In 2008, the State of Illinois enacted the Biometric Information Privacy Act, 740 ILCS 14 et seq. (“BIPA”). Illinois was one of the first states to enact a law to address and regulate business’s collection of biometric data (Biometrics are unique physical characteristics, such as fingerprints, that can be used for automated recognition.) The use of biometric data in business is now widespread and common, which includes such uses as time management, security access, safety, and wellness programs.
At its core, BIPA contains a comprehensive set of rules for the collection and use of biometric data and has several key features:
For many years, BIPA flew under the radar in Illinois with few lawsuits filed alleging violations of BIPA’s collection and dissemination regulations. All of that changed in 2015, when five similarly situated class action lawsuits were filed against companies, alleging the unlawful collection and use of biometric data. A central question in the BIPA litigation that followed was whether a plaintiff must allege actual injury to recover damages from a BIPA violation. In 2019, the Illinois Supreme Court held that actual harm is not a requirement to recover damages under BIPA. Rosenbach v. Six Flags, 129 N.E.3d 1137 (2019).
On October 12, 2022, in Richard Rogers v. BNSF Railway Company (Case No. 19-cv-2038, N.D. Ill.), a federal court jury in Chicago returned a verdict in favor of the plaintiff in a class action lawsuit against BNSF Railway Company (“BNSF”), finding that BNSF recklessly or intentionally violated BIPA 45,600 times (the “BNSF Case”). The jury found that BNSF violated BIPA by collecting truck drivers’ fingerprints without consent, for identity purposes when entering BNSF rail yards to pick up or drop off loads. Following the jury’s verdict, the court entered judgment against BNSF in the amount of $228 million. The BNSF case is the first BIPA case to go to trial in Illinois.
The BNSF case demonstrates how damages are calculated in BIPA cases and the potential severity of such damages when a company violates BIPA, even when the plaintiff does not demonstrate actual harm.
BIPA requires all businesses in Illinois to protect biometric data. Under BIPA, a business is required to protect and store all biometric data to the same extent it protects other confidential information (such as SSNs or bank records). Businesses should have a robust BIPA compliance program in place and BIPA compliance programs should be reviewed and updated frequently.
Given the stakes, if you have any questions about BIPA, please contact one of the attorneys at Polales Horton & Leonardi. We have the experience necessary to proactively help businesses implement BIPA compliance programs to avoid BIPA lawsuits and, should the need arise, we have successfully litigated BIPA lawsuits if your business has received notice of an alleged BIPA violation.