Illinois continues to be a hotbed of privacy litigation, in large part due to Illinois’s landmark Biometric Information Privacy Act (BIPA), which was enacted in 2008. Despite the flood of cases in the wake of Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, 129 N.E.3d 1197 (Ill. 2019), this is only the first BIPA class action lawsuit to proceed to trial. On October 12, 2022, in Richard Rogers v. BNSF Railway Company (Case No. 19-C-3083, N.D. Ill.), a federal jury in Chicago found in favor of a class of more than 44,000 truck drivers who alleged that BNSF Railway Company (BNSF) violated BIPA by unlawfully scanning employee fingerprints for identity verification purposes without giving notice and obtaining their prior written permission. U.S. District Judge Kennelly entered a judgment against BNSF for $228M in damages. This case highlights many important considerations for organizations deploying biometric technologies in Illinois, including the potential for vicarious liability for a vendor’s actions, and provides valuable insight into how damages in BIPA cases are calculated. This decision from the Illinois court demonstrates that defendants can face significant civil liability in BIPA litigation, and companies using or collecting biometric information should be aware of these risks.

Summary of Pre-Trial Litigation

Leading up to the trial, BNSF’s position was that, because it did not operate the biometric collection equipment and instead engaged a third-party vendor, Remprex, to collect the biometric data, it could not be vicariously liable for the vendor’s actions. The court rejected BNSF’s argument. BNSF also attempted to move to dismiss the claims, arguing that BIPA is preempted by federal statutes regulating railroad and transportation entities. The Court also denied that motion, holding that BIPA is a “generally-applicable statute” that is not directly connected to the federal transportation laws. BNSF next moved for summary judgment on various grounds, including on the basis that the plaintiff’s claims were time-barred and that the plaintiff should have sued the vendor instead. Again, the court rejected these arguments.

Trial Outcome

This case provides valuable insight into how damages may be calculated in BIPA suits moving forward. BIPA prescribes a private right of action for aggrieved persons, with the potential to recover up to $1,000 per negligent violation and up to $5,000 for each intentional or reckless violation. The Court instructed the jury not to calculate damages. Instead, they were to indicate how many times BNSF violated BIPA negligently and how many times the violations were reckless or intentional. The jury concluded that BNSF violated BIPA 45,600 times, which aligns with a defense expert’s estimated number of drivers whose fingerprints were registered in the database. The jury found that BNSF’s violations were reckless or intentional, meaning that damages were calculated by multiplying 45,600 by the $5,000 statutory damages, resulting in $228 million in statutory damages.

Despite BNSF’s emphasis on the fact that it did not actually collect, use, or possess any biometric data and even imposed contractual obligations for the vendor to comply with BIPA, this case provides support for the critical but unsettled issue of vicarious liability in BIPA suits.

Impact on Biometric Landscape

In January 2019, the prevalence of BIPA class action litigation increased significantly after the Illinois Supreme Court’s decision in Rosenbach held that allegations of mere technical violations of BIPA are sufficient for plaintiffs to establish standing in Illinois courts even if the plaintiffs do not allege any actual injury or damages. The recent Rogers decision and the staggering damages award will provide further incentive for plaintiff’s attorneys to pursue BIPA claims alleging mere technical violations and may influence plaintiffs to pursue the enhanced tier of $5,000 in damages by alleging intentional or reckless violations instead of $1,000 in damages for negligent violations.

This case also provides a further reminder that organizations cannot simply outsource their BIPA compliance obligations to vendors. Courts may hold organizations liable for BIPA violations under an agency theory of liability or the doctrine of respondeat superior, widening the scope of potential liability exposure for both vendors and their clients. Plaintiff’s attorneys will continue to use these liability theories to help establish actionable claims in BIPA litigation.

Separate from Rogers, we are awaiting the Illinois Supreme Court’s opinion in Cothron v. White Castle Sys., No. 128004 (Ill Sup. Ct.), which will resolve the issue of claim accrual in BIPA litigation. That case will address whether every discrete failure to comply with BIPA’s requirements is deemed a separate, independent violation of BIPA.

It is critical for companies deploying biometric technologies, particularly in Illinois, to work closely with experienced counsel on navigating the evolving landscape of compliance with biometric privacy laws like BIPA. We will continue monitoring these developments.