In 2008, Illinois enacted the Biometric Information Privacy Act (BIPA), a first-of-its-kind state law that established standards for the collection, use and sharing of individuals’ biometric data by companies and potential penalties for violations of the statute. Earlier this month, in the first biometric privacy class-action suit brought under the law, a federal jury awarded plaintiffs $228 million — a warning for companies to not run afoul of BIPA.
In Richard Rogers v. BNSF Railway Co., tried in the U.S. District Court for the Northern District of Illinois, truck driver Richard Rogers sued on behalf of a class of 45,600 fellow drivers whose fingerprints were scanned for identity verification when visiting BNSF Railway’s rail yards to pick up and drop off loads. The truck drivers alleged that BNSF collected the fingerprint scans without written, informed permission or notice.
Under BIPA, a company cannot collect, use or store biometric data — including scans of fingerprints, hands, faces or eyes — without first providing notice, obtaining written consent and making certain disclosures, including providing written biometrics policies to the individuals from whom the biometric data is collected. The statute provides for an award of $1,000 for each negligent violation of the law and a maximum of $5,000 for each reckless or intentional violation.
BNSF said it outsourced the collection of the biometric information to a third-party vendor, Remprex LLC, which it had contracted to install and operate the equipment that captured the fingerprint scans. BNSF argued that it was therefore not liable under BIPA.
Prior to trial, the court considered the issue of whether BNSF could be liable for the conduct of Remprex. The court referred to common law agency-principal relationships as Illinois statutes are generally construed under common law. The court held that under common law, principals may be held liable for the conduct of their agents, and so BNSF could be held liable for Remprex’s actions.
After a week-long trial, on October 12, 2022, the federal jury found in favor of the plaintiffs. The jury determined that BNSF was liable under BIPA and recklessly or intentionally violated BIPA 45,600 times, an amount equal to the number of truck drivers in the class who had their fingers scanned from April 4, 2014, through January 25, 2020. Based on this — and allowing the maximum award of $5,000 for each violation — the court calculated and awarded damages in the amount of $228 million.
Next steps for collectors of biometric data
Although BNSF has stated its intention to appeal the verdict, the Rogers ruling will have aftershocks for companies that collect biometric data in Illinois. The verdict will clearly embolden the plaintiffs’ bar to file more BIPA lawsuits, which means companies will need to focus on BIPA compliance. Importantly, the ruling establishes that an organization cannot avoid liability by shifting the burden to a vendor.
In light of the decision, organizations that collect biometric data in Illinois should:
Review contracts with employees and contractors, with BIPA requirements in mind.
Request that their third-party vendors keep records of biometric data handling.
Investigate third-party vendors’ historical BIPA compliance records.
Discuss with counsel the inclusion of indemnification clauses in third-party vendor contracts.
Work with their brokers to review the terms and conditions regarding privacy coverage in cyber insurance policies.
For more information on BIPA and the collection of biometric data, please read Biometric Data: Privacy, Cybersecurity & Insurance Considerations or email firstname.lastname@example.org.