Labor & Employment Law Update

If companies that employ Illinois residents and use any type of equipment to scan fingers, hands, face, or eyes were not yet aware of and concerned by the Illinois’ biometric privacy law, the Illinois Biometric Privacy Act (BIPA), they should be now. On October 12, 2022, after a week-long trial, a federal jury returned a verdict finding that one of the nation’s largest railway companies, BNSF, had violated BIPA—to the tune of a $228 million judgment.

Critically, the plaintiffs were successful in convincing a jury that BNSF recklessly or intentionally violated BIPA, resulting in the maximum damages of $5,000 for each violation (instead of $1,000 for a negligent violation). The jury found one BIPA violation for each of the 45,600 class members.

BIPA makes it illegal for a company to capture, collect, or store the biometric information of anyone, including employees, unless written consent is received from the individual.  A written policy describing the capture, collection, and storage must also be in place. The mere failure to inform employees, in writing, of the specific purpose and length of time for which their fingerprints are being collected, stored, and used, and to obtain their informed written consent—without more—can translate into astronomical exposure and potential damages.

The BNSF case appears to also deflate a company’s opportunity to shift liability to another entity. BNSF took the position that it was not liable under BIPA as their third party vendor implemented and operated the biometric system that scanned fingerprints to let employees in and out of the work site. While BNSF vigorously argued this point to both the court and the jury, it ultimately failed in convincing either that it was not liable for the BIPA violations. Attorneys for BNSF have stated they plan to appeal the verdict. Their likely focus will be on this issue of vicarious liability. 

This verdict (which took the jury all of one hour to reach after a 5 day trial), and the findings by the court both before and during the trial are significant as they likely add gasoline to an already-hot fire.

1. First, it makes no difference if you are relying upon another company or service provider for the collecting and/or maintaining of the biometric data. A potential defense of pointing the finger at some other entity appears to be a loser of an argument.
2. Second, a reckless or intentional violation of BIPA appears not hard to come by. Companies should evaluate their potential liability based on $5,000 per violation rather than the $1,000 per violation for negligence under BIPA. The facts supporting a finding of a reckless or intentional violation were not as egregious as some companies likely envisioned. Instead, the court instructed the jury that BNSF acted “recklessly” if it consciously disregarded or was utterly indifferent to the plaintiffs’ rights, and it acted “intentionally” if it intended to violate the law.

Notably, though BIPA has discretionary language whereby a prevailing party “may” recover for each violation, the court, not the jury, imposed the maximum-statutory, liquidated damages of $5,000 per class member. The jury was not made aware of what a finding in favor of the plaintiff-class would mean in terms of damages. So, after the jury found reckless or intentional violations of BIPA, one for each of the 45,600 class members, the court calculated damages, multiplying the class members by $5,000 for an eye-popping total of $228,000,000.

Although this is the first BIPA case to go to trial and reach a verdict, the outcome is not that surprising given the way courts have expansively read BIPA to favor plaintiffs. Now more than ever, companies must ensure compliance with BIPA and know that this verdict may embolden plaintiff’s counsel.