
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel.

Companies that collect, store, and use biometric data of their employees and consumers are justifiably concerned about running afoul of the Illinois Biometric Information Privacy Act (BIPA). The statute, which imposes written consent and data retention requirements, is the only one of its kind to provide a private right of action, allowing recovery of $1,000 per violation ($5,000 if reckless or intentional), plus attorneys' fees. The statute has become a favorite tool of plaintiffs' attorneys, who have filed hundreds of putative class action lawsuits over the last few years.

The stream of BIPA suits filed each week remains steady, and multi-million dollar settlements have become commonplace. For users of biometric information subject to BIPA's rigorous requirements, the last two years have brought mostly bad news, most notably a smattering of unfavorable decisions on the question of whether plaintiffs must suffer an injury in order to avail themselves of BIPA.

Against this backdrop, however, courts have issued decisions on other aspects of BIPA, including the jurisdictional reach of the statute across state lines, the application of the law to third-party data vendors, the statute's health care data exemption, and the preemptive effect of labor laws. Although these decisions may not grab the same headlines as a half-billion-dollar settlement, they should begin to define the contours of the law and give parties to BIPA litigation some much-needed clarity.


Article III Standing

A central question in BIPA litigation has, thus far, been whether a plaintiff needs to allege an actual injury, separate and apart from a statutory violation of BIPA. The Illinois Supreme Court held, in January 2019, that no such requirement is imposed for complaints filed in Illinois state courts, including because the Illinois Constitution does not have an analog to the US Constitution's Article III injury-in-fact requirement. Later in 2019, the US Court of Appeals for the Ninth Circuit held that a plaintiff who had alleged a BIPA violation had satisfied the Article III standing requirement because BIPA was designed to protect an individual's common law right to privacy, which the court found was a concrete (and not merely procedural) injury. These decisions were largely at odds with the majority of decisions from district courts in Illinois, which had held that plaintiffs who only alleged violation of BIPA's statutory requirements, without some additional harm, did not have standing and could not pursue their claims.

Most recently, on May 5, 2020, the U.S. Court of Appeals for the Seventh Circuit weighed in on this issue in Bryant v. Compass Group USA, Inc. The factual allegations in the complaint are straightforward: the plaintiff alleges that the defendant collected, stored and used her biometric information without her consent, in violation of BIPA. The procedural posture in the matter was more unusual. The defendant had removed the matter to federal court pursuant to the Class Action Fairness Act (CAFA), and the plaintiff subsequently sought to remand the matter back to state court. The plaintiff argued that the federal court lacked subject matter jurisdiction because she did not suffer a concrete injury-in-fact as required to satisfy the Article III standing requirement. The district court granted the motion to remand, and the defendant appealed to the Seventh Circuit, arguing that the plaintiff had alleged an injury-in-fact. Thus, the parties took positions at odds with those typically asserted by parties in their position in these matters, and the defendant carried the burden of showing to the appellate court that the plaintiff had suffered an injury.

The Seventh Circuit agreed with the removing defendant, finding that the alleged violation of BIPA's Section 15(b), which imposes consent requirements on the party collecting biometric information, amounted to an injury-in-fact in two respects. First, the violation amounted to an invasion of the plaintiff's "private domain," similar to that of an act of trespass. The court further noted that the common interest in protecting individuals' personal privacy bolstered its holding. Second, the court held that the defendant's alleged failure to obtain informed consent from the plaintiff equated to an informational injury, including because the defendant "withheld substantive information to which [the plaintiff] was entitled and thereby deprived her of the ability to give the informed consent section 15(b) mandates." Had the plaintiff been provided such information, perhaps she would have made another decision, i.e., to withhold her biometric data from the defendant.

Although it did not impact the ultimate holding in the case, the court separately found that an alleged violation of BIPA's Section 15(a), which requires publication of a retention and destruction schedule for the collected biometric information, was not enough to confer Article III standing on its own.

Although this decision resulted in a favorable ruling for the defendant, it is likely to be cited by future plaintiffs facing motions to dismiss for lack of standing. The decisions on standing have justifiably received the majority of attention. That said, a number of recent decisions touching on other issues are important for parties facing potential BIPA litigation to understand.


The Reach of BIPA

To date, the greatest number of BIPA lawsuits have been filed against employers that collect their employees' biometric data through fingerprint or facial recognition scans. Recently, a subset of BIPA class actions have been filed against the manufacturers and/or operators of biometric data timekeeping systems. In these cases, the plaintiffs do not allege that the defendant companies had direct contact with employees, but rather that the defendants provided the plaintiffs' employers with the technology to collect, store, and use their biometric data (or collected and stored the data by way of the third parties' relationship with the plaintiffs' employers). In two such cases — Figueroa v. Kronos Inc., (N.D. Ill. Apr. 13, 2020), and Bray v. Lathem Time Co., (C.D. Ill. Mar. 27, 2020) — the plaintiff employees alleged that the timekeeping system manufacturers violated BIPA by collecting biometric data without meeting the statute's notification and written consent requirements. The defendants in both cases challenged the respective courts' jurisdiction, leading to different outcomes.

