Biometric Privacy Violations Derail BNSF

Sean Griffin is a member with Dykema. Courtesy photo.

It is no secret that Illinois has some of, if not the, strictest laws related to the collection and use of individuals’ biometric information. The state’s Biometric Information Privacy Act (BIPA), signed into law in 2008, prohibits companies from collecting, using, or storing a person’s biometric information, such as fingerprints, unless the company gives adequate notice of the practice, obtains express written consent on an individual basis, and makes disclosures as specific by law. While a negligent violation carries a $1,000 per instance penalty, a reckless or even intentional violation has a $5,000 penalty for each incident. 

In October 2022, an Illinois jury handed down a first-of-its-kind verdict: BNSF Railway Company was found liable for no fewer than 45,600 reckless or intentional BIPA violations, for total damages of $228 million.  We were able to discuss the case and its significance with Sean Griffin, a member at Dykema who practices in data privacy and cybersecurity. While some have said the Rogers decision will bring a plethora of BIPA-related claims, Sean Griffin, a member at Dykema who practices in data privacy and cybersecurity, called it “a lodestar for BIPA litigation.”