Generally, biometric privacy laws seek to protect the unique attributes of human beings that could be leveraged to access sensitive information about them, such as fingerprints and the measurements utilized for facial recognition technologies.

Illinois has emerged as a leader at the forefront of biometric privacy law expansion.  When it first enacted the Biometric Information Privacy Act (BIPA) in 2008, Illinois was the only state to have a biometric data privacy law. Since then, multiple other jurisdictions have followed suit. Still, BIPA stands as an exemplar due to the broad scope of its coverage. This law requires advanced written notice and consent for the collection or storage of biometric identifiers or biometric information. Notably, unlike most other state biometric privacy laws, BIPA creates a private right of action authorizing minimum damages of $1,000 for negligent violations and $5,000 for reckless violations.

Under that private right of action, on October 12, 2022, a federal jury found that BNSF Railway violated BIPA resulting in a $228 million class damages award. The BNSF case marks the first time a BIPA case has proceeded through trial. Plaintiffs’ attorneys argued that BNSF went awry in the implementation of an auto-gate system used to secure its cargo facilities. To enter, truck drivers were registered into the auto-gate system in a process that included scanning the drivers’ fingerprints. BNSF did not obtain written consent and the truck drivers were never informed how long their fingerprint data would be stored. The jury determined that BNSF had either recklessly or intentionally violated BIPA 45,600 times—matching a defense expert’s estimation for the number of truck drivers who were fingerprinted.

This case serves as a milestone in biometric privacy law that could hold valuable lessons for the future. Businesses that use biometric data will need to adapt as more jurisdictions incorporate their own biometric information regulations. Woods Rogers Vandeventer Black Cybersecurity & Data Privacy attorneys recommend working with outside counsel to craft appropriate procedures and stay in compliance with biometric information laws and other privacy requirements.


Phillip Harmon, an Associate in the Cybersecurity & Data Privacy Practice contributed to this article.