The Illinois Biometric Information Privacy Act is not preempted by federal statutes that regulate rail or ground transportation, a federal district court has ruled. The recent ruling was issued in Richard Rogers v. BNSF Railway Company, No. 19-cv-3083 (N.D. Ill. Oct. 31, 2019), a BIPA class action filed by Rogers, a truck driver who often visits BNSF Railway Company’s facilities to transport loads. Rogers’ suit alleges that BNSF required him to provide a biometric identifier (such as a fingerprint or hand scan) for identity verification at some of its facilities.
According to Rogers’ complaint, BNSF collects and stores biometric information without consent in violation of BIPA, an Illinois law regulating a private entity’s collection, storage, and use of an individual’s biometric data. 740 ILCS 14/15(a). Under BIPA, a company may not collect biometric information without prior written consent and must develop and make available to the public a written retention policy for the eventual destruction of such data. BIPA also restricts the disclosure and dissemination of biometric information and regulates its storage.
BNSF moved to dismiss Rogers’ claims, arguing that BIPA conflicts with and is preempted by the Federal Railroad Safety Act, the Interstate Commerce Commission Termination Act, and the Federal Aviation Administration Authorization Act.
U.S. District Court Judge Matthew Kennelly rejected BNSF’s preemption arguments and noted that “[BIPA] imposes disclosure, consent, and recordkeeping requirements related not to transportation of persons or property but rather to certain types of information.” The Court distinguished BIPA from the federal statutes, stating that “BIPA does not refer to, and has no connection with, motor carrier services, rates, or routes, and it does not concern transportation of property. Rather, it is a generally-applicable statute that in this situation just happens to apply to a railroad.”
Judge Kennelly found BNSF’s preemption argument “highly speculative, to say the least” because BNSF was unable to identify any federal regulation that governs the collection or storage of biometric information.
The Court also thwarted BNSF’s attempt to dismiss Rogers’ complaint on the grounds that it fails to adequately state a claim for negligent, reckless or intentional violation of BIPA, stating, “As Rogers points out, the BIPA took effect more than ten years ago, and if the allegations of his complaint are true – as the court must assume at this stage – BNSF has made no effort to comply with its requirements … . [T]his is certainly enough, at the pleading stage, to make a claim of negligence or recklessness plausible.”
Rogers’ suit against BNSF is similar to hundreds of other cases filed in the years since BIPA was enacted in 2008. Many of the lawsuits target companies such as grocery stores and hotel chains accused of fingerprinting employees for time-keeping purposes. Of note, in response to the rampant litigation under BIPA, the Illinois Senate proposed a bill in March of this year (SB 2134) which would eliminate the availability of a private cause of action under BIPA.
Rogers, whose claims against BNSF arise not from his position as an employee but rather as a frequent visitor to BNSF’s facilities, made similar allegations in another suit against freight moving company CSX Intermodal Terminals Inc. (Rogers v. CSX, No. 19-cv-02937 (N. Dist. Ill. September 5, 2019)). There, the district court judge allowed Rogers’ case to move forward because it was precisely the kind of BIPA violation the Illinois Supreme Court approved in its recent Rosenbach v. Six Flags decision. Rosenbach v. Six Flags Entm’t Corp., 129 N.E.3d 1197, 1202-03 (2019).
Judge Kennelly’s recent ruling may signal a trend of allowing cases involving privacy protections to proceed when a plaintiff’s allegations simply suggest a statutory violation. This is of particular significance as businesses prepare and implement policies for complying with the growing number of privacy laws that states are passing, including the California Consumer Privacy Act, which will take effect January 1, 2020.
The CCPA is California’s response to the increasing number of unauthorized disclosures of its citizens’ personal information. Similar to BIPA, the CCPA is likely to affect businesses across most industries and imposes statutory penalties for violations of the act. Companies would be well-advised to make documented efforts to comply with the CCPA now in order to reduce the risk of incurring steep penalties and limit exposure to costly litigation in the future.