On October 12, the first jury trial to decide a case under Illinois’ Biometric Information Privacy Act (BIPA) found that BNSF railroad intentionally violated the law and entered a $228 million dollar verdict against the company. The case centered around BNSF’s use of fingerprint scanning technology to verify the identity of truck drivers delivering cargo at its railyards. Throughout the case and the trial, BNSF argued that its vendor that sold and administered the technology was solely responsible for the alleged violations of BIPA. After just one hour of deliberations, the jury disagreed, finding that BNSF was independently responsible for violating the law.
Biometric Information Privacy Act (BIPA) Background
By way of background, Illinois enacted BIPA in 2008 after a company called Pay-by-Touch started a pilot program at Chicago-area retail stores to enable customers to pay for purchases using fingerprint scans linked to their credit cards. When Pay-by-Touch subsequently filed for bankruptcy after collecting customers’ biometric and financial account information, the bankruptcy trustee listed the customers’ biometric information as an asset and sought to sell it to pay off creditors. This motivated the Illinois legislature to enact BIPA.
BIPA’s Requirements
BIPA contains the following five different subsections regulating the use of biometric information, which BIPA defines as including a scan of a retina, fingerprint, voiceprint, or hand or face geometry:
- First, anyone in possession of biometric information must develop a publicly available retention policy.
- Second, prior to collecting any biometric information, the collecting party must disclose the purpose and length of time for which the information will be used and obtain a release from the subject of the information.
- Third, biometric information cannot be disclosed without the subject’s authorization.
- Fourth, a party cannot profit from selling biometric information under any circumstances.
- Finally, a party must protect biometric information using the standard of care in the industry, and at least the same protection measures that the party uses for other personal and confidential information.
Both Judge and Jury Rejected BNSF’s Arguments
The case focused on BNSF’s automated gate system (AGS), which required truck drivers like the plaintiff to scan their fingerprint when entering BNSF’s facilities to verify their identity. BNSF hired a vendor, Remprex, to provide the fingerprint scanning devices and manage the databases of biometric information that the system used to verify identities.
The plaintiff contended that when truck drivers like himself registered to use the AGS for the first time, they were never given the disclosures required by BIPA prior to scanning their fingerprints, and they were not asked to affirm their consent in writing to the collection and use of their biometric information.
BNSF argued throughout the case, including at summary judgment and at trial, that its vendor had the sole responsibility to comply with BIPA, because only the vendor collected and processed the drivers’ biometric information. However, the judge rejected BNSF’s motion for summary judgment, finding that there were factual disputes regarding the extent to which BNSF was involved in managing the system and directing the work of the vendor’s employees. Those same factual disputes were presented to the jury, who found that BNSF violated the law independently from its vendor.
Class Damages
BIPA includes a private right of action that awards plaintiffs statutory damages in the amount of $1,000 per negligent violation and $5,000 per intentional or reckless violation. The jury found that BNSF intentionally or recklessly violated the law and awarded $5,000 for each of the approximately 45,600 class members (other truck drivers who used BNSF’s AGS in Illinois), resulting in a verdict of $228 million.
Notably, the jury’s verdict could have been larger. An open question under BIPA is whether a plaintiff can recover for only one violation, or whether each separate scan constitutes a separate violation, allowing plaintiffs to stack their damages. In BNSF’s case, each truck driver scanned their fingerprints numerous times during the relevant time period, which could have resulted in a verdict that reached well into the billions. The jury was instructed that they could decide the number of violations for which BNSF would be held accountable, and the jury decided to limit its verdict to one violation per class member.
The Illinois Supreme Court is currently considering a separate case that should resolve this very issue, Cothron v. White Castle System, Inc., and a decision could be entered on that matter shortly.
Takeaways
The practical reality of modern technology and data privacy is that companies frequently rely on vendors to implement new technologies and safeguard personal information. Those relationships need to be managed carefully to comply with the ever-evolving legal requirements for data privacy and security, while also effectively allocating risk between the parties. Part of the problem with BNSF’s defense was that its contract with its vendor failed to clearly identify the parties’ respective responsibilities for compliance with BIPA and other data privacy laws.
Octillo will continue to monitor any developments regarding BIPA and will update its guidance accordingly. Our team of experienced attorneys, who are also devoted technologists, are especially equipped with the skills and experience necessary to not only develop a comprehensive and scalable biometric privacy compliance program but also negotiate with vendors and handle any resulting disputes or litigation.
*Attorney advertising. Prior results do not guarantee a similar outcome