On March 15, 2022, the U.S. District Court for the Northern District of Illinois held in the case of Rogers v. BNSF Railway Company, No. 19-C-3083, 2022 WL 787955 (N.D. Ill. Mar. 15, 2022) (slip copy) that the Federal Railway Safety Act (“FRSA”), the Interstate Commerce Commission Termination Act (“ICCTA”), and the Federal Aviation Administration Authorization Act (“FAAAA”) do not preempt a claim under the Illinois Biometric Information Privacy Act (“BIPA”). The Court also held that for statute of limitations purposes, an individual’s claim accrues anew upon each BIPA violation they are subjected to, rather than only upon the first violation. This decision represents another blow to the arsenal of available defenses to defendants facing BIPA claims in state and federal court.
What You Need to Know:
- Section 15(b) of the Illinois Biometric Information Privacy Act (“BIPA”) prohibits private entities from collecting a person’s biometric identifiers without furnishing the individual with certain disclosures and obtaining their written consent for the collection.
- In the 2019 Illinois Supreme Court decision of Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, the Court held that a BIPA plaintiff need not show any actual injury suffered in order to bring a BIPA claim against a company that improperly collects or uses biometric information from its customers or employees.
- The scope and applicability of BIPA have been hotly contested in state and federal courts across the country.
In Rogers, the plaintiff, a truck driver for a logistics company, routinely drove to BNSF facilities throughout Illinois to deliver freight items. BNSF, the defendant, is one of the largest freight and railroad networks in North America. Among the cargo items carried on BNSF railway lines are various hazardous materials such as crude oil for the Department of Homeland Security. In transporting these materials, BNSF is required to comply with various state and federal safety laws, including the FRSA, ICCTA, and FAAAA. For security purposes, drivers carrying hazardous freight to any of BNSF’s intermodal facilities in Illinois (where cargo is loaded from trucks to trains, and vice versa) are required to scan their fingerprint into a security system in order to gain access to the facility. Plaintiff regularly dropped off freight at BNSF facilities, and beginning in 2012, regularly scanned his fingerprint into the security system. Plaintiff was not provided with information about the purpose or length of time for the collection of his fingerprint scans, and did not execute a written release with BNSF.
Plaintiff sued BNSF for violation of Section 15(b) of BIPA, which prohibits a private entity from collecting or storing an individual’s biometric identifier(s) without informing the individual of certain details about the collection and retention and without receiving a written release. Specifically, Section 15(b) states:
(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:
- informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
- informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; an
- receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
Following discovery, BNSF moved for summary judgment arguing that the FRSA, ICCTA, and FAAAA preempted plaintiff’s BIPA claim. BNSF also argued that plaintiff’s claim was barred by BIPA’s five-year statute of limitations (as determined by the Illinois Appellate Court for the First District in Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563). Specifically, BNSF argued that because plaintiff had first submitted his fingerprint into the electronic security system on December 5, 2012 and had not filed suit until April 4, 2019, his claim was barred.
Addressing each of BNSF’s preemption arguments, the Court looked to whether each of the FRSA, ICCTA, and FAAAA could be construed as preempting BIPA expressly or by conflict. “Express preemption applies when Congress clearly declares its intent to preempt state law.” Nelson v. Great Lakes Educ. Loan Servs., Inc., 928 F.3d 639, 646 (7th Cir. 2019). An express preemption clause is to be construed by its plain language, because that is the best indicator of Congress’s preemptive intent. CSX Transp., Inc, v. Easterwood, 507 U.S. 658, 663-64 (1993). Conflict preemption, on the other hand, occurs where the “state law stands as an obstacle to fully accomplishing the objectives of Congress” by the federal law. Nelson, 928 F.3d at 646-47.
I. FRSA Preemption
The Court held that the FRSA did not by express means or by conflict preempt plaintiff’s BIPA claim. With respect to express preemption, the Court noted that Congress enacted the FRSA “to promote safety in every area of railroad operations and to reduce railroad-related accidents and incidents.” 49 U.S.C. § 20101. The FRSA permits states to adopt additional regulations related to railway safety, and the U.S. Supreme Court has framed the FRSA’s preemption inquiry as whether the federal regulation “substantially subsumes the subject matter of relevant state law[,]” and it is not enough that the federal regulation merely “touches upon” the state law subject matter. Easterwood, 507 U.S. at 664. In order to abide by the FRSA’s regulatory obligations, BNSF voluntarily complies with the Customs-Trade Partnership Against Terrorism (“C-TPAT”), a quasi-government program which provides recommendations for protecting secure facilities. One of the provisions C-TPAT recommends is using biometric identifiers to prevent unauthorized access to secure facilities. Notwithstanding these requirements and recommendations, the Court held that the FRSA did not expressly preempt BIPA because BIPA was enacted to protect an individual’s personal information, rather than to promote secure transportation. The FRSA therefore does not “substantially subsume” BIPA’s subject matter so as to give rise to express preemption.
