Northern District of Illinois Rejects Railroad’s Federal Preemption Defense Under State Biometric Data Privacy Law.
- On December 19, 2019
By: Paula E. Pitrak
On October 31, 2019, United States District Judge Matthew Kennelly of the Northern District of Illinois in Rogers v. BNSF Ry. Co., No. 19-cv-3083 (N.D. Ill. Oct. 31, 2019) ruled that BNSF cannot use a federal preemption defense for dismissal of a proposed class action alleging breach of state biometric privacy laws.
Biometric data is broadly defined as any information that can be used to identify a person based on biometric identifiers, such as fingerprints, retina scans, and facial geometry. There is currently no federal law regulating the collection and use of biometric data, and only three states have enacted biometric data privacy laws (Illinois, Texas and Washington). The Texas and Washington statutes are enforced by the state attorneys general. The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, requires companies doing business in Illinois give people written notice and get consent before collecting fingerprints or other biometric data; it is the only state biometric data privacy law that provides a private right of action.
In Rogers, the class action complaint alleges BNSF violated BIPA by collecting and storing biometric identifiers (such as fingerprints or hand scans) without providing written disclosures regarding the purpose and duration of its use of the information; without obtaining written consent of those whose information is collected; and without making available its retention or destruction policies—all of which, the complaint alleges, the BIPA requires.
BNSF moved to dismiss the amended complaint for failure to state a claim and under a federal preemption defense. BNSF contends the BIPA claim is preempted under one or more of three federal statutes (specifically, Federal Railroad Safety Act (FRSA), Interstate Commerce Commission Termination Act (ICCTA), and Federal Aviation Administration Authorization Act (FAAAA)) and the action’s failure to adequately allege a negligence or reckless violation of the BIPA.
Judge Kennelly denied BNSF’s motion to dismiss, thereby rejecting BNSF’s federal preemption defense and finding the complaint’s allegations adequately plausible for the pleading stage.
In its rejection of BNSF’s federal preemption defense under ICCTA, the Court makes clear BIPA “imposes no limits or restrictions on the movement of property or persons—rather, it imposes disclosure, consent, and recordkeeping requirements related not to transportation of persons or property but rather to certain types of information.” Further, the Court reasoned, “there is nothing inherent in the BIPA’s requirements suggesting that compliance with or enforcement of the statute has any bearing on how BNSF operates trains or tracks.” As such, the Court found BNSF has not shown “unreasonable interference with rail transportation, as required to sustain a preemption defense based on the ICCTA.”
In a similar rejection of BNSF’s preemption defense under FAAAA, the Court found “the impact of the BIPA on motor carrier prices, routes, or services ‘too tenuous, remote, or peripheral’ to give rise to FAAAA preemption.”
While analyzing BNSF’s FRSA preemption defense, the Court answer this question: “whether the Secretaries of Transportation or Homeland Security have issued regulations ‘covering’ the same subject matter as the BIPA.” In answering in the negative, the Court makes clear BNSF identifies no federal regulation that governs the collection or storage of biometric information or that, more generally, prescribes use of such information to identify persons who enter railroad facilities.
In so doing, the Court rejected BNSF’s argument that the following regulatory language preempts BIPA: “[railroads are required] to use physical security measures to ensure that unauthorized persons do not gain access to secure areas in railroad facilities.” The Court found this regulation at most touches upon the same subject matter as the BIPA and certainly does not substantially subsume the subject matter, as required.
Judge Kennelly further opined BNSF could not obtain dismissal of the action for the class’s failure to state a claim. Arguing that BNSF made no effort to comply with the ten-year-old BIPA’s requirements is “certainly enough at the pleading stage to make a claim of negligence or recklessness plausible,” thus satisfying Rules 8’s plausibility test.
Given the extraterritorial reach of Illinois’s BIPA and the fact that other jurisdictions are likely to enact their own versions, companies would be wise to evaluate their practices and policies related to the collection and use of biometric data. Specifically, railroads should be mindful that federal courts continue to reject the contention that all state laws and regulations related to railroad safety and security are preempted, and reliance on regulatory language allowing railroads to “use physical security measures to ensure that unauthorized persons do not gain access to secure areas in railroad facilities” has been deemed insufficient for federal preemption defenses under FRSA, ICCTA, and FAAAA.
Illinois’s BIPA is also the subject of a potential landmark lawsuit, Patel et al. v. Facebook, Inc.—which involves a class action lawsuit against Facebook for alleged violations of BIPA by using its facial recognition software to collect and store biometric information, in the form of face templates extracted from uploaded photographs in connection with its “Tag Suggestions” feature without first obtaining informed written consent.
The United States District Court for the Northern District of California denied Facebook’s motions for summary judgment and granted class certification. The Ninth Circuit Court of Appeals affirmed the District’s Court’s class certification and denied rehearing en banc. As recent as December 2, 2019, Facebook filed its petition for writ of certiorari with the Supreme Court of the United States. SCOTUS’s decision whether to review the Ninth Circuit ruling may have last impacts on biometric data privacy laws and class action lawsuits.
Contact Fletcher & Sippel’s Labor and Employment Group for more information.