Illinois’ Biometric Privacy Information Act Derails BNSF Railway Co.

Written By: David Trombly

First Ever Jury Trial for the Biometric Information Privacy Act.

On Oct. 12, a federal jury determined that BNSF Railway Co. violated Illinois’ Biometric Information Privacy Act (“BIPA”) and awarded 45,000 truck drivers 228 million dollars in the first-ever jury trial regarding BIPA. After a five-day trial, the jury decided that BNSF Railway Co. had recklessly or intentionally violated BIPA 45,600 times by collecting employee fingerprints without proper consent.

Illinois Constructed BIPA to Protect its Citizen’s Biometric Information.

Biometric data includes a person’s unique biological traits, which BIPA defines as a scan of the hand, retina, or iris scan, fingerprint, voiceprint, or face geometry. Illinois recognizes that a person’s biological trait is the most sensitive information that an individual possesses. A person’s biological makeup is unique and cannot get altered. As opposed to social security numbers that can change when compromised, biometric information cannot change. In a world of developing biometric technology, people can attach their biometric data to their finances and other sensitive information. If their biometric information gets compromised, their valuable information is at significant risk.

Illinois is among a few states that possess biometric privacy laws. Other states, such as Washington and Texas, also have biometric privacy laws. However, these states do not contain provisions for private causes of action. Only the state’s attorney general can enforce these laws. Illinois is unique in that BIPA allows for a private cause of action. This provision gives the act significant weight in targeting organizations that potentially violated BIPA. BIPA bases its authority on the idea that individuals have a right to their biometric identities. When an organization fails to follow Illinois’ privacy laws, it invades an individual’s statutory rights.

Illinois passed BIPA in 2008, however, its relevance has sprung up recently. The Illinois legislature created this law in response to the bankruptcy of Pay By Touch. Pay By Touch operated an extensive fingerprint scan system in places such as grocery stores, gas stations, and school cafeterias. When this company went bankrupt, many wondered what had happened to their fingerprints. After the creation of BIPA and Pay By Touch’s bankruptcy, the popularity of biometric information faded in Illinois.

Today, as technology advances, many corporations use biometric identifiers for customer convenience or to track employee hours. Illinois has been a hotspot for litigation regarding BIPA. Parties used BIPA to go after big tech giants such as Facebook, Google, and other companies within a wide array of industries.

BIPA Possesses Three Main Features that Protects an Individual’s Biometric Information.

Whenever an organization collects biometric identifiers for any purpose, BIPA requires them to perform three primary obligations. First, inform individuals that the organization is storing their biometric information. Second, notify the individual of the collected data’s purpose and length of time it gets held. Third, an organization must receive written consent from the affected individual to gather their biometric information. In addition, BIPA requires an organization to use a reasonable standard of care in storing this sensitive biometric data.

An Organization’s Violation of BIPA is Enough to Warrant a Lawsuit.

Individuals are subject to monetary compensation if there is a violation of BIPA. Opponents of this provision argue that individuals affected by BIPA need to show some type of injury, such as monetary damages, to bring an action against an organization that violates BIPA. However, the Illinois supreme court, in Rosenbach v. Six Flags, determined that waiting until physical harm, such as monetary loss defies the purpose of BIPA, which is to prevent and deter violations of people’s biometric data. Those who argue for the presence of some type of actual damage claim that the statute’s no-harm provision significantly detriments the state’s economy by hurting companies that must pay large sums of money for violating BIPA.

Where do We go From Here?

As our technology advances further, biometric identification systems will continue to grow. We will face two competing ideals regarding biometric identification systems within Illinois and the broader United States. The first ideal includes an individual’s right to control their biometric information. The second ideal involves the notion that the economic prosperity of companies aids the greater economy, and we cannot have legislative roadblocks that hinder these companies’ abilities to operate. In the future, legislatures and our society will have to wrestle with these two competing ideals when creating legislation on biometric information.


Skye Whitley, Christopher Brown, Paige Smith, BIOMETRIC PRIVACY PERILS GROW AFTER BNSF LOSES LANDMARK VERDICT (Oct.16, 2022 11:00 AM).

Biometric Information Privacy Act 14 § 10 Definitions (2008).

Charles N.Insler, Understanding the Biometric Information Privacy Act Litigation Explosion,106 Ill. B.J. 34, 35-49 (March 2018).

Steve L. Brennan, Illinois Supreme Court Gives Thumbs Up to Strict BIPA Enforcement, 29 No. 7 Ill. Emp. L. Letter 1, (February 2019).

Chloe Stepney, Actual Harm Means it is Too Late: How Rosenback v. Six Flags Demonstrates Effective Biometric Information Privacy Law, 40 Loy. L.A. Ent. L. Rev. 51 (2019).