Enacted in 2008, the Illinois Biometric Information Privacy Act (BIPA) continues to be the most consumer-friendly biometric privacy law in the country. In the wake of the Illinois Supreme Court’s seminal 2019 decision in Rosenbach v. Six Flags, plaintiffs have filed hundreds of class action lawsuits against businesses and employers in a broad range of industries, including manufacturing, logistics, retail, hospitality, food and beverage, health, and technology. These lawsuits have been filed because of a perception that BIPA, as interpreted by the Illinois Supreme Court in Rosenbach, creates significant liability where biometric information has been collected from an employee or consumer without first providing notification and obtaining consent, even if no actual damages have been suffered.
In the spring of 2020, however, there have been a handful of court decisions that have bucked the previously plaintiff-friendly BIPA trends and perceptions. In the biometric privacy wars between consumer, company and insurance carrier, these recent cases have ruled in favor of the company, in areas such as federal subject matter and personal jurisdiction, interpretation of BIPA obligations and exceptions and BIPA-related insurance coverage disputes.
BIPA and Article III Standing
For the last few years, federal courts have disagreed about the circumstances under which a BIPA lawsuit can meet Article III subject matter jurisdiction standards when the plaintiff has not alleged that he or she suffered any actual damages. Some federal district courts previously held that the mere collection of biometric information by an entity, without any accompanying actual damages, does not satisfy Article III’s injury-in-fact standing requirements. These rulings led to plaintiffs and, less frequently, defendants using the "ace card" of a motion to remand a case to state court as a way to undermine proceeding in federal court or slow down the litigation.
On May 5, 2020, the Seventh Circuit, in Bryant v. Compass Group USA, Inc., put an end to these legal maneuverings and held that the mere collection of biometric information is itself enough of an injury in fact to confer Article III standing. The court stated that a violation of BIPA’s requirement that notice be given to an individual before his or her biometric information is collected (codified in Section 15(b)) is not a purely procedural requirement. Rather, failure to provide the required notice deprives an individual of informed consent and the ability to decline participation in the activity for which collection is required. However, the court held that a violation of BIPA’s requirements as to proper policies and retention standards (codified in Section 15(a)) does not create an injury in fact, but rather is akin to "an invasion of [a person’s] private domain, much like an act of trespass would be." Thus, any claim based upon Section 15(a) cannot remain in federal court unless the violation in question caused actual harm.
The takeaway from Compass is that BIPA plaintiffs can sue in federal court and defendants can remove a Section 15(b) BIPA case filed in state court to federal court — if diversity requirements are met — without fear of the case being remanded for lack of standing.
Personal Jurisdiction and BIPA
Many companies have wondered about how far the requirements of BIPA extend jurisdictionally, and whether its strict provisions can apply to businesses having merely tangential contacts with Illinois. A recent case from the Northern District of Illinois has shed some light on this question.
In Bray v. Lathem Time Co., Case No. 3-19-CV-03157, an employee filed a class action lawsuit in an Illinois federal district court against Lathem Time Co. (Lathem), a Georgia-based company that designed and sold biometric-based timekeeping systems to his former employer, a lumber sales company, to track the time worked by hourly employees. The employee alleged that, even though he did not work for Lathem, the company violated BIPA by collecting, storing, using and/or disclosing his biometric information without giving notice and obtaining consent from him or establishing a biometric information retention policy as required by BIPA. Lathem moved to dismiss based upon lack of personal jurisdiction.
On March 27, 2020, the court granted Lathem’s motion. It held that Lathem did not have sufficient contacts with Illinois to establish personal jurisdiction. In particular, Lathem’s operation of a highly interactive website that could be used in Illinois was insufficient, absent any physical presence — offices or facilities — in Illinois or intentional targeting of Illinois customers (i.e., maintaining a sales or marketing program in Illinois, having advertising in Illinois, or sending representatives to Illinois). Moreover, the division of the plaintiff’s former employer with whom Lathem conducted business was actually in Arkansas, not Illinois. As such, the court held that the random, fortuitous or attenuated contacts that Lathem had with Illinois were insufficient for personal jurisdiction.
Lathem provides a reminder that, irrespective of the strict nature of BIPA, courts will still require sufficient contacts with Illinois, and a company can take proactive steps to avoid establishing these connections by being mindful of its physical presence in Illinois and whether it specifically markets to Illinois customers.
The Duty to Give Notice and the Definition of "Possession"
Many unresolved questions remain on the merits of BIPA claims, including the question of who exactly has the duty to seek consent from consumers — the initial collector or also other parties that come into possession of biometric information. In Corey Heard v. Becton, Dickinson & Co., Case No. 19 C 4158, a federal court in the Northern District of Illinois shed some light on when the obligations under BIPA to obtain consent are triggered, and what it means to actually "possess" biometric information for purposes of statutory liability.
In Heard, the plaintiff, a respiratory therapist in Illinois, filed a class action lawsuit against Becton, Dickinson and Company (Becton), which manufactured an automated medication dispensing system that was used by the plaintiff. Becton filed a motion to dismiss, contending that, as the manufacturer of devices used by other companies, Becton did not actively collect biometric information and thus it did not have the duty to provide notice and obtain informed consent from consumers, despite the fact that it retained the collected biometric information.
