To say that class action litigation regarding the use or collection of “biometric information” – such as fingerprints, face records, or voice records – is expensive would be a gross understatement.  The damages sought, and sometimes recovered, in litigation under the Illinois Biometric Information Privacy Act and similar laws that impose statutory penalties can be truly shocking.  And, if a recent complaint under a Portland, Oregon city ordinance and a jury verdict in Illinois are indicative, there is no immediate sign that this trend will reverse.

First Ever Lawsuit Under Portland Facial Recognition Ordinance Seeks $10 Million

On December 1, 2022, plaintiffs Brian Norby and Jacqueline May filed the first ever lawsuit alleging a violation of the City of Portland, Oregon’s ban on the use of face recognition technologies, Code of the City of Portland, Oregon, Chapter 34.10 (“Facial Recognition Ordinance”).  The Facial Recognition Ordinance became effective on January 1, 2021, and broadly bans the use of facial recognition technologies by private entities in public accommodation.  For an analysis of this ordinance, and how to comply with it, see our previous article here.

Norby and May allege that on January 5, 2021, days after the ordinance became effective, each visited the same convenience store owned by Jacksons Food Store (“Jacksons”) and each was subjected to the use of facial recognition technology in violation of a “statutorily protected right to privacy.”  Norby and May do not allege any other specific damages, and they allege that Jacksons used this technology in just three of its Portland, Oregon stores.  Nevertheless, Norby and May seek certification of a class action of all individuals “exposed to Facial Recognition Technologies when they visited Jacksons store location in Portland, Oregon.”  They then claim statutory damages of $1,000 per day for each violation of the Facial Recognition Ordinance.  In all, they estimate these amounts to be $10,000,000, and they also seek to recover attorneys’ fees and expenses.  

First Ever Class Action Jury Verdict under BIPA Results in $228 Million Award

If the damages in the suit under the Portland ordinance seem implausible, an Illinois jury and court, ruling on a suit under the Illinois Biometric Information Privacy Act (“BIPA”), suggest otherwise.  The BIPA regulates the collection and use of biometric information, and, in many ways, serves as a template for the Portland Facial Recognition Ordinance and other similar laws.  A discussion of this statute is available here.  Many suits have been filed under the BIPA, but it wasn’t until earlier this year that the first such case, Roger v. BNSF Railway Co., went to a jury trial.

Rogers was first filed in April 2019 in Illinois state court and was removed to federal court in the Northern District of Illinois.  In the complaint, the plaintiff sought to represent a class of more than 44,000 truck drivers who visited facilities owned by BNSF, a national railyard owner and operator.  The suit alleged that BNSF required drivers who visited its railyards to provide biometric identifiers in the form of fingerprints and hand geometry to access BNSF’s facilities and violated BIPA by (i) failing to inform class members that their biometric identifiers or information were being collected or stored, (ii) failing to inform class members of the specific purpose and length of term for which the biometric identifiers or information were being collected, and (iii) failing to obtain written consent prior to collection. BNSF noted that a third party, not BNSF, collected the information and that it had no knowledge of the collection.  The jury disagreed.  After a five-day trial and just one hour of deliberation, the jury found that BNSF recklessly or intentionally violated BIPA more than 45,000 times.  The court then applied BIPA’s damages provision and entered a judgment of $228 million, not including attorney’s fees. BNSF has stated it will appeal, and the parties have exchanged settlement proposals to finally resolve the matter. 

Any Recourse?

A recent case from the Ninth Circuit suggests that courts might narrow disproportionate awards of statutory damages in some cases.  In Wakefield v. Visalus, a case brought under the Telephone Consumer Protection Act, the court held that an aggregate award that is “wholly disproportionate” and “obviously unreasonable” in relation to the goals of a statute and the conduct the statute prohibits can violate due process.  In these extreme cases, a damages award can, and should, be reduced.  But such a holding has never applied to a case under a biometric statute, and its broad impact is unclear. 

The best recourse is, therefore, proactive: any business that uses or collects biometric information should make sure that it understands and complies with the requirements of all relevant laws.  The consequences of failing to take these preventative measures could be significant.

About the Global Privacy & Security Blog

Learn More

Contracts, laws and regulations require privacy compliance, and good business practices demand it. This blog is designed to inform our clients and readers about developing privacy issues and regulatory updates, and provide alerts on cyber security stories and data breaches that impact various data privacy and security requirements.