Last Wednesday, a federal jury in Chicago found that BSNF Railway violated the privacy rights of over 40,000 truck drivers under the Illinois Biometric Information Privacy Act (BIPA), resulting in a $228 million judgment against the defendant. The case, Rogers v. BSNF Railway Co., is the first jury trial decision under BIPA, which has served as a battleground for privacy-rights litigation in recent years.
Overview of BIPA Requirements
BIPA places several requirements on private entities that collect biometric identifiers and information. Among other requirements, the statute prohibits private entities from collecting, capturing, purchasing, or receiving biometric data without informed written consent (BIPA § 15(b)); requires private entities in possession of biometric data to develop a publicly available written policy with a retention schedule (BIPA § 15(a)); and generally prohibits private entities from disclosing biometric data without consent (BIPA § 15(d)).
Unlike other states, the Illinois statute also has a private right of action, allowing aggrieved individuals to sue any private entity that has allegedly run afoul of BIPA’s requirements (BIPA § 20). This provision has teeth: BIPA provides for liquidated damages of either $1,000 or $5,000, depending on whether a violation is negligent or intentional/reckless. Significantly, technical violations of BIPA are alone sufficient to file suit; in 2019 the Illinois Supreme Court unanimously ruled that infringement of a right afforded under the state’s Biometric Information Privacy Act (“BIPA”) is sufficient for a plaintiff to allege a violation of the law, even absent any allegations of harm beyond the statutory violation itself.
Fingerprinting Truck Drivers
The class action lawsuit brought by the truck drivers in Rogers centers around BNSF’s collection of biometric data when the drivers entered and exited BNSF’s rail yards. BNSF, through a subcontractor, collected drivers’ fingerprints for identity verification purposes as drivers came and went. The plaintiffs alleged that their biometric data was collected without informed consent or notice in violation of BIPA. BNSF primarily argued that it was not liable because a third-party vendor—which it contended was an independent contractor—collected the fingerprint data.
Although the trial lasted five days, the jury returned a verdict after only one hour of deliberations. Notably, it found that BSNF was liable for BIPA’s heightened statutory damages and, in turn, liable for $228 million. BNSF plans to appeal the decision.
BIPA Moving Forward
While companies doing business in Illinois should already be aware of BIPA given the sheer volume of lawsuits filed to date, the jury verdict in Rogers calls for renewed attention. Among other lessons, the verdict demonstrates both the existence and magnitude of risks created by possible BIPA violations, even in cases where the relevant conduct and decision-making is done by a third-party vendor (e.g., a security or timekeeping firm), rather than a business itself. And, of course, the decision is expected to result in an uptick in BIPA class actions and will undoubtedly be touted as additional leverage by plaintiffs in settlement negotiations.