On June 30, the Northern District of Illinois vacated the $228 million in damages awarded in the first jury trial arising under Illinois’ Biometric Information Privacy Act and ordered a new jury trial limited to the determination of damages. The case, Rogers v. BNSF Railway, Co., was brought on behalf of a class of truck drivers who claimed BNSF illegally required them to scan their fingerprints when entering its railyards.
The jury found that BNSF violated BIPA 45,600 times, equal to the estimated number of truck drivers in the class whose fingerprints were scanned during the relevant period. The jury also determined that BNSF’s BIPA violations had been “reckless or intentional” as opposed to “negligent,” an important distinction because the former carries damages of $5,000 per violation instead of $1,000 for the latter.
The court then multiplied the 45,600 “reckless and intentional” BIPA violations by $5,000, reaching a damages award of $228 million.
Afterward, the court granted BNSF’s motion for a new trial on damages, agreeing with BNSF that the jury should have decided the amount. In reaching this conclusion, the district court relied on the Illinois Supreme Court’s recent ruling in Cothron v. White Castle Sys., Inc., which stated that BIPA damages are discretionary rather than mandatory.
Rogers and Cothron’s conclusion that BIPA damages are discretionary is based on section 20 of the BIPA statute, which states that “[a] prevailing party may recover for each violation[.]” The use of “may” and “each violation” indicated to the Rogers court that the discretion doesn’t depend on the number of violations. The court further concluded that because damages under BIPA section 20 are discretionary, the jury should determine the damages award after a finding of liability.
Although the new trial on damages in Rogers is a reprieve for BNSF, the company might not fare any better before a jury than it did with the court. The case shows just how quickly damages can accrue under BIPA.
To avoid the potential for significant damages, all affected entities should note their obligations under BIPA and implement a proactive plan to minimize the risk of violations and the potential for large damages claims.
First, affected entities should assess whether they possess biometric data. Section 10 defines a “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” “Biometric information” means any information based on an individual’s biometric identifier, regardless of how it was obtained.
If an affected entity possesses relevant information, it should develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric data. To be fully compliant, the written policy must be public.
Next, the entity must provide written notice to individuals whose biometric data it has collected or stored. The disclosure should include the specific purpose and length of term for which the biometric information would be used. To limit the potential period of liability under BIPA, written releases must be executed by the individuals.
To further prevent violations and statutory damages, entities need to store, transmit, and protect from disclosure the biometric data using the reasonable standard of care within the entity’s industry, and do so in a manner similar to how they handle other confidential and sensitive information. Then, private entities must ensure they’re complying with their retention schedule and destruction guidelines.
Affected entities should evaluate their contracts with third-party vendors that collect biometrics to assess the potential scope of liability and whether indemnification needs to be included. Lastly, they should review their insurance policies.
These steps will go a long way to avoid liability under BIPA and minimize potential damages.
The case is Rogers v. BNSF Railway, N.D. Ill., No. 1:19-cv-03083, opinion and order 6/30/23.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Joseph Kish is a shareholder at Segal McCambridge.
Erica Bury is a senior associate at Segal McCambridge.
Write for Us: Author Guidelines
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.