In January 2019, the Illinois Supreme Court opened the floodgates to class action litigation pursued under the Illinois Biometric Information Privacy Act (“BIPA”) when the state’s highest court held in Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, 129 N.E.3d 1197 (Ill. 2019), that plaintiffs do not have to allege any actual injury or damages to pursue claims under the state’s biometric privacy statute; instead, mere technical violations of the law are sufficient. Today, the world of biometric privacy litigation experienced a development noteworthy enough to put it on equal footing with Rosenbach, with a jury finding in favor of a class of Illinois truck drivers in the first BIPA class action to be tried to verdict.
In that case, Rogers v. BNSF Ry. Co., No. 19 CV 3083 (N.D. Ill.), Richard Rogers (“Rogers”) alleged that his former employer, BNSF Railway Co. (“BNSF”), violated BIPA’s privacy policy, data retention/destruction, notice, and consent requirements when it collected and stored his and other truck drivers’ biometric data without obtaining their consent or informing them of the company’s data retention policies. Importantly, however, BNSF itself was not involved in any activities associated with the collection or use of biometric data. Instead, the company contracted with a third-party vendor, Remprex, to operate the equipment that collected Rogers’ fingerprints, which purportedly failed to follow the requirements of Section 15(b).
On the eve of trial, BNSF filed a motion in limine, moving to exclude evidence, testimony, or argument suggesting that it was or could be held liable under BIPA for the acts of any third parties, including Remprex. The court disagreed, finding that vicarious liability could be asserted in the context of BIPA disputes—and allowing the case to proceed to trial. After closing arguments, the jury needed less than an hour to return its verdict in favor of the class of truck drivers. The jury only decided the issue of liability and was not tasked with calculating damages, which will be assessed by the court at a later date. With that said, using back-of-the-envelope calculations—and assuming that the court applies BIPA’s lower $1,000 negligent violation statutory damages amount and awards damages only for the initial finger scan of each class member that ran afoul of the law (as opposed to every scan under a continuing violation theory), damages still amounts to a staggering $44 million.
The potential implications of Rogers cannot be overstated. For starters, the fact that a jury needed under an hour to reach its verdict indicates that it was not even a close call in the jurors’ eyes as to whether the conduct at issue violated BIPA. In addition, the fact that the jury found against the defendant—despite the fact that the railroad did not itself actively collect, use, or possess any biometric data—provides further support for the critical but unsettled issue of vicarious liability in BIPA class action disputes. Ultimately, the likely impact of the Rogers verdict will be an immediate uptick in the volume of BIPA class action filings moving forward. At the same time, the ruling will also almost certainly be used by plaintiff’s attorneys during settlement negotiations in future class actions to drive up the already-inflated value of BIPA claims.
Furthermore—beyond Rogers—consumers, employees, businesses, and their counsel are all anxiously awaiting the Illinois Supreme Court’s much-anticipated opinion in Cothron v. White Castle Sys., No. 128004 (Ill Sup. Ct.), which will definitively resolve the currently unsettled issue of claim accrual in BIPA litigation. Depending on how the court answers the question of whether every discrete failure to comply with BIPA’s requirements amounts to a separate, independent violation of the statute, the scope of liability exposure and damages underlying BIPA class actions may further increase once again for those companies that leverage the benefits of biometrics in their day-to-day operations.
Combined, companies that have put off evaluating their biometric data collection and processing practices should do so immediately with the assistance of experienced biometric privacy counsel to assess their level of compliance with BIPA and similar laws and remediate any gaps as soon as practicable.