Analyzing Biometric Data Privacy Class Action Settlements
The use of biometric data such as facial scans and fingerprints has proliferated in recent years in marketing, cybersecurity, and other applications. Concerns about how biometric data is collected, stored, and used have proliferated as well. For example, last year, the Federal Trade Commission released a biometric information policy statement “warning that the increasing use of consumers’ biometric information and related technologies, including those powered by machine learning, raises significant consumer privacy and data security concerns and the potential for bias and discrimination.”
Furthermore, several states have enacted laws governing biometric data privacy and misuses of biometric information. The most stringent of these is Illinois’ Biometric Information Privacy Act (BIPA). Passed in 2008, BIPA applies to all entities operating in Illinois and regulates the collection, storage, disclosure, transmission, and deletion of biometric data. BIPA also provides for a private right of action as well as statutory damages of $1,000 per “negligent” violation and $5,000 per “reckless” violation.
Several notable decisions in recent years have driven an increase in the number of private class actions brought under BIPA. In January 2019, the Illinois Supreme Court ruled in favor of plaintiffs in Rosenbach v. Six Flags Entertainment Corporation, finding that a BIPA claim could proceed even if the violation in question did not cause “actual injury.” The Court further determined that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act.” The effect of this ruling was substantial. Whereas between 2009 and 2018 there were fewer than five BIPA cases filed per year (on average), there have been at least 130 such cases filed in every year since 2019.
Decisions by the Illinois Supreme Court in several cases last year continued to substantially evolve the BIPA litigation landscape.
- In Cothron v. White Castle System, Inc., the Court ruled that BIPA claims accrue each time data is unlawfully collected or disclosed. This ruling clarified the interpretation of “per violation” to mean that if (for example) employees are using biometrics to clock in for each shift, a distinct “violation” occurred each time each employee “clocked in” and their data was collected.
- In Tims v. Black Horse Carriers, Inc., the Court ruled that a five-year, as opposed to a one-year, statute of limitations applies to BIPA claims.
- In Mosby v. Ingall, the Court considered BIPA's health care exemptions and determined that these exemptions are not restricted only to patients but also apply to employees.
Despite the proliferation of litigation involving BIPA claims, there has been little analysis of the economics of these cases. Only one BIPA case has gone to a verdict—the jury in Rogers v. BNSF Railway Company awarded plaintiffs $228 million in damages ($5,000 for each of the 45,600 times that driver fingerprints were allegedly registered)—but that damages award was later vacated. The rest of BIPA cases have been resolved through dismissal or settlement.
The limited research on settlements in BIPA class actions has focused on a small subset of “landmark” cases involving consumer harm—i.e., where the plaintiffs were the defendants’ customers. (Below, we refer to this type of case as involving “non-workplace” claims.) However, most BIPA cases do not make the headlines, and many involve plaintiffs that were the defendants’ employees—alleging that their employer had improperly collected and used their biometric information in the workplace. (Below, we refer to this type of case as involving “workplace” claims.)
We have compiled a unique database of over 100 BIPA settlements that have taken place since the initial 2019 ruling in Rosenbach. In our database, 22 percent of cases involve non-workplace claims, while 78 percent involve workplace claims. summarizes the number of settlements in each year since 2019.
Exhibit 1
BIPA Settlements By Year
Sizes of proposed classes brought under BIPA can vary substantially. Our analysis shows that the median size of classes involving workplace claims is approximately 777 people, and some classes comprise of fewer than 100 people. The median size of classes involving non-workplace claims is approximately 63,450 people, with some classes (e.g., users of popular social media platforms) consisting of millions of people.
In addition to being generally smaller, classes involving workplace claims tend to have higher settlements per class member. As we discussed above, BIPA provides for statutory damages of $1,000 per “negligent” violation and $5,000 per “reckless” violation. However, our analysis shows that the median settlement in workplace cases is $900 per class member, while the median settlement in non-workplace cases is $207. That is, on a per class member basis, the typical non-workplace settlement is only about 23 percent of the typical workplace settlement.
Exhibit 2 shows a distribution of workplace and non-workplace settlements.
Exhibit 2
Distribution of Settlements Per Class Member
As this exhibit shows:
- Almost two-thirds of non-workplace settlements were below $250 per class member, and 96 percent were below $750 per class member.
- In contrast, over 70 percent of workplace settlements were above $750 per class member, and 38 percent were above $1,000 per class member.
Our analysis also suggests that settlements have trended upward since the February 2023 Cothron v. White Castle System ruling. For example, for the 90 workplace settlements in our database:
- Prior to February 2023, approximately 34 percent of cases had per-class member settlements above $1,000. Since then, this share has increased to approximately 46 percent of settlements.
- Prior to February 2023, the average per-class member settlement amount was $838. Since then, the average per-class member settlement amount increased to $1,049, or approximately 25 percent more per class member.
While the data suggests an increase in BIPA settlements post-Cothron, legislation being considered by Illinois lawmakers may potentially reverse the trend. One measure being considered “would count biometric data repeatedly collected from the same person in the same way without consent as a single violation of the law rather than multiple violations,” while another would include a BIPA security exemption, among other provisions.” Depending on the Illinois legislature's course of action, trends may well shift again in 2024 and beyond.
There may also be lessons to be learned from biometric privacy cases that inform the economics of the building wave of cases in genetic privacy. Another Illinois statute—the Genetic Information Privacy Act (or “GIPA”) broadly relates to treatment of genetic information like genetic tests of an individual or an individual's family members. Like BIPA, claims under GIPA were little used for a long time after the statute's inception—whereas there were only a handful of lawsuits brought under this statute in its first 25 years of existence, approximately 40 have been filed in 2023. However, statutory damages are larger under GIPA—$2,500 per “negligent” violation and $15,000 per “willful” violation. Given the rapid proliferation of biometric data privacy class actions, and the evolution in the law, it is important that practitioners understand the economics underlying these claims.
Copyright 2024 Bloomberg Industry Group, Inc. (800-372-1033) Analyzing Biometric Data Privacy Class Action Settlements. Reproduced with permission.
Experts
- Partner