The jury returned a verdict in favor of the plaintiffs in the first trial for violations of the Illinois Biometric Privacy Act (“BIPA”), which was conducted in the District Court for the Northern District of Illinois. Rogers v. BNSF Ry. Co., No. 1:19-cv-03083.  A jury found that BNSF Railway violated BIPA by maintaining an automated gate system that scanned fingerprints to identify individuals permitted to enter its rail yards without providing the statutory disclosures or obtaining a written release.  The lead plaintiff, a truck driver for a logistics company, regularly delivered freight to BNSF rail yards and, beginning in 2012, routinely scanned his fingerprints into the security system to access the rail yards.  The class action consists of more than 44,000 truck drivers, but the jury was not yet asked to calculate damages.  BNSF’s potential liability is still an open question and involves an issue pending before the Illinois Supreme Court. 

BIPA poses a risk to businesses that collect biometric identifiers because of BIPA’s private right of action and statutory damages—an incentive for attorneys to bring class action BIPA cases on contingency.  Additionally, BIPA does not require plaintiffs to establish actual injury to recover statutory damages.  Over the past few years, there have been hundreds of class actions filed, often in the employment context.

The plain language of BIPA provides statutory damages of up to $1,000 per negligent violation and up to $5,000 per intentional or reckless violation.  However, BIPA does not answer whether damages accrue only once, upon the first non-compliant collection or disclosure of biometric information, or whether damages accrue for each subsequent non-compliant collection or disclosure.  Especially in the employment context, the difference in potential exposure is drastic.

The Illinois Supreme Court will resolve that statutory ambiguity in Cothron v. White Castle Sys., Inc., No. 128004.  In Cothron, the named plaintiff is claiming that her employer violated BIPA by using a timekeeping system that captured her fingerprint data, arguing that each fingerprint scan represented a separate violation and right to collect an additional set of statutory damages.  The District Court agreed, holding the plaintiff could seek statutory damages for each scan of her fingerprints.  On appeal, the Seventh Circuit certified the question regarding the accrual of damages to the Illinois Supreme Court.  Cothron v. White Castle Sys., Inc., 20 F.4th 1156 (7th Cir. 2021).  The Illinois Supreme Court heard argument in May and could render its opinion any day.

The Cothron decision will mean the difference between millions and billions of dollars in damages in many cases.  However, regardless of how catastrophic the outcome, the continued flood of class actions—and the willingness of plaintiffs to bring the case to trial—demonstrate that companies should take extra caution in making sure that they know what biometric data they may be collecting and reevaluating their compliance regimes.