CURRENT MONTH (June 2023)
Judge Vacates Jury BIPA Damages Award and Orders New Trial on BIPA Damages Issue
By Alan S. Wernick, Esq., Aronberg Goldgehn
The damages for a violation of the Illinois Biometric Information Privacy Act (“BIPA”) became uncertain when, on June 30, 2023, a federal judge in the first-ever BIPA trial granted defendant’s motion for a new trial limited to the question of damages.
Biometrics measure and analyze people’s unique physical and behavioral characteristics. Biometrics’ many uses include identification, access controls, testing, and numerous other rapidly evolving business applications. The Illinois BIPA (which became effective on October 3, 2008) provides (740 ILCS 14/20) that for each negligent violation of the act, a prevailing plaintiff may recover liquidated damages of $1,000 or actual damages, whichever is greater, in addition to obtaining other relief such as an injunction. For each intentional or reckless violation of the act, the plaintiff may recover the greater of liquidated damages of $5,000 or actual damages. In addition, the plaintiff may recover reasonable attorney’s fees and costs, including expert witness fees and other litigation expenses, plus other relief, including an injunction, as the state or federal court may deem appropriate. Illinois BIPA is not the only law regulating the use of biometric data. See, “Biometric Information – Permanent Personally Identifiable Information Risk.”
On October 12, 2022, the jury in the first-ever trial concerning BIPA, in Richard Rogers, individually and on behalf of similarly situated individuals, Plaintiff, v. BNSF Railway Company, U.S. District Court, Northern District, Illinois (“Rogers”), agreed with the plaintiffs’ class of more than 44,000 truck drivers suing BNSF Railway on allegations of 45,600 willful or reckless BIPA violations. The jury awarded a $228 million verdict against BNSF Railway. The underlying math for the verdict was relatively simple: the number of violations multiplied by statutory damages of $5,000 for each willful or reckless violation ($228,000,000 = $5,000 x 45,600).
Both parties filed motions regarding the jury’s judgment: BNSF moved for entry of judgment in its favor as a matter of law, and in the alternative moved for a new trial or to alter or amend the damages award; Rogers moved to amend the judgment and for a partial new trial. The U.S. District Court, in its June 30, 2023, decision, denied all the motions except for BNSF’s motion for a new trial on the damages issue. Rogers v BNSF Railway Company, 2023 WL 4297654.
The U.S. District Court in Rogers based its decision to grant a new trial on the damages issue in part on the February 17, 2023, Illinois Supreme Court decision in Cothron v. White Castle Sys., Inc., 2023 IL 128004. Cothron held that a BIPA claim accrues under the Act with every scan or transmission of biometric identifiers or biometric information without prior informed consent. The Illinois Supreme Court in Cothron, in dicta, cited to the use of “may” in the BIPA and a decision by the Illinois Appellate Court, stating: “It also appears that the General Assembly chose to make damages discretionary rather than mandatory under the Act. See 740 ILCS 14/20 … (detailing the amounts and types of damages that a ‘prevailing party may recover’ (emphasis added)); see also Watson, 2021 IL App (1st) 210279, ¶66 n.4, 458 Ill.Dec. 267, 196 N.E.3d 571 (concluding that damages under the Act are discretionary rather than mandatory).” Cothron v. White Castle Sys., Inc., 2023 IL 128004, ¶ 42.
The U.S. District Court, in partially granting BNSF’s motion for a new trial, vacated the award of damages, and ordered a new trial limited to the question of damages, stating, in part: “…the court in Cothron also pointed out that ‘where statutory language is clear, it must be given effect.’ 2021 IL 128004, ¶ 40. That same canon of statutory interpretation applies to Section 20, and the use of ‘may’ and ‘each violation’ indicates to this Court that to the extent that damages are discretionary, the discretion does not depend on the number of violations. The Court therefore sees no basis, in making an ‘Erie Guess,’ to disregard the Illinois Supreme Court’s statement that ‘the General Assembly chose to make damages discretionary rather than mandatory under the Act.’ Cothron, 2021 IL 128004, ¶ 42.” Rogers, 2023 WL 4297654, *9.
The outcome of the new trial on the damages issue may help clarify the BIPA damages calculation. However, the liability for violating BIPA has become clearer as courts around the country have considered the liability of businesses collecting, storing, and/or using biometric data. The bottom line is that business collecting, storing, or using biometric data need to promptly discuss with knowledgeable legal counsel the legal risks and ramifications associated with biometric data. Compliance with BIPA and other privacy/cybersecurity statutes and regulations, like any compliance activity, is a recognized business expense. However, that expense can be far lower than non-compliance.
© 2023 Alan S. Wernick and Aronberg Goldgehn.