With respect to conflict preemption, the Court held that BIPA does not impose duties that conflict with the FRSA and therefore is not preempted. In doing so, the Court rejected BNSF’s argument that BIPA prohibits mandatory use of biometric identifiers for security purposes and thereby precludes BNSF from fully complying with C-TPAT recommendations. The Court noted that BIPA does not prohibit the collection or use of biometric identifiers, but rather just requires furnishing certain disclosures and obtaining informed consent. The Court also rejected BNSF’s contention that BIPA conflicts with FRSA’s purpose of creating nationally uniform safety procedures for transporting hazardous materials and, by requiring railway operators to obtain a driver’s informed consent before collecting biometric identifiers, deprives railways of the most effective means of securing their facilities. These arguments, the Court held, lacked merit because the FRSA only requires uniformity in security procedures “to the extent practicable” (42 U.S.C. § 20106(a)(1)) and therefore does not prevent BNSF from employing its preferred access methods.
II. ICCTA Preemption
The Court next addressed whether the ICCTA preempts plaintiff’s BIPA claim by conflict (BNSF apparently did not argue express preemption), and held that it does not. Specifically, the Court rejected BNSF’s argument that complying with BIPA in its collection of biometrics would have a significant impact on its ability to comply with the ICCTA requirements related to intermodal transportation. The Court found that BNSF had failed to point to any particular evidence showing that its compliance with BIPA would require it to unreasonably modify its ICCTA compliance procedures. The ICCTA therefore does not preempt plaintiff’s BIPA claim.
III. FAAAA Preemption
The Court then turned to BNSF’s final preemption argument pursuant to the FAAAA. The FAAAA bars state law claims “related to a price, route, or service of any motor carrier . . . with respect to the transportation of property.” 49 U.S.C. § 14501(c). Under U.S. Supreme Court precedent, however, it does not preempt state laws “affecting carrier prices, routes, and services in only a tenuous, remote, or peripheral manner.” Dan’s City Used Cars, Inc. v. Pelkey, 569 U.S. 251, 261 (2013). BNSF argued that implementation of the BIPA requirements would hinder the efficiency of its facilities’ operation, in that its employees would need to manually verify their identities before accessing secure areas instead of simply scanning their fingerprint. The Court rejected BNSF’s argument. Essential to the Court’s decision was the fact that there was evidence that BNSF had actually been able to implement an alternative security system that did not require the use of biometric identifiers, and that at least one other U.S. rail carrier had been able to implement an informed consent regime that complied with BIPA’s requirements. The Court therefore concluded that BNSF’s FAAAA preemption argument, like its ICCTA preemption argument, was too speculative and that the FAAAA did not preempt plaintiff’s BIPA claim.
IV. Statute of Limitations Accrual
After determining that plaintiff’s claims were not preempted, the Court addressed BNSF’s statute of limitations argument. Though BNSF argued that plaintiff’s claim only accrued when he first submitted his biometric information to BNSF absent BIPA’s informed consent safeguards, the Court disagreed. In examining the language of Section 15(b) of BIPA, the Court specifically held:
Of note, the statute premises a violation on the triggering actions of collecting, capturing, etc., rather than the failure to provide notice or receive consent. The statutory language also does not differentiate between the initial and subsequent instances of when an entity collects biometric information, which might otherwise indicate a limitation on when a violation occurs. Accordingly, the Court agrees with [plaintiff] and finds the plain text dispositive: the statute clearly provides that a private entity violates the law each time it fails to comply with the statute through one of the triggering terms, rather than only the first time.
Because the Court found the plain text of the statute dispositive, it rejected BNSF’s contention that the Court should apply the “one-and-done accrual rule” typically followed by Illinois courts adjudicating privacy torts.
The Court’s decision provides helpful guidance on the extent to which federal laws may preempt BIPA. Further, and by holding that a BIPA violation occurs upon each and every submission of biometric information without compliance with BIPA’s informed consent safeguards, it also sheds light on how courts may interpret the controversial statutory damages framework under BIPA (whereby defendants may face up to $1,000 in damages per violation, and up to $5,000 for every negligent and/or intentional violation). It is expected that the plaintiff’s bar will rely on this holding to promote the argument that plaintiffs are entitled to statutory damages for each and every BIPA violation they are subjected to, rather than a one-time failure to obtain informed consent.
For questions about this ruling, the Illinois Biometric Information Privacy Act, or other matters relating to data privacy and cybersecurity, please contact the authors or other members of the Saul Ewing LLP Cybersecurity and Privacy Practice Group.