After a five-day trial and only an hour of deliberation, the nation’s first trial under the Illinois Biometric Information Privacy Act (BIPA) ended with a bang. The jury found that the defendant, BNSF Railway Company, recklessly or intentionally violated BIPA 45,600 times (once per class member), resulting in a $228 million judgment.

Plaintiff Richard Rogers first sued BNSF in April 2019. Rogers was a truck driver who dropped off and picked up loads at BNSF-operated railyards. He was required to register with an automated gate system (AGS) and to provide his fingerprint each time he entered the railyard. Rogers did not give written consent to the collection of his fingerprints, nor was he informed of the length of term for which his fingerprint data would be stored, as required under BIPA section 15(b).

In March 2022, Judge Matthew Kennelly certified a class of similarly situated individuals, whose fingerprints were registered using an AGS at one of BNSF’s four Illinois facilities any time between April 4, 2014, and January 25, 2020.

A key defense raised by BNSF before and after trial was that it was not the right defendant in the action. In September 2021, BNSF moved for summary judgment on the grounds that it did not actively or affirmatively collect biometric information, and that only the employees of Remprex (the third party that installed and managed the AGS at each of its facilities) collected such information. Judge Kennelly denied this motion, citing conflicting evidence regarding BSNF’s role in operating the AGS. Just before trial, BNSF raised this theme again by filing a motion in limine asking the court to exclude evidence, testimony, or argument suggesting that it is or can be held liable under BIPA for any acts by third parties such as Remprex. Judge Kennelly denied this motion, too, holding that BIPA does not abrogate the doctrines of agency law or vicarious liability, and, in any event, that the “otherwise obtain” language of BIPA is broad enough to reach a defendant who hires a third party to collect data on its behalf. At trial, BNSF continued to argue that it was the wrong defendant, and that Remprex was responsible for any consent or retention violations—especially given that the vendor had contractually agreed to comply with local laws such as BIPA.

The verdict against BNSF, however, suggests that the jury was unconvinced. In fact, after deliberating for only an hour, the jury went so far as to find that BNSF’s BIPA violations were reckless or intentional (as opposed to merely negligent). On this front, the jury may have been influenced by the fact that BNSF did not change its practices in response to the 2019 lawsuit (though it did turn off the fingerprint scanners in response to COVID-19 contamination concerns). And as confirmed by BNSF’s general director of hub operations, all BNSF needed to do in 2019 when the lawsuit was filed was tell Remprex to make changes. When asked how many times BNSF had violated BIPA, the jury responded with 45,600 times, which was the estimated total number of drivers who had their fingerprints registered in the AGS system. This number resulted in a $228 million judgment due to BIPA’s liquidated damages figure of $5,000 per violation. But the number could have been even higher given Judge Kennelly’s prior holding, at summary judgment, that a BIPA violation occurs each time a fingerprint is collected without BIPA-compliant notice and consent. (That issue of claim accrual is currently before the Illinois Supreme Court in Cothron v. White Castle System, Inc., 128004, which was argued on May 17, 2022.) Indeed, given the plaintiffs’ prior positions that the registration step requires three fingerprints, followed by additional scans each time the facility is entered, the award could have been exponentially higher had the court not granted BNSF’s motion to preclude argument on the total number of fingerprint scans.

© 2022 Perkins Coie LLP