$228M award vacated in first Biometrics Information Privacy Act trial

July 5, 2023

Tyson Fisher


A federal judge has vacated a fine worth more than $200 million against BNSF Railway for violations of Illinois’ Biometric Information Privacy Act.

On Friday, June 30, an Illinois vacated $228 million in damages handed down to BNSF Railway. A new trial was ordered in the first case under the state’s Biometric Information Privacy Act to go to a jury.

According to the second amended complaint, truckers were required to visit various railyards, including the Illinois facilities owned and operated by BNSF. At BNSF facilities, truckers were required to register their biometric identifiers and/or biometric information into biometrically-enabled “Auto-Gate Systems” that partially control entrances and exits at the facilities.

Essentially, drivers were required to provide fingerprint identification to BNSF for scanning.
BNSF collected, captured and stored truckers’ biometric identifiers. However, the railroad company failed to provide any written disclosures describing the purpose and duration of the use of such information. Furthermore, BNSF failed to obtain written consent from the truckers, a violation of BIPA.

A federal jury found BNSF liable for one count of violating Illinois’ BIPA and awarded plaintiffs $228 million. The complaint claims at least 44,000 truckers may be eligible for compensation.

This is the first such case to go to trial.

Biometric Information Privacy Act

Enacted in 2008, Illinois’ Biometric Information Privacy Act regulates the collection, use, safeguarding, handling, storage, retention and destruction of biometric identifiers and information, according to the complaint.

A “biometric identifier” is defined as “a retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry.”

The Biometric Information Privacy Act “prohibits private entities from collecting, capturing, purchasing, receiving through trade or otherwise obtaining a person’s biometric information unless the private entity:

  • Informs that person in writing that identifiers and information will be collected and/or stored.
  • Informs the person in writing of the specific purpose and length for which the identifiers or information is being collected, stored or used.
  • Receives a written release from the person for the collection of that data.
  • Publishes publicly available written retention schedules and guidelines for permanently destroying said data. LL

Related stories:
Old Dominion tells federal court to dismiss biometric privacy lawsuit