A jury in the matter of Rogers v. BNSF Railway Co, Case No. 1:19-CV-03083 (N.D. Ill.) recently rendered the first verdict under Illinois' Biometric Information Privacy Act (BIPA). This class action matter involved the collection of biometric fingerprint data on each truck driver who entered the railyard without first obtaining the drivers' informed, written consent. Because the breaches were found to be intentional and/or reckless, the court awarded the plaintiff class $5,000 per alleged breach, resulting in a judgment of $228 million.
Why Does This Matter for Employers?
A number of class action cases have been filed against employers in Illinois to date, some of which have resulted in high-six- to mid-seven-figure settlements. In recent months, new BIPA class actions have been piling up at a rapid rate, indicating that such cases are likely to be around for the foreseeable future.
While the Rogers class action matter did not involve an employer-employee relationship, the case provides insight into the extent of liability employers may face if they fail to comply with the BIPA, as it is the first case to reach a jury verdict under the BIPA.
Companies that operate a business in the state of Illinois are required by law to obtain written, informed consent from any employee from whom the company will collect biometric data. Such biometric data may include fingerprints used for timekeeping systems, or voice IDs or hand/face/eye scans associated with company security protocols. Whatever type of biometric data a company may collect, in addition to obtaining informed consent, employers are required to do the following:
- Establish a written policy, made available to all employees, identifying the company's retention schedule and guidelines for destroying biometric data; and
- Protect employee biometric data in a manner at least as protective as the method the company uses to protect other confidential information.
Under the BIPA, employers are prohibited from selling, trading, disclosing, disseminating, or otherwise profiting from biometric data. Violations of the BIPA carry liquidated damages ranging from $1,000 per violation for negligent acts and up to $5,000 for intentional or reckless acts (as in the case of the BNSF matter).
What if I Don't Operate in Illinois?
There is no better time than the present to begin preparing for biometric privacy legislation to come to your state. Employers in Texas, Washington, and California should already be aware of state-specific laws governing biometric privacy. States with pending legislation either introducing or strengthening biometric privacy laws include California, Maine, Maryland, Massachusetts, Missouri, and New York. Employers in any of these states would be wise to consult with an attorney to understand the full scope of the legislation in each of these states and what they need to do to prepare for compliance.
If this recent verdict is any lesson, the costs associated with delays in compliance can be severe.