In Bray, the court did not reach the question of whether makers and sellers of timekeeping systems are subject to enforcement actions pursuant to BIPA's private right of action. Instead, the court found that it lacked personal jurisdiction over the defendant, a Georgia-based company with no physical presence in Illinois, and no connection to the state beyond its alleged collection and storage of the plaintiffs' data through the use of the defendant's software by the plaintiff's employer. The defendant advertised its products online to residents of Illinois, but the residents to whom it advertised were the third-party employers (the users of the technology), not the plaintiff and members of the proposed class (whose data was collected at the direction of the employers). Moreover, the court noted that the plaintiff's employer purchased the specific device used to collect the plaintiff's biometric data outside of Illinois. As a result, there were insufficient contacts between Illinois and the defendant.

In Figueroa, there was no similar discussion of personal jurisdiction given that the defendant timekeeping system maker sold thousands of its systems within Illinois. Further, the Figueroa court found that BIPA liability extends to any private entity that obtains biometric information — and that the collection of employees' biometric data by a timekeeping system can create distinct BIPA duties on the part of both the employer and the maker of that system. The plaintiffs also alleged that the defendant unlawfully disseminated employee data to other firms, further violating BIPA.

Left unresolved by these opinions is a clear standard for what level, incidence, or frequency of Illinois contacts or biometric data collection would subject a system manufacturer to the jurisdiction of the state's courts for purposes of BIPA liability. It will be left to future cases to narrow the range of contacts — thousands in Figueroa and a single system at issue in Bray — to provide a more predictable guide. On another note, the Figueroa court decision leaves open for now the question of whether the plaintiff employees have an actionable injury for purposes of standing, given that many were unaware they were interacting with the defendant company as a result of its failure to notify them. These caveats aside, both cases are instructive for defendants in BIPA litigation who lack a clear and definitive connection to Illinois residents protected by the statute.


BIPA's Healthcare Exemption

BIPA provides a number of exemptions, including for biometric data "obtained from a patient in a health care setting" or "collected, used, or stored in connection with healthcare treatment, payment, or operations under HIPAA." A recent decision from an Illinois federal court clarifies what type of data is and is not within the scope of this exemption. See Vo v. VSP Retail Dev. Holding, Inc.

In Vo, the defendant's software application scans the user's face geometry and then overlays digital eyewear on the scan, allowing the user to remotely "try on" both prescription and non-prescription glasses. The plaintiff alleged that the software collected her biometric data when she used it in Illinois, in violation of BIPA notification requirements. Taking into consideration the HIPAA definition of "healthcare," the court dismissed the plaintiff's claims and held that the defendant's biometric data collection software fell within the scope of the exemption. The software offered both prescription eyewear and replicated services that would typically be performed by an eye care professional, and thus the defendant "collected biometric information from a patient in a health care setting" akin to an initial medical evaluation. Whether defendants in future BIPA lawsuits can use the HIPAA exemption (or other exemptions) as effectively as the defendant in Vo remains to be seen.


Preemption Arguments

Finally, some defendants have successfully argued that BIPA claims brought by employees are preempted by federal law. In Peatry v. Bimbo Bakeries USA, Inc., (N.D. Ill. Feb. 26, 2020), for example, the court dismissed a portion of the claims that arose during a time period covered by a collective bargaining agreement to which the plaintiff was subject. Peatry followed other courts, including the U.S. Circuit Court of Appeals for the Seventh Circuit (Miller v. Southwest Airlines Co.) in holding that federal labor law preempts BIPA claims in certain contexts. That said, some courts have held that BIPA claims are not preempted in other contexts. See Treadwell v. Power Solutions Int'l, Inc., (N.D. Ill. Dec. 16, 2019). The viability of a preemption argument is specific to each complaint and the respective federal or state labor law at issue.


Conclusion

Companies that collect, store, and use biometric information belonging to residents of Illinois should take steps to comply with BIPA's strict statutory requirements. In the event such companies nevertheless find themselves facing BIPA litigation — and mounting pressure to settle potentially lucrative class claims — they may have strong defenses available, particularly as the case law continues to develop.

 

Frank Nolan is a litigation partner in the New York office of Eversheds Sutherland. Frank represents companies in litigation arising from BIPA and other consumer protection statutes and counsels clients on complying with these and other laws.

Andrew Weiner, also with Eversheds Sutherland (US) LLP in New York, is not yet admitted to practice.