One hour. That is all it reportedly took for a jury to deliberate in the first-of-its-kind trial alleging violations of Illinois’ Biometric Information Privacy Act (BIPA) before finding defendant BNSF Railway Company liable for the reckless and intentional violation of that state privacy law. The violation? Requiring BNSF employees to scan their fingerprints to gain access to the company’s premises, without first obtaining the BIPA-required written release. The resulting $228 million civil judgment sends a devastating warning to businesses that collect or use biometric information of the importance of having a proactive biometric compliance program in place.

BIPA Overview

BIPA is a 2008 Illinois statute that requires private entities that collect, use or store biometric information – defined to include fingerprints, iris scans, and face prints – to first obtain a written release from individuals prior to the collection of that biometric data, and to also provide notice of the collection that includes the purpose of collection and duration of storage. While other state laws regulate biometric information, BIPA is the only such state law that includes a private right of action, or the ability of an individual to sue a business directly for a violation of the act. BIPA also includes a statutory penalty provision, allowing for $1,000 per negligent violation and $5,000 for intentional or reckless violation of the law.

Over the years, BIPA has been interpreted by courts to extend to companies outside of Illinois, and in 2019 the Illinois Supreme Court in the Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019) decision determined that actual injury was not required for standing to sue under BIPA. In other words, a violation of the BIPA law was enough to proceed in a lawsuit, and an individual need not show other, separate injury to their person by the collection of their biometric data. Rosenbach and its progeny have seen the general expansion of BIPA liability and an increase in BIPA filings, though some nuances around preemption and vendor liability remain. While headline-making BIPA settlements exist, such as against large tech companies Facebook and Tik Tok, in reality, the majority of BIPA filings are against employers who use devices like fingerprint scanners for access control or timekeeping purposes, as was the case in the Rogers trial.

The Rogers Case

Rogers, a truck driver and former employee of BNSF, sued the company on behalf of a class of BNSF employees alleging that BNSF had collected his and others’ biometric information through a fingerprint scanner used to gain entry to the Company’s facilities. According to Rogers, BNSF failed to obtain a written release from him and others, and make the requisite notice and disclosures.

For its part, BNSF denied that it operated the fingerprint scanner and attempted to shift responsibility for the collection of biometric information onto a third-party vendor, arguing that this entity was actually responsible for the data collection. Recently, a decision by the Northern District of Illinois in Ronquillo v. Doctors Associates, LLC, No. 21-cv-4903 (N.D. Ill. April 4, 2022) ruled that BIPA may apply to third-party vendors with no direct employment relationship to a BIPA plaintiff. However, the shifting to a third-party vendor as a defense to business liability, as BNSF attempted in the Rogers trial, was previously untested.

Suffice it to say, the third-party vendor defense did not work. The one-week trial ended in an hour-long deliberation that indicated jurors were not satisfied that a business could shift responsibility for BIPA compliance onto a vendor. And, the jury found that BNSF had violated BIPA 45,600 times, based on BNSF’s own expert’s estimate of the number of truck drivers in the class who had their fingers scanned during the relevant time period.

Following the verdict, U.S. District Court Judge Matthew Kennelly awarded $228 Million in damages to the plaintiffs, applying the $5,000 statutory damage per reckless or intentional violation to each of the estimated 45,600 violations.

What’s Next for BIPA litigation?

The blockbuster Rogers verdict empowers the plaintiffs bar to continue to bring BIPA lawsuits, and demand larger BIPA settlements that closely follow the statutory damages calculation endorsed by the Rogers court.

While the impact of Rogers will be felt on BIPA litigations for years to come, not all recent BIPA news has sided with plaintiffs.  On Monday, a federal judge in Washington state dismissed two putative BIPA class actions brought by Illinois residents against Microsoft and Amazon for their use of IBM’s Diversity in Faces datasets. The Washington court sided with Microsoft that BIPA does not apply outside Illinois and that the alleged hosting of biometric information on servers located within Illinois, alone and where the use of the data occurred elsewhere, was not sufficient to bring the action in scope for BIPA.

And litigants on both sides of the BIPA lawsuit continue to anticipate the Illinois Supreme Court decision in Cothron v. White Castle Sys., No. 128004 (Ill. Sup. Ct). In White Castle, the Supreme Court is asked to answer an age-old question when it comes to statutory violations – is each failure to comply with BIPA a separate, actionable occurrence – or a continuing violation of the statute? Should the Court determine that each failure is actionable – i.e., in the Rogers context, each fingerprint scanned without a written release and notice in place – as opposed to the number of employees who had a fingerprint scanned over a relevant time period – the impact on BIPA damages calculations could be enormous.

Takeaways: The Importance of BIPA Compliance

The benefits of biometric devices are numerous – companies gain speed and efficiency by using fingerprint scans or facial recognition technologies for access controls and timekeeping. But the burdens of BIPA litigation, especially post-Rogers and in anticipation of White Castle, are increasing. Often times businesses may not appreciate that different business units or facilities are relying on biometric devices for these purposes. Additionally, biometric information is now regulated under several state privacy laws, including sensitive personal data under the California Privacy Rights Act.

In a world of increasing privacy regulation and litigation, businesses and employers should evaluate their data collection practices and high-risk processing activities.  Especially in states such as Illinois, businesses and employers should work to evaluate whether proper consent management procedures and release are in place before collecting biometric information.