Jury Awards Plaintiffs $228 Million in Illinois Biometrics Class Action
October 19, 2022
In the first biometrics privacy class action to go to trial in Illinois, last week a jury handed down a $228 million judgment against BNSF Railway Co. In the case of Rogers v. BNSF Ry. Co. (N.D. Ill., No. 19-cv-03083), the jury found that BNSF had violated the Illinois Biometric Privacy Act (BIPA) and awarded $228 million to the plaintiff class of more than 45,000 truck drivers.
BIPA limits how businesses can use and store individuals’ biometric information, such as fingerprints, retina scans, face scans, and the like. The law requires that employers meet various requirements, including obtaining written consent and posting their policies regarding biometric data, before they can use or store biometric information.
In Rogers v. BNSF, the plaintiff class alleged that truck drivers were required to scan their fingerprints to confirm identity and access BNSF facilities, but the company hadn’t disclosed the purpose of collecting fingerprints and didn’t publish a data retention or destruction policy, as required by BIPA.
BNSF argued that it shouldn’t be liable for biometric data collected on its behalf by a third-party contractor, but U.S. District Court Judge Matthew Kennelly rejected this argument.
The jury found that BNSF had recklessly or intentionally violated BIPA and awarded $5,000 for each class member. With 45,600 truck drivers in the class, the total judgment was $228 million.
Failing to meet BIPA’s notice requirements can be quite costly, as the staggering liability in the BNSF case shows. Employers that fail to meet these requirements face the following penalties:
- Negligent violations: $1,000 in liquidated damages or actual damages (whichever is greater)
- Intentional or reckless violations: $5,000 or actual damages (whichever is greater), along with attorneys’ fees/costs and any additional appropriate relief the court may decide
Litigation currently pending before the Illinois Supreme Court will shed further light on BIPA damages, with decisions set to be handed down on the statute of limitations for BIPA claims and on whether the damages apply per individual or each time the individual’s biometric information is used.
BIPA has been in effect since 2008, but its application and scope of liability continue to catch employers off guard.
If your company uses – or has previously used – biometric information (such as fingerprint, face, hand, or retina scan timeclocks or entry devices), it’s critical that you confirm that you are meeting BIPA’s requirements. You should also determine if there are ways to reduce any potential liability for past activities.
Attorneys from our Employment & Executive Compensation Group and Cybersecurity Team continue to monitor legal developments regarding biometric data and are happy to assist with evaluating and updating processes to ensure compliance and mitigate exposure from past violations.