Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Recent Decisions Clarify Scope of Illinois Biometric Privacy Law

By Frank Nolan and Andrew Weiner
June 01, 2020

Companies that collect, store, and use biometric data of their employees and consumers are justifiably concerned about running afoul of the Illinois Biometric Information Privacy Act (BIPA). The statute, which imposes written consent and data retention requirements, is the only one of its kind to provide a private right of action, allowing recovery of $1,000 per violation ($5,000 if reckless or intentional), plus attorneys' fees. The statute has become a favorite tool of plaintiffs' attorneys, who have filed hundreds of putative class action lawsuits over the last few years.

The stream of BIPA suits filed each week remains steady, and multi-million dollar settlements have become commonplace. For users of biometric information subject to BIPA's rigorous requirements, the last two years have brought mostly bad news, most notably a smattering of unfavorable decisions on the question of whether plaintiffs must suffer an injury in order to avail themselves of BIPA.

Against this backdrop, however, courts have issued decisions on other aspects of BIPA, including the jurisdictional reach of the statute across state lines, the application of the law to third-party data vendors, the statute's health care data exemption, and the preemptive effect of labor laws. Although these decisions may not grab the same headlines as a half-billion-dollar settlement, they should begin to define the contours of the law and give parties to BIPA litigation some much-needed clarity.

|

Article III Standing

A central question in BIPA litigation has, thus far, been whether a plaintiff needs to allege an actual injury, separate and apart from a statutory violation of BIPA. The Illinois Supreme Court held, in January 2019, that no such requirement is imposed for complaints filed in Illinois state courts, including because the Illinois Constitution does not have an analog to the US Constitution's Article III injury-in-fact requirement. Later in 2019, the US Court of Appeals for the Ninth Circuit held that a plaintiff who had alleged a BIPA violation had satisfied the Article III standing requirement because BIPA was designed to protect an individual's common law right to privacy, which the court found was a concrete (and not merely procedural) injury. These decisions were largely at odds with the majority of decisions from district courts in Illinois, which had held that plaintiffs who only alleged violation of BIPA's statutory requirements, without some additional harm, did not have standing and could not pursue their claims.

Most recently, on May 5, 2020, the U.S. Court of Appeals for the Seventh Circuit weighed in on this issue in Bryant v. Compass Group USA, Inc., — F.3d —, 2020 WL 2121463 (7th Cir. May 5, 2020). The factual allegations in the complaint are straightforward: the plaintiff alleges that the defendant collected, stored and used her biometric information without her consent, in violation of BIPA. The procedural posture in the matter was more unusual. The defendant had removed the matter to federal court pursuant to the Class Action Fairness Act (CAFA), and the plaintiff subsequently sought to remand the matter back to state court. The plaintiff argued that the federal court lacked subject matter jurisdiction because she did not suffer a concrete injury-in-fact as required to satisfy the Article III standing requirement. The district court granted the motion to remand, and the defendant appealed to the Seventh Circuit, arguing that the plaintiff had alleged an injury-in-fact. Thus, the parties took positions at odds with those typically asserted by parties in their position in these matters, and the defendant carried the burden of showing to the appellate court that the plaintiff had suffered an injury.

The Seventh Circuit agreed with the removing defendant, finding that the alleged violation of BIPA's Section 15(b), which imposes consent requirements on the party collecting biometric information, amounted to an injury-in-fact in two respects. First, the violation amounted to an invasion of the plaintiff's "private domain," similar to that of an act of trespass. The court further noted that the common interest in protecting individuals' personal privacy bolstered its holding. Second, the court held that the defendant's alleged failure to obtain informed consent from the plaintiff equated to an informational injury, including because the defendant "withheld substantive information to which [the plaintiff] was entitled and thereby deprived her of the ability to give the informed consent section 15(b) mandates." Had the plaintiff been provided such information, perhaps she would have made another decision, i.e., to withhold her biometric data from the defendant.

Although it did not impact the ultimate holding in the case, the court separately found that an alleged violation of BIPA's Section 15(a), which requires publication of a retention and destruction schedule for the collected biometric information, was not enough to confer Article III standing on its own.

Although this decision resulted in a favorable ruling for the defendant, it is likely to be cited by future plaintiffs facing motions to dismiss for lack of standing. The decisions on standing have justifiably received the majority of attention. That said, a number of recent decisions touching on other issues are important for parties facing potential BIPA litigation to understand.

|

The Reach of BIPA

To date, the greatest number of BIPA lawsuits have been filed against employers that collect their employees' biometric data through fingerprint or facial recognition scans. Recently, a subset of BIPA class actions have been filed against the manufacturers and/or operators of biometric data timekeeping systems. In two such cases, the plaintiffs do not allege that the defendant companies had direct contact with employees, but rather that the defendants provided the plaintiffs' employers with the technology to collect, store, and use their biometric data (or collected and stored the data by way of the third-parties' relationship with the plaintiffs' employers). In two such cases — Figueroa v. Kronos Inc., No. 19 C 1306, 2020 WL 1848206 (N.D. Ill. Apr. 13, 2020), and Bray v. Lathem Time Co., No. 19-3157, 2020 WL 1492742 (C.D. Ill. Mar. 27, 2020) — the plaintiff employees alleged that the timekeeping system manufacturers violated BIPA by collecting biometric data without meeting the statute's notification and written consent requirements. The defendants in both cases challenged the respective courts' jurisdiction, leading to different outcomes.

