New Verdict in First Biometric Privacy trial in Illinois
In spite of the fact that dozens of businesses and corporations have been fined hundreds of millions of dollars in the past few years for violating the Illinois Biometric Information Privacy Act (BIPA), all of these companies have declined to go to trial as it pertains to the allegations that have been levied against them. Subsequently, BNSF Railway Co., defined as “one of the largest freight railroad networks in North America, with 32500 miles of rail across the western two-thirds of the United States”, recently lost a class action lawsuit after a group of truck drivers within the state accused the company of violating the biometric data privacy rights that all citizens of Illinois are afforded under the law.
As stated in a Bloomberg Law news article concerning the matter “A class of more than 45,000 truck drivers won a $228 million judgment in the first biometrics privacy class action to go to trial in Illinois, after a jury found that BNSF Railway Co. violated state law by collecting employee fingerprints without proper consent. Jon Loevy, the lead trial attorney for the plaintiffs, confirmed the verdict to Bloomberg Law.” For reference, the provisions of the BIPA prohibit businesses from collecting the biometric data of Illinois residents, including their fingerprints, among other things, without their consent.
Settings a new precedent
To this last point, due to the overwhelming lack of data privacy legislation that currently exists within the United States, there have been very few instances of businesses standing trial with regard to alleged violations of personal privacy. Contrarily, many businesses will instead look to settle out of court in instances where they are faced with class action lawsuits, in a practice that has perhaps been best exemplified by the actions of current Meta CEO Mark Zuckerberg, as well as his fellow executives.
To illustrate this point further, in spite of the fact that the infamous Cambridge Analytica scandal involving Facebook took place several years ago, none of the parties involved have been taken to trial as a result of their alleged actions. Instead, Meta agreed to pay a record $5 billion monetary fine to the Federal Trade Commission (FTC) in 2019, as none of the executives that were working for Facebook at the time in which the privacy violations occurred have ever testified in court regarding their involvement.
However, BNSF Railway Co. deviated this from approach, and instead opted to take their case to trial within the state of Illinois. Consequently, “After a five-day trial, the jury found that BNSF had recklessly or intentionally violated BIPA 45,600 times, one violation per class action member. The decision subjects BNSF to the maximum BIPA penalty of $5,000 per violation.” For this reason, many privacy advocates around the country are arguing that this landmark legal decision stands to change the manner in which major corporations protect the privacy of their customers, as the state of Illinois continues to take a rigorous stance on data protection.
BNSF Railway Co.
On the other hand, BNSF spokesperson Lena Kent was quoted as saying “We disagree with and are disappointed by the jury’s verdict and think the decision reflects a misunderstanding of key issues.” To this end, the primary defense that BNSF Railway Co. established during the course of the trial was that the company should not be held responsible for the biometric data collection practices of a third-party company that had been working on behalf of the railway company, Remprex LLC. Likewise, attorneys for BNSF argued that Remprex LLC. had failed to obtain the proper consent from the class action members involved in the lawsuit, and the matter was essentially out of BNSF’s hands.
Nonetheless, in what has been a recurring trend for companies that have been found in violation of the Biometric Information Privacy Act, a judge ultimately ruled that BNSF still had an obligation to obtain consent from Illinois residents prior to collecting their biometric information, irrespective of the role that any third-party may have played in facilitating this collection of personal data. With all this being said, companies that serve consumers within the state of Illinois will have to begin reexamining their data collection, processing, and retention practices, as actions that are perfectly legal and virtually every other part of the world have effectively been outlawed since the enactment of the BIPA in 2008.
While it remains to be seen whether or not other businesses will take heed of the manner in which the Illinois Biometric Information Privacy Act has been enforced in the past few years, it is clear that the Illinois State Legislature is making a concerted effort to punish organizations that fail to comply with the provisions of the law. Furthermore, government officials within the state have not hesitated to impose million-dollar fines against massive tech companies such as Google and Youtube, in contrast to many other government agencies around the country.