Illinois’ first jury verdict in a biometric privacy class action will likely encourage more litigation in the state and place pressure on businesses to settle those claims long before they reach trial, attorneys say.
A federal jury on Oct. 12 found that BNSF Railway Co. violated the state’s unique Biometric Information Privacy Act by collecting fingerprints from more than 45,000 truck drivers as a form of identity verification without first obtaining proper consent. The company, ordered to pay $228 million in damages, has vowed to appeal.
The trial’s outcome speaks to the strength of BIPA violation claims in general, and the significant risk they pose to companies, said class action defense attorney Jason Stiehl of Crowell & Moring LLP in Chicago.
“If you don’t have a strong factual defense at the outset, the prudent approach is to find an exit strategy very, very quickly,” Stiehl said. Otherwise, the damages will potentially be “company ending if you can’t get out early,” he said.
This, in turn, could embolden plaintiff’s lawyers to pursue larger settlements or push the case to trial, Stiehl said.
Illinois is the only state in the country that allows workers and consumers to sue businesses that improperly capture their facial scans, voiceprints, and other biometric data. Since BIPA’s enactment in 2008, class actions have been filed against tech companies like Snapchat, airlines, fast-food chains, retailers, universities, and more.
While the first wave of BIPA lawsuits targeted employers, Stiehl said he expects the verdict will hasten a surge in litigation filed by individual consumers against companies that collect biometric data.
David Oberly, a senior associate specializing in biometric privacy at Squire Patton Boggs in Cincinatti, said the BNSF verdict could have as much impact, if not more, on BIPA litigation as the Illinois Supreme Court’s 2019 ruling in Rosenbach v. Six Flags Entertainment Corp.
In that case, the state justices ruled that plaintiffs need not demonstrate actual injury to sue under the law. In the same way Rosenbach opened the door for a wave of class actions based on technical violations, the BNSF verdict demonstrated that such claims can prevail and win huge sums in damages, Oberly said.
Other attorneys aren’t convinced that an increase in litigation is necessarily in store.
“Both sides of the ‘v.’ are already well aware of BIPA, so whether there is any delta of increased BIPA filings from this verdict is an empirical question whose answer is not as obvious as we might think,” Rachel Geman, a partner with class action plaintiff’s firm Lieff Cabraser Heimann & Bernstein LLP in New York, said in an email.
Jon Loevy, the lead trial attorney for the BNSF truck drivers, agreed.
“Maybe earlier on companies were doing it ignorantly and didn’t know, but lawyers and companies at this point are likely changing their practices,” Loevy of Loevy & Loevy in Chicago said. “I would think that the number of cases that get filed is going to dry up, not increase, because people are aware of it now.”
The verdict could change how attorneys approach settlement discussions now that they know the defense could lose at trial, Loevy said.
Avoiding biometric privacy litigation starts with efforts to comply with the statute and reduce liability risks, attorneys say.
Companies have no excuses left to be non-compliant with a law enacted in 2008, Loevy said.
Compliance involves collecting written consent from individuals providing their biometric information, and informing them of how the data will be used, stored, and eventually destroyed.
It also means ensuring BIPA compliance by contractors.
In the BNSF case, the company entered into a contract with Remprex LLC, which collected and stored the drivers’ fingerprints as part of a system that controlled truck entries and exits at BNSF facilities.
Prior to trial, the US District Court for the Northern District of Illinois ruled that BNSF could be held liable for Remprex’s BIPA violations because the contractor gathered the biometric data on BNSF’s behalf.
Employers looking to avoid that pitfall need to review their contracts with employees and contractors with requirements of the BIPA statute in mind, said Carolyn Martin, senior counsel at Lutzker & Lutzker LLP.
Companies should require contractors to keep records of biometric data handling, and thoroughly investigate their past performance on handling information securely, she said.
However, who ultimately bears responsibility for BIPA violations when a third party such as a contractor is involved has yet to be set in stone, Oberly of Squire Patton Boggs said.
That liability issue will be examined and further clarified at the appeals level and likely the Illinois Supreme Court, Oberly said.
BNSF spokesperson Lena Kent said the company plans to appeal, saying “the decision reflects a misunderstanding of key issues.” But she declined to provide additional detail.
Other unresolved questions following the verdict include what constitutes an adequate showing of consent, said Brenda Leong, a partner with Burt and Hall LLP in Washington.
That issue is likely to become more urgent with the risk of voice-activated systems, where there’s no obvious mechanism for obtaining written consent, as is required under BIPA, she said.
Calculation of damages is another open issue. The damages outcome in the BNSF case could potentially change depending on how the Illinois Supreme Court rules in Cothron v. White Castle. The decision will clarify a key ambiguity in BIPA: whether defendants are liable for only the initial statutory violation per person, or whether each subsequent violation will incur damages.
“Of course nothing is over til it is over and the thin gentleman sings, but the verdict may also impact discussions in other cases involving the spectre of statutory penalties,” Lieff Cabraser’s Geman said.
To contact the reporters on this story:
To contact the editors responsible for this story: