Last week, the first jury trial involving a case arising under Illinois’ Biometric Information Privacy Act (BIPA) reached a verdict in favor of the plaintiffs. The case, Rogers v. BNSF Railway, Co., No. 19-cv-03083 (N.D. Ill. Oct. 12, 2022), was brought on behalf of a class of truck drivers who claimed that BNSF illegally required them to scan their fingerprints when entering its railyards. The plaintiffs contended that BNSF violated BIPA by failing to obtain their consent and failing to inform them of the purpose of the scan or the length of time that the biometric information would be collected and stored. The plaintiffs’ counsel also emphasized the fact that BNSF failed to take action and continued to allow for the collection of biometrics even after the suit was initially filed in 2019.
After deliberating for just one hour, the jury found that BNSF was liable for violating BIPA recklessly or intentionally 45,600 times, an amount equal to the estimated number of truck drivers in the class who had their fingerprints scanned from April 4, 2014, through January 25, 2020. The distinction between “reckless or intentional” violations versus “negligent” violations of BIPA is important as the former carries damages of $5,000 per violation, while negligent violations call for damages of $1,000. Judge Matthew Kennelly of the U.S. District Court for the Northern District of Illinois calculated the damages pursuant to the jury’s finding at $228 million – a straightforward calculation of $5,000 per plaintiff. While the damages award was large, it could have been exponentially larger – the court opted not to award damages for every time each plaintiff had scanned a finger.
BNSF did not, itself, scan fingerprints or collect data. Remprex LLC was a third-party vendor and independent contractor hired by BNSF to scan fingerprints. At trial, BNSF defended itself by arguing that Remprex was responsible for collecting biometric data and complying with the law and that BNSF was not responsible for the “method and manner” of Remprex’s work. Clearly, the jury rejected BNSF’s defense that it should not be subject to vicarious liability. BNSF has indicated it will ask the Seventh Circuit to evaluate this specific issue on appeal.
It is worth noting that there was no evidence that any plaintiff’s identity had actually been stolen or that anyone had wrongfully obtained any fingerprint data, although such evidence is not required in order to recover under BIPA. The verdict clearly emphasizes the jury’s concern about protecting privacy interests. Such a large award after short deliberations will undoubtedly embolden plaintiffs’ class-action attorneys to push BIPA claims toward trial if it is apparent that a violation of BIPA has occurred. Any private entity doing business in Illinois should take notice of the Rogers verdict, and if it collects biometric information in any way from its employees or other individuals (through a fingerprint, retina, or facial scan), it is critical to make note of BIPA’s requirements.
BIPA requires that an entity collecting or capturing an individual’s “biometric identifier or biometric information” must first: (1) inform the person in writing that a biometric identifier or biometric information is being collected; (2) inform the person in writing of the specific purpose and length of time for which the information is being collected, stored, and used; and (3) receive a written release executed by the individual from whom it is being collected.
Later this month, it is expected that the Illinois Supreme Court, in Cothron v. White Castle System, Inc., will rule on an important issue involving BIPA. The Court will decide whether claims “accrue” under BIPA each time a person’s biometric identifier is scanned or only upon the first scan. Should the Court decide in favor of the plaintiffs, potential damages in BIPA cases will become exponentially greater as $1,000 or $5,000 will be assessed for every violation, rather than on a per-individual basis, as the court did in Rogers.
Not only will the Cothron decision significantly impact the potential damages in BIPA cases, but also whether certain claims will be barred by the statute of limitations. Presently, claims under BIPA carry a statute of limitations of five years (the “catch-all” limitation period in Illinois). Should the Cothron decision come back in the defendants’ favor, individual class members whose first biometric scans occurred more than five years prior to the suit being filed would have their claims barred. It should also be noted that the Illinois Supreme Court is considering, in Tims v. Black Horse Carriers, whether a one-year or five-year statute of limitations should be applied in BIPA cases.
In the wake of the Rogers verdict, and with the understanding that exponentially larger verdicts may be on the horizon, companies that collect biometric data are well-advised to take action to ensure compliance with the law and to develop appropriate contractual protections when dealing with third-party vendors who collect biometrics. The attorneys at Segal McCambridge have extensive backgrounds in both employment law and cyber risk matters and are well-versed in all aspects involving claims brought under BIPA. Should you have questions about your company’s plan for complying with BIPA, please don’t hesitate to contact us.