Biometric Privacy Legal Landscape Case Law Developments Class Action Litigation Defense Strategies

First Biometric Privacy Jury Trial Results in Massive $228 Million Dollar Verdict

Amanda M. Noonan |

A federal district court in the Northern District of Illinois conducted the first-ever jury trial in an Illinois Biometric Information Privacy Act (“BIPA”) case. On October 12, 2022, the jury returned a verdict for the plaintiff—and more than 45,000 class members—regarding defendant BNSF Railway’s (“BNSF”) reckless violations of BIPA. See Rogers v. BNSF Railway Co., No. 1:19-cv-03083 (N.D. Ill. Oct. 12, 2022). Plaintiffs’ claims centered on BNSF’s collection of fingerprints to verify their identities and allow access to BNSF’s facilities without obtaining their written consent, as required under BIPA Section 15(b).

After a five-day trial—and only an hour of deliberations—the jury found BNSF not only violated BIPA 46,500 times, but did so intentionally or recklessly under 735 ILCS 14/20(2). The jury’s finding on that issue quintupled plaintiff’s damages award to $5,000 per violation, as opposed to $1,000 per negligent violation. As a result, District Judge Matthew Kennelly entered a $228 million dollar damages award in plaintiffs’ favor following the verdict. BNSF has stated it intends to appeal.

The implications of the verdict loom large. On the plaintiff’s side, counsel will likely increase the already large-scale BIPA filings and push for higher settlement amounts, using the prospect of a successful jury trial as a bargaining chip. Given the stakes, BIPA defendants may be more inclined to seek early resolution once named in a BIPA class action to avoid a bet-the-company litigation at all costs.

Considering the verdict, early compliance efforts by companies implementing biometric technology are even more crucial to avoid BIPA litigation in the first instance. Significantly, companies using any technology that could arguably constitute biometrics—regardless of the sophistication—may be targeted by zealous plaintiff’s attorneys seeking to join the ever-increasing cascade of BIPA class action filings. Biometrics privacy counsel should thus be consulted to address compliance strategies to protect against the catastrophic risks of a BIPA verdict at the earliest possible opportunity.

Biometric Privacy Compliance Tips

Beware of Hidden Pitfalls: Biometric Privacy Guidance for California Employers

David J. Oberly |

By now, most Golden State employers are well versed in the California Consumer Privacy Act of 2018 (“CCPA”), as well as its soon-to-be successor, the California Privacy Rights Act of 2020 (“CPRA”), which goes into effect at the start of 2023.

At the same time, more and more employers operating in California (and in other parts of the nation) are integrating biometrics into their operations in a variety of ways, including for timekeeping and access control purposes, among others.

Many of these employers need not worry about satisfying the onerous requirements of the CCPA because they do not meet any of the law’s three applicability thresholds: (1) $25,000,000 in gross revenue; (2) buying, receiving, sharing, or selling the personal information of more than 50,000 consumers, households, or devices; or (3) deriving 50 percent or more of revenue from the sale of personal information.

And those employers that do fall under the scope of California’s consumer privacy law are largely exempted from compliance in connection with the personal information of employees (and job applicants) under the CCPA’s employee information exemption.

Combined, many California employers operate under the assumption that there are no applicable legal requirements that must be satisfied when using biometrics in their day-to-day operations. Organizations that take this approach do so at their peril, as California Labor Code § 1051 imposes clear, unambiguous requirements and limitations on employers that utilize certain biometric data in the workplace. More than that, this California law—which often flies under the radar of many employers and even their biometric privacy counsel—can result in criminal penalties for noncompliance.

California Labor Code § 1051

Specifically, Labor Code § 1051 bars employers that require employees or job applicants to furnish their fingerprints from disclosing that fingerprint biometric data to any third party. For example, employers are generally barred under Labor Code § 1051 from disclosing fingerprints to other employers to prevent subsequent employment, or to law enforcement agencies unless required pursuant to a court order or subpoena. Any employer that violates Labor Code § 1051 is guilty of a misdemeanor.

Practical Compliance Tips

Consequently, California employers must proceed with caution when using fingerprint biometric data in the workplace and ensure they are in strict compliance with Labor Code § 1051 when collecting, using, or storing employee fingerprint biometrics.

To do so, employers should first ensure that their biometrics service providers and vendors are completely precluded from accessing any fingerprint data collected by the employer through the service provider/vendor’s technology.

In addition, employers must maintain robust policies and protocols to prevent inadvertent disclosures of employee fingerprint data to any third parties, as a mishap of this nature—while not intentional—still nonetheless runs afoul of Labor Code § 1051.

Similarly, employers must maintain robust security measures to safeguard employee fingerprint data, as any unauthorized acquisition of such data by hackers or other malicious third parties also constitutes a violation of Labor Code § 1051.

To make matters worse, any inadvertent disclosure or other data compromise event also likely constitutes a violation of employees’ right to privacy under the California Constitution. And if that wasn’t enough, breach incidents involving the compromise of fingerprint data will also oftentimes form the basis for an actionable violation of the CCPA, opening the door for class action litigation. It should be noted, however, that Labor Code § 1051 does not apply to employers’ use of other types of biometric data (only fingerprint data) and is inapplicable outside of the employment context.