In the first biometric privacy class action lawsuit to go to trial in Illinois, a jury awarded a $228 million judgment last week against BNSF Railway Co. In the case of Rogers v. BNSF Ry. Co. (ND Ill., #19-cv-03083), the jury found that BNSF violated the Illinois Biometric Privacy Act (BIPA) and awarded $228 million to the class of plaintiffs over 45,000 truck drivers.
The BIPA limits how companies can use and store biometric information of individuals, such as fingerprints, retina scans, face scans, etc. The law requires employers to meet a variety of requirements, including obtaining written consent and posting their biometric data policies, before they can use or store biometric information.
In Rogers v. BNSFthe plaintiffs group alleged that truck drivers were required to scan their fingerprints to confirm their identity and gain access to BNSF facilities, but the company did not disclose the purpose of the fingerprint collection and did not not published a data retention or destruction policy, as required by BIPA.
The BNSF argued that it should not be liable for biometric data collected on its behalf by a third-party contractor, but U.S. District Court Judge Matthew Kennelly rejected that argument.
The jury found that BNSF recklessly or intentionally violated the BIPA and awarded $5,000 to each class member. With 45,600 truckers in the class, the total judgment was $228 million.
Failure to comply with BIPA notification requirements can be quite costly, with enormous liability, as seen in the BNSF Case. Employers who do not meet these requirements face the following penalties:
- Negligent breaches: $1,000 in damages or actual damages (whichever is greater)
- Intentional or reckless violations: $5,000 or actual damages (whichever is greater), plus attorneys’ fees/costs and any additional appropriate relief the court may decide.
Litigation currently pending in the Supreme Court of Illinois will shed more light on BIPA’s damages, with rulings to be made on the statute of limitations for BIPA’s claims and whether damages apply. per individual or each time the biometric information of the individual is used.
BIPA has been in force since 2008, but it continues to catch employers off guard with its application and the extent of its liability.
If your business uses – or has ever used – biometric information (such as clocks or fingerprint, face, hand or retina reading input devices), it is essential that you confirm that you meet BIPA requirements. You should also consider whether there are ways to reduce any potential liability for past activities.