BIPA’s Discretionary Damages in Practice: BNSF Gets Its Shot to Reduce a Historic $228 Million Judgment

The Illinois Biometric Privacy Act (BIPA) provides that a prevailing party “may” recover liquidated damages for a violation of the statute. Addressing the potential for “annihilative liability” in White Castle, the Illinois Supreme Court provided a (small) break in the clouds for Illinois businesses. The Illinois court explained that a trial court “would certainly possess the discretion to fashion a damage award that (1) fairly compensated claiming class members and (2) included an amount designed to deter future violations, without destroying defendant’s business.”

Though the nod to this discretion was provided in dicta, the federal court presiding over the first BIPA trial that went to verdict, Rogers v. BNSF Railway Company, upon a motion for a new trial on damages, has taken this admonition by the Illinois Supreme Court to heart. BNSF will now have the opportunity to convince a jury to reduce a historic $228 million BIPA judgment entered against it.

Last October, a $228 million judgment was entered against one of the nation’s largest railway companies, BNSF. The jury did not decide the dollar-amount of the judgment. Instead, the jury solely determined liability, finding that BNSF had recklessly or intentionally violated BIPA. The trial court then calculated the damages award by multiplying $5,000, allowed for liquidated damages, by the number of class members (45,600). At the time, the court reasoned that the use of “may” permitted recovery of the “the greater of either actual damages or a fixed amount of $1,000 or $5,000.” With the benefit of White Castle, the trial court has now agreed with BNSF’s argument “that a damages award after a finding of liability is a question for the jury.”

While court watchers anxiously await how this plays out, the parties have already signaled what the damages trial will look like. BNSF has described this judgment as “unprecedented” because none of the class members were actually harmed—for instance, there was no “breach” of BNSF’s security whereby unauthorized users accessed the biometric identifiers. It is expected that BNSF will argue that the appropriate measure of damages is somewhere closer to (if not) zero. Plaintiffs on the other hand will seek to introduce evidence of the defendant’s finances and will also argue that, for a company of that size, $228 million is de minimus and a reasonable amount for deterring future violations.

What amount, if any, the jury will award remains to be seen. However, currently and in the wake of White Castle, the plaintiffs in BIPA cases have felt confident in advancing per-scan damages. With this same theory, individual employees are seeking six-figure damages. But, in the shorter term, this opportunity afforded to the defendant in the Rogers case may provide some much-needed ammunition for defendants in potential resolution of BIPA cases.

As always, it remains a best business practice to analyze whether BIPA applies to your business—or, given the draconian, potential exposure, could arguably apply to your company—and to take necessary measures to ensure compliance. Regularly audit and review what personal data you collect from your customers, employees, and website visitors, collect the necessary consent for this personal information consumption, and update your policies as necessary, in order to stay current on not only BIPA’s requirements but other privacy statutes and regulations enacted nationwide.