About Us  |  About Cheetah®  |  Contact Us

Driver’s allegations that CSX required fingerprint scan in violation of BIPA were sufficient

By Joy P. Waltemath, J.D.

Citing state supreme court precedent, the court made it clear that BIPA gives individuals the right to give up biometric information only after certain conditions have been met—to “head off problems before they occur.”

Allegations by a former truck driver that CSX Intermodal Terminals required a fingerprint scan for him (and other proposed class members) to gain access to rail terminals for freight deliveries without first informing him of the purpose and time period for which his information would be collected, or obtain his content to its dissemination, stated a violation of the Illinois Biometric Information Privacy Act (BIPA). A federal district court in Illinois would not dismiss his claims based on CSX arguments that he could have withheld his consent or that it was not required to make its policy available before collecting the information, because the law gives individuals the right to give up biometric identifiers or information only after receiving written notice and providing informed written consent, and the driver had pleaded that CSX “failed to make publicly available any retention or destruction policies” period. But the driver had not adequately stated a claim that CSX intentionally or recklessly violated the act (Rogers v. CSX Intermodal Terminals, Inc., September 5, 2019, Aspen, M.).

Fingerprints collected. The former truck driver plaintiff had visited rail terminals operated by CSX to pick up and deliver freight as part of his job. At CSX’s facilities, the driver had to scan his fingerprints to gain access, and CSX allegedly collected and stored this information, disseminating it to its technology vendors. He sued on behalf of a proposed class as an aggrieved person under the BIPA alleging that before obtaining the driver’s fingerprints, CSX did not inform him in writing of the specific purpose or length of time for which his fingerprints were collected, nor did the driver sign a release or consent to its dissemination. He also claimed CSX does not have a publicly available policy regarding its retention of biometric data. He sought damages for knowing and willful—or at least negligent—violations of the BIPA.

“Voluntary” disclosure? CSX argued that the driver did not suffer any injury because he knew his fingerprints were being collected and could have withheld consent if he wanted. But the court stressed that an individual’s right to privacy in his biometric data includes the right to “give up” his biometric information only after receiving written notice of the purpose and duration of collection and providing informed written consent. In Rosenbach v. Six Flags Entm’t Corp., the Illinois Supreme Court concluded that “to qualify as an ‘aggrieved’ person” an “individual need not allege some actual injury or adverse effect, beyond violation of his or her rights” under the state law. That court stressed that the strategy of the law was to “head off . . . problems before they occur.” Because Rogers’ alleges his BIPA rights were violated, his ability to maintain a claim is wholly consistent with holding and reasoning of Rosenbach.

Dissemination to vendors. CSX did not address the driver’s allegation that CSX did not receive his consent prior to “collecting and/or disseminating [his] biometric information to any of its technology vendors.” Even before Rosenbach, dissemination of biometric information without consent qualified as an injury that allowed plaintiffs to bring a BIPA action, so even if the driver’s other allegations had been insufficient, his allegation that his information was disseminated without consent was sufficient.

Age of plaintiff not the issue. CSX’s effort to distinguish Rosenbach on the basis that the plaintiff in Rosenbach was a 14-year-old whose mother didn’t know her son’s information was being collected was unsuccessful. The Illinois high court did not make any mention of the plaintiff’s age or status as a minor except when outlining the background of the case, the court noted, and that precedent established the driver here qualifies as an aggrieved person under BIPA because his BIPA rights were violated. Accordingly, CSX’s motion to dismiss the BIPA claim was denied.

No policy. BIPA Section 15(a) requires private entities in possession of biometric information to develop a publicly available policy regarding its retention and destruction, and CSX contended the driver’s claim failed because he only alleged that CSX did not create such a policy before collecting his information, which is not required by BIPA. But that was not all the driver alleged; he also alleged that despite collection, CSX “failed to make publicly available any retention or destruction policies,” which was not time-specific and was enough to support his claim that CSX did not comply with Section 15(a) after his fingerprints were collected.

“Knowing and willful.” The driver asserted that CSX’s violations were “knowing and willful,” while BIPA allows for recovery of heightened damages from private entities that violate the act “intentionally or recklessly,” although those terms are not defined in the law. The driver’s conclusory statement of CSX’s intent was not enough to infer that CSX acted intentionally or recklessly, said the court, dismissing that claim with leave to amend.