On Feb. 24, 2020, the court granted Becton’s motion, and, carefully construing the language of BIPA, held that the consent requirement (codified in Section 15(b)) only applied to entities that directly collected information, as opposed to a company whose device was merely used for the collection. The court also held that the plaintiff did not sufficiently allege that Becton had "possession" of biometric information — so as to invoke other BIPA provisions. The court noted that there were no allegations in the complaint that Becton "exercised any form of control over the data or that it held that data at its disposal."
Heard is an important case that could have broad-reaching implications. First, it may allow a path to victory for timekeeping or other manufacturing or technology companies whose devices are merely used by another party, and who do not actively target consumers for collection. Heard may also provide a defense to cloud-service companies that have been sued under BIPA, and that merely host biometric data collected by other parties, but do not have actual access to the data in a readable form. Heard also provides a reminder that federal pleading standards are not automatically met by "merely parroting" the statutory language of BIPA in a complaint. Finally, at least one other federal court in the Northern District of Illinois – Figueroa v. Kronos Inc., No. 19 C 1306 – has disagreed with the rationale in Heard and has allowed BIPA cases against outside vendors to proceed.
BIPA's Healthcare Exemption
BIPA contains a statutory provision exempting from its requirements information captured from a patient in a health care setting, or information collected for health care treatment.
In Vo v. VSP Retail Development Holding, Inc., the plaintiff filed a class action lawsuit in the United States District Court for the Northern District of Illinois against VSP Retail Development Holding, Inc. (VSP), a manufacturer and seller of prescription and non-prescription eyewear. VSP’s website offered virtual software that allowed consumers, like the plaintiff, to use their smartphones and other web-camera enabled devices to "try on" eyewear remotely after using the phones' cameras to scan the consumer’s facial geometry. The plaintiff alleged that VSP scanned her face and used the information regarding her facial geometry without giving notice and obtaining her consent or establishing a biometric information retention policy as required by BIPA. VSP filed a motion to dismiss the complaint based upon the healthcare exemption.
On March 25, 2020, the court granted VSP’s motion to dismiss, holding that VSP’s alleged face scan was obtained from a patient in a health care setting. The court examined HIPAA’s definition of "health care," which is: (1) "[p]reventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body" and (2) "[s]ale or dispensing of a drug, device, equipment, other item in accordance with a prescription." The court noted the complaint alleged VSP manufactured and sold prescription and non-prescription eyewear, which federal regulations classify as Class I medical devices. The court further found that VSP’s collection of facial geometry was similar to the diagnostic service typically performed by an eye care professional in order to ensure the proper fit for the corrective eyewear and that the collection is therefore from a patient in a health care setting.
Under BIPA, the health care exemption can be a powerful weapon for certain defendants, as Vo helps highlight. It can be creatively applied to industries traditionally not considered "healthcare."
Insurance Coverage for BIPA Claims
In BIPA litigation, a key question is whether the defendant to a BIPA claim is entitled to any insurance coverage under a pre-existing policy. This question is dependent upon the specific coverage language used in the policy.
In West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., the defendant to a BIPA lawsuit, Krishna Schaumburg Tan (Krishna), sought coverage from its insurance carrier West Bend. The carrier agreed to defend Krishna under a reservation of rights, and then filed suit seeking a declaration that it had no duty to defend or indemnify Krishna. The trial court held that West Bend had a duty to defend under the insurance agreement.
On March 20, 2020, the Illinois Appellate Court for the First District affirmed the trial court’s decision. The key question focused on how to interpret the insurance policy’s definition of "personal injury," and whether the underlying BIPA lawsuit fell under this term. The policy defined "personal injury," in part, as injuries arising out of "oral or written publication of material that violates a person’s right of privacy." The court held the underlying lawsuit’s allegations that Krishna disseminated biometric information to third parties satisfied the "publication" aspect of the policy’s definitions. The court also narrowly interpreted a data-privacy related coverage exclusion, stating that it only applied to violations of statutes governing "methods of communication" such as emails, faxes and phone calls, and "not to other statutes that limit the sending or sharing of certain information."
The West Bend case has important implications for insurance coverage of BIPA claims. It also has a potentially significant effect on the proper statute of limitations under BIPA, which is silent on the limitations period. Defendants have argued that the one-year catch-all statute of limitations for slander, libel or for publication of matter violating the right of privacy found in the Illinois Code of Civil Procedure applies, and, interestingly, this catch-all has nearly identical language to the policy definition in West Bend. It remains to be seen whether the effects of the West Bend ruling will extend beyond the insurance context.
These cases show that the language of BIPA, as interpreted by the courts, is nuanced and there are some important defenses for defendants to consider. One thing is certain — due to the hundreds of BIPA cases that have been filed in state and federal courts in the last year, it is expected that there will be many more decisions on important procedural and merits issues in the next six months.
Taft attorneys remain committed to monitoring this ever-changing area of the law and providing counseling and litigation services for companies who are dealing with issues related to the collection of biometric information.