The Illinois Biometric Information Privacy Act (BIPA) requires businesses that collect biometric data (fingerprints, facial scans, etc.) to provide certain disclosures to the people from whom they collect the data, to obtain their consent to collect the data, and to publish a policy explaining what the businesses will do with the collected data. 740 ILCS 14/1 et seq. BIPA also provides that individuals who are “aggrieved” by a business’s violation of those requirements can bring a private right of action. 740 ILCS 14/20. Other states have enacted biometric privacy laws, like Texas and Washington, though no other state laws currently include a private right of action. See Texas Statute on the Capture or Use of Biometric Identifier (Tex. Bus. & Com. Code Ann. §503.001) and Washington House Bill 1493 (“H.B. 1493”).
Though BIPA was enacted in 2008, it was not until last year that plaintiffs’ counsel started regularly pursuing class actions under BIPA. Over 30 class actions were filed in state and federal courts in Illinois by the end of 2017, alleging violations of BIPA and seeking statutory damages of up to $5,000 per violation (in some, arguing each fingerprint or face scan was a separate violation). Defendants include a range of businesses: hospitality employers that use fingerprint time clocks and businesses like amusement parks, tanning salons and gyms that use fingerprints for customers to access facilities.
Thus, courts in Illinois have only recently had the opportunity to address the parameters of BIPA liability, including what types of claims are actionable. In particular, two recent decisions—one in the Illinois Appellate Court and one in the United States District Court for the Northern District of Illinois—provide an early roadmap for attorneys defending BIPA lawsuits and identify issues that may be raised in other states.
Recovery Under BIPA Requires Actual Harm
In the first important decision, the Illinois Appellate Court held that a plaintiff must suffer actual harm resulting from the claimed BIPA violation to state a BIPA claim.
In Rosenbach v. Six Flags Entertainment Corporation & Great America LLC, 2017 IL App (2d) 170317, the plaintiff claimed that the defendants violated BIPA when Great America—a local amusement park—fingerprinted her son when he purchased a season pass. Plaintiff alleged that defendant did not provide her or her son with written notice of the purpose and time period for which her son’s thumbprint would be collected, stored, and used, and that neither signed a written release. Plaintiff did not allege that she or her son suffered any actual injury but that, if she had known of defendants’ use of her son’s biometric data, she would not have allowed her son to purchase the pass.
Plaintiff brought a class action on behalf of all similarly situated theme park customers for maximum damages ($5,000 per violation) under BIPA.
Defendants moved to dismiss the complaint, arguing that a person who suffers no actual harm has not been “aggrieved,” as that term is used in the statute. The trial court denied the defendants’ motion to dismiss but later certified the issue for appellate review.
On appeal, the Illinois Appellate Court agreed with defendants, and held that for a plaintiff to qualify as a “person aggrieved,” the plaintiff must allege some “actual harm.” The court explained “[i]f a person alleges only a technical violation of the Act without alleging any injury or adverse effect, then he or she is not aggrieved and may not recover” under the Act, either for injunctive relief or damages. The court relied on the dictionary definition of “aggrieved” and decisions addressing similar statutory language in other jurisdictions. Additionally, the court noted that finding a technical violation of the statute to be actionable would render the word “aggrieved” in the statute superfluous, and therefore would be contrary to the legislature’s intent.
This was the first Illinois Appellate Court decision interpreting BIPA and its definition of “person aggrieved.”
Removal of a BIPA Action to Federal Court May Be Expensive and Unsuccessful
Defendants facing a lawsuit involving class allegations will often remove the case to federal court, almost reflexively. However, that may not be the best approach for class actions alleging BIPA violations. In BIPA cases where the defendant will argue that the plaintiff cannot show he has suffered actual harm, the defendant may need to remain in state court, as it may be unable to meet its burden of demonstrating that a federal court has jurisdiction if it cannot (or does not want to) show that plaintiff has suffered an injury sufficient to confer standing.
For example, in Barnes v. Aryzta, LLC, plaintiff, on behalf of himself and a class of similarly situated individuals, alleged that the defendant violated BIPA by collecting employee fingerprints without appropriate disclosure, policies, or consent, and was therefore liable to the plaintiffs for statutory penalties of up to $5,000 per violation. Case No. 17- CV-7358, 2017 BL 455579 (N.D. Ill. Dec. 20, 2017). Plaintiff filed his lawsuit in state court on August 17, 2017. Defendant removed it to federal court, claiming jurisdiction under the Class Action Fairness Action (“CAFA”), on October 12, 2017.
After removal, defendant filed a motion to dismiss under Rule 12(b)(1) and 12(b)(6), arguing, among other things, that because plaintiff had not sustained an Article III injury, the court lacked subject matter jurisdiction. Then defendant did an about-face. Four days after filing the motion to dismiss, defendant sought leave of the court to withdraw its motion and to file an amended motion raising only Rule 12(b)(6) arguments for dismissal. The court granted the motion for leave, but shortly thereafter plaintiff filed a motion to remand the case to state court, arguing that defendant had not met its burden of proving that the district court had jurisdiction, because defendant did not prove plaintiff had an injury sufficient to confer standing. (Of course, given that the defendant has the burden of proof for removal purposes, the plaintiff was not put in the awkward position of demonstrating that he in fact had not been injured.)
Defendant argued in opposition to plaintiff’s motion to remand that removal was proper, because the case satisfied the CAFA requirements, and that it could raise the Article III standing issue at some later point in the proceedings in federal court. Defendant further argued that the court need not finally address standing at the motion to dismiss stage.
The court granted plaintiffs motion to remand, citing Mocek v. Allsaints USA Ltd., 220 F. Supp. 3d 910 (N.D. Ill. 2016), and stating, “Defendant has gone from arguing that this Court does not have jurisdiction to taking the position that federal jurisdiction may or may not later prove to be lacking. In short, Defendant does not even attempt and thus necessarily fails to persuade the Court that federal jurisdiction exists.” The court then went on to award plaintiffs their fees and costs incurred with the removal.
Of course, every case is unique, and if a plaintiff was actually harmed by a violation of BIPA, federal court may well be the best place for the lawsuit to proceed, from both parties’ perspectives. But, given the risk of paying the other side’s fees and the burden of proof on removal, BIPA defendants should thoughtfully consider whether removal is the best strategy in each case.
Illinois courts will likely resolve other BIPA issues soon, including what constitutes biometric data for purposes of BIPA (i.e. is a partial scan or numeric representation of a fingerprint enough?) and what is actual harm (i.e. does transmittal of data across state lines or in an insufficiently secured manner create a sufficient risk of harm that it should be actionable?).
Other states outside of Illinois are also analyzing how to address the increasingly prevalent collection of biometric data. As we mentioned, Texas and Washington have statutes similar to BIPA, but without private rights of action. Other states, including Idaho, have considered enacting biometric data privacy statutes with private rights of action, but none has yet been enacted. And the FTC has offered recommended best practices for businesses that collect biometric data, though no formal rules, yet.
Regardless of whether your clients do business in Illinois or work with companies that do business in Illinois, attorneys should keep this evolving area of law in mind as they advise clients that may be updating timekeeping devices or expanding client services platforms, which may require new disclosures and policies.