In what is believed to be the first jury verdict related to Illinois’ strict biometrics privacy law, a $228 million judgment has been entered against BNSF Railway in a class-action lawsuit over the railroad’s collection of fingerprint data.

“This is the first example of a jury standing up and saying, yes, this is important information that’s highly sensitive and worth protecting,” said David Gerbie, an attorney representing the truck driver who brought the suit.

In the federal lawsuit, Richard Rogers, a truck driver for a third-party company, said BNSF requires drivers to use fingerprints and “related biometric information” to access the railroad’s intermodal facilities. But the railroad failed to get written consent before collecting and storing biometric information and failed to disclose in writing the purpose for which it was collecting and storing the data, violating Illinois’ Biometric Information Privacy Act, he said in the suit.

The class-action lawsuit covered about 45,000 members. After the judgment, entered Wednesday, each could get about $5,000.

BNSF spokesperson Lena Kent said the railroad planned to appeal the ruling.

Advertising

“We disagree with and are disappointed by the jury’s verdict and think the decision reflects a misunderstanding of key issues,” the railroad said in a statement.

Illinois placed restrictions on businesses’ collection, storage and use of biometric data when the Legislature passed the Biometric Privacy Information Act in 2008. At the time the law was considered the toughest in the nation, requiring written notification and prior consent, prohibiting profiting from the data and allowing people to sue over allegations of violations.

Other companies have reached settlements in lawsuits brought under the law, including Google and the parent company of the app Snapchat. The BNSF case marks the first case to go to trial and reach a verdict.

Gerbie said he was pleased with the outcome, and the size of the award. The outcome shows the law is meaningful and a jury is willing to enforce it, he said.

“I think it will make it clear to companies that you should be really sure you need this data before you collect it,” he said. “And if you do need to collect it, you should comply with the law.”