Texas Data Privacy and Security Act
By DaJonna Richardson, J.D. Candidate, Class of 2024, University of Colorado Law School
In the absence of a comprehensive federal privacy law similar to Europe’s General Data Protection Regulations, Texas joins nine other states with approved privacy legislation. These ten states are part of a growing number of state governments establishing a framework to protect consumer data rights.
The Texas Data Privacy and Security Act (“TDPSA”), also known as H.B. 4, passed in the Texas legislature on May 29, 2023, after a six-year effort of many stakeholders in the Lone Star state. The new law takes effect July 1, 2024. Starting January 1, 2025, the TDPSA also requires all controllers—“an individual or other person that, alone or jointly with others, determines the purpose and means of processing [consumer] personal data”—to recognize universal opt-outs (e.g., web browser privacy settings or the use of designated electronic agents).
The new law applies to any individual or entity collecting, storing, or otherwise handling the personal data of any resident of Texas, or transferring that data for any consideration, who will likely meet these standards:
- Entities conducting business in Texas or generates products or services consumed by Texas residents.
- Processing or engaging in the sale of personal data.
- Do not identify as a small business as defined by the U.S. Small Business Administration.
The new law is grounded in the five privacy principles of data protection. Here is what you need to know about the Texas law:
- Notice 🡪
- Choice and consent 🡪
- Companies will also be required to obtain opt-in consent before collecting data relating to racial or ethnic origins, health conditions, sexuality, or citizenship status, as well as genetic and biometric data, with a thirty-day cure provision.
- Access and participation 🡪
- Controllers of information must practice data minimization (only using personal data as reasonably necessary) and avoid secondary uses. They must conduct data protection assessments. Consumers must be allowed to opt out of data processing for targeted advertising and data sales, and they will not be considered to have consented if their agreement was obtained using “dark patterns.”
- Integrity and security 🡪
- A controller that is in possession of “deidentified” or “pseudonymous” data should take reasonable measures to ensure that the data cannot be associated with an individual, in addition to publicly committing to not re-identify the data. This includes ensuring appropriate steps are taken to remedy any breach of these commitments.
- Enforcement 🡪
- The Texas Attorney General (AG) has been given sole enforcement rights on any violation of the TDPSA. The AG must give thirty days’ notice to any person found in violation of the TDPSA and allow the person thirty days to cure the violation. The right to cure will apply only if the controller provides a written statement and supporting documentation that the violation has been cured and notifies consumers of the violation. A person who breaches and fails to cure that breach within the thirty-day cure period may incur a civil penalty of up to $7,500.
Music Publishers Seek $250 Million in Copyright Infringement Damages from Twitter
By Aja Finger, J.D. Candidate, Class of 2024, Howard University School of Law
On June 14, 2023, a group of seventeen music publishers filed a complaint against Twitter in the US District Court for the Middle District of Tennessee. Plaintiffs are member companies of the National Music Publishers’ Association (“NMPA”), a trade association whose mission is to protect, promote, and advance the interests of music creators in the United States. The Publishers allege that Twitter consistently and knowingly infringes on artists’ copyrights by hosting and streaming infringing copies of musical compositions, including ones uploaded by or streamed to Tennessee residents.
The NMPA began sending formal infringement notices to Twitter on a weekly basis in December 2021. Since then, member Publishers have notified Twitter of more than 300,000 infringing tweets, consisting of “unauthorized copies of the official artist music videos, videos with unauthorized recordings of live performances, and/or other video content that was synchronized to Publishers’ musical compositions without authorization.” The NMPA argues that this is just the “tip of the iceberg” as they are not the only copyright holders whose works have been, and are being, shared without authorization on Twitter.
Twitter’s copyright policy broadly states that “Twitter will respond to reports of alleged copyright infringement ….” If an account receives multiple copyright complaints, Twitter may suspend them in accordance with its Repeat Infringer Policy. Accounts that re-post removed content and/or indicate to users where to access copyrighted material on third party websites may be permanently suspended. Plaintiffs claim that this is not enough. They allege that Twitter often waited weeks or months after receiving the NMPA infringement notices before removing or disabling access to content. Moreover, Twitter suspended virtually none of the verified accounts identified in the notices, allegedly because their large follower bases are more valuable and monetizable than unverified accounts.
After years of unsuccessfully petitioning Twitter to take more decisive action against copyright infringement, the NMPA turned to the court for a remedy. The plaintiffs assert that Twitter is both contributorily and vicariously liable for the direct infringements by users on its platform. As a result, they seek a declaration that Twitter has willfully infringed musical works owned and/or controlled by Publishers in violation of the Copyright Act, as well as statutory damages in an amount of up to $150,000 for each infringed work. Alternatively, Publishers may elect to pursue actual damages, including Twitter’s profits from infringement as proven at trial.
This lawsuit is the latest in legal and financial challenges for the social media platform coming in the wake of the Federal Trade Commission’s investigation into possible data privacy and security violations. Twitter has yet to release a comment.