In Bray, the court did not reach the question of whether makers and sellers of timekeeping systems are subject to enforcement actions pursuant to BIPA's private right of action. Instead, the court found that it lacked personal jurisdiction over the defendant, a Georgia-based company with no physical presence in Illinois, and no connection to the state beyond its alleged collection and storage of the plaintiffs' data through the use of the defendant's software by the plaintiff's employer. The defendant advertised its products online to residents of Illinois, but the residents to whom it advertised were the third-party employers (the users of the technology), not the plaintiff and members of the proposed class (whose data was collected at the direction of the employers). Moreover, the court noted that the plaintiff's employer purchased the specific device used to collect the plaintiff's biometric data outside of Illinois. As a result, there were insufficient contacts between Illinois and the defendant.

In Figueroa, there was no similar discussion of personal jurisdiction given that the defendant timekeeping system maker sold thousands of its systems within Illinois. Further, the Figueroa court found that BIPA liability extends to any private entity that obtains biometric information — and that the collection of employees' biometric data by a timekeeping system can create distinct BIPA duties on the part of both the employer and the maker of that system. The plaintiffs also alleged that the defendant unlawfully disseminated employee data to other firms, further violating BIPA.

Left unresolved by these opinions is a clear standard for what level, incidence, or frequency of Illinois contacts or biometric data collection would subject a system manufacturer to the jurisdiction of the state's courts for purposes of BIPA liability. It will be left to future cases to narrow the range of contacts — thousands in Figueroa and a single system at issue in Bray — to provide a more predictable guide. On another note, the Figueroa court decision leaves open for now the question of whether the plaintiff employees have an actionable injury for purposes of standing, given that many were unaware they were interacting with the defendant company as a result of its failure to notify them. These caveats aside, both cases are instructive for defendants in BIPA litigation who lack a clear and definitive connection to Illinois residents protected by the statute.

|

BIPA's Healthcare Exemption

BIPA provides a number of exemptions, including for biometric data "obtained from a patient in a health care setting" or "collected, used, or stored in connection with healthcare treatment, payment, or operations under HIPAA." 740 ILCS Citation. A recent decision from an Illinois federal court clarifies what type of data is and is not within the scope of this exemption. See, Vo v. VSP Retail Dev. Holding, Inc., No. 19 C 7187, 2020 WL 1445605 (N.D. Ill. Mar. 25, 2020).

In Vo, the defendant's software application scans the user's face geometry and then overlays digital eyewear on the scan, allowing the user to remotely "try on" both prescription and non-prescription glasses. The plaintiff alleged that the software collected her biometric data when she used it in Illinois, in violation of BIPA notification requirements. Taking into consideration the HIPAA definition of "healthcare," the court dismissed the plaintiff's claims and held that the defendant's biometric data collection software fell within the scope of the exemption. The software offered both prescription eyewear and replicated services that would typically be performed by an eye care professional, and thus the defendant "collected biometric information from a patient in a health care setting" akin to an initial medical evaluation. Whether defendants in future BIPA lawsuits can use the HIPAA exemption (or other exemptions) as effectively as the defendant in Vo remains to be seen.

|

Preemption Arguments

Finally, some defendants have successfully argued that BIPA claims brought by employees are preempted by federal law. In Peatry v. Bimbo Bakeries USA, Inc., No. 19 C 2942, 2020 WL 919202 (N.D. Ill. Feb. 26, 2020), for example, the court dismissed a portion of the claims that arose during a time period covered by a collective bargaining agreement to which the plaintiff was subject. Peatry followed other courts, including the U.S. Circuit Court of Appeals for the Seventh Circuit (see, Miller v. Southwest Airlines Co., 926 F.3d 898 (7th Cir. 2019) (considering preemption under the Railway Labor Act)), in holding that federal labor law preempts BIPA claims in certain contexts. That said, some courts have held that BIPA claims are not preempted in other contexts. See, e.g., Treadwell v. Power Solutions Int'l, Inc., — F. Supp. 3d –, 2019 WL 6838940 (N.D. Ill. Dec. 16, 2019) (considering preemptive effect of Illinois Workers Compensation Act with respect to non-physical and non-psychological injuries alleged in BIPA complaint). The viability of a preemption argument is specific to each complaint and the respective federal or state labor law at issue.

|

Conclusion

Companies that collect, store, and use biometric information belonging to residents of Illinois should take steps to comply with BIPA's strict statutory requirements. In the event such companies nevertheless find themselves facing BIPA litigation — and mounting pressure to settle potentially lucrative class claims — they may have strong defenses available, particularly as the case law continues to develop.

*****

Frank Nolan is a litigation partner in the New York office of Eversheds Sutherland. Frank represents companies in litigation arising from BIPA and other consumer protection statutes and counsels clients on complying with these and other laws.

Andrew Weiner, also with Eversheds Sutherland (US) LLP in New York, is a not yet admitted to practice.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
How Secure Is the AI System Your Law Firm Is Using? Image

In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

COVID-19 and Lease Negotiations: Early Termination Provisions Image

During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.

Authentic Communications Today Increase Success for Value-Driven Clients Image

As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.