provide them with notice about what might happen with their scanned prints. Following a five-day trial, the jury took approximately one hour to find in favor of Rogers and the certified class of truck drivers.
Importantly, the jury was only tasked with determining whether BNSF violated the Act and, if so, the number of times BNSF violated the Act negligently or recklessly/intentionally. Under BIPA, the distinction between a negligent violation and a reckless or intentional violation is significant. BIPA provides for an award of $1,000 for each negligent violation of the Act (740 ILCS 14/20(1)), while the award of liquidated damages increases to $5,000 for each reckless or intentional violation of the Act (740 ILCS 14/20(2)). The jury found that BNSF recklessly or intentionally violated BIPA 45,600 times—an amount equal to the defense expert’s estimated number of truck drivers in the class whose fingers were scanned from April 4, 2014 through January 25, 2020.
Following the jury’s verdict, Judge Kennelly performed a straightforward calculation by multiplying (i) 45,600 (i.e., the number of times the jury found that BNSF recklessly or intentionally violated BIPA) by (ii) $5,000 (i.e., the award amount allowed by the Act for each reckless or intentional violation)—resulting in an award of damages of $228 million.
Vacating the Rogers’ Judgment
Approximately four months after Judge Kennelly entered the Rogers’ judgment, the Illinois Supreme Court issued its ruling in Cothron, in which it found “that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).” Cothron v. White Castle Sys., Inc., 2023 IL 128004, ¶ 1. In addition to this holding, the Supreme Court in Cothron observed that it “appears” the General Assembly made “damages discretionary rather than mandatory under the Act.” Id. ¶ 42. BNSF filed post-trial motions, which included a request for a new trial or to amend the amount of damages in the judgment based on the Illinois Supreme Court’s statement in Cothron that the 5,000 per violation liquidated damages amount “appears” to be discretionary.
The Rogers court’s analysis began by examining the plain language of BIPA and noted that the Act does not include any statutory language indicating that the “liquidated damages” amounts were intended to be a range. The Rogers court’s analysis then relied on the dicta in the Cothron ruling as an indication of how the Illinois Supreme Court would likely decide the issue and found that damages under Section 20 of BIPA are discretionary. The Rogers court then vacated the prior award of damages and ordered a new trial in which the jury will determine only the appropriate amount of damages based on the jury’s prior factual finding that BNSF recklessly or intentionally violated BIPA 45,600 times.
The Rogers Ruling’s Impact on Your Business
The impact of the Rogers Court vacating the prior judgment is significant in at least two respects. First, the ruling definitively finds that damages under BIPA are discretionary. This holding is a sharp deviation from the standard BIPA damages analysis, which often assumes an absolute application of the $1,000 or $5,000 liquidated damages amounts contained in the Act. The possibility of a damages calculation independent of the liquidated damages amounts set out in the statute may be helpful to BIPA defendants in settlement negotiations. Second, neither the Cothron decision nor the Rogers ruling provides any guidance as to what factors or criteria should be utilized in calculating damages under BIPA, including whether a finder of fact should consider whether any of the class plaintiffs suffered any actual harm by way of a data breach or other compromising event. In that regard, it remains unclear as to how the jury in the upcoming Rogers retrial will be instructed to exercise its discretion in determining the amount of damages. Despite the uncertainty of how the jury will calculate BIPA damages, it is likely that this future calculation will serve as a baseline during settlement negotiations of pending and future BIPA claims.
Ultimately, every business should perform a critical analysis as to any business practice that potentially concerns biometrics—including employee timekeeping, identification procedures or security protocols. The failure to fully comply with BIPA, even when such a failure results in no actual injury to an individual, may lead to significant liability.