Illinois Biometric Privacy Act Update: An Overview of the Defenses

By Michael Simon

Biometrics has become big business, according to one report, with the global market expected to reach a staggering $59.1 billion by 2025. As biometrics has grown as an industry, so have the legal concerns over the proper use of this particularly personal information. After all, you can change a stolen password, but you can’t easily change your fingerprints or your face. 

The first law passed in this country to deal with this issue, the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq., has become a hotbed of consumer and employee class actions in not just Illinois, but across the nation. The largest victim so far has been Facebook, which was forced to settle in July of this year a class action over photo-tagging facial recognition, for a staggering $650 million dollars. Fortunately for companies concerned about BIPA liability, we are now starting to see some viable defenses emerge.

Still Don’t Know BIPA? A Super-Brief BIPA Primer

Following an infamous bankruptcy case where the debtor, a maker of cash-register fingerprint scanners, threatened to sell its database, the Illinois legislature passed BIPA in 2008 to require any organization that uses the biometric information of Illinois consumers to:

  1. Publish a written policy with a retention schedule and destruction guideline;
  2. Obtain written consent before obtaining biometric information;
  3. Not sell, lease, trade, or “otherwise profit” from that information;
  4. Obtain consent before disclosing that information; and
  5. Protect that information in the same (or better) manner in which it protects its own confidential information. (740 ILCS 14/15(a)-(e))

While other states have passed biometric privacy laws or included biometric information under their definitions of “personal data,” BIPA remains unique in that it creates a private right of action, with statutory damages of $1,000 per violation for negligent violations or $5,000 for willful violations, plus attorneys’ fees. But BIPA lawsuits often failed to clear the hurdle set by the US Supreme Court in Spokeo v. Robins inArticle III standing, which “requires a concrete injury even in the context of a statutory violation.” However,  the Illinois Supreme Court effectively removed that hurdle last year.

The Illinois Supreme Court Creates What Some Call a BIPA “Judicial Hellhole”

Last year, in Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court bypassed Spokeo to hold that failure to comply with BIPA requirements can subject a company to statutory damages even in the absence of a showing of actual injury or adverse effect. After Rosenbach, we predicted that “the number of BIPA class actions is bound to increase” – and we were right. Over 150 class actions have been filed post-Rosenbach, which is nearly as many that were filed in total in the ten years prior. This led to the 2019/2020 “Judicial Hellholes” report featuring the headline “Illinois Supreme Court Opens The Floodgates To ‘No-Injury’ BIPA Lawsuits.”

More recently, in West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., the Illinois Appellate Court for the First District held that an insurer had a duty to defend a BIPA claim against its insured and thereby opened up a new source of funds that may result in encouraging plaintiffs’ lawyers to file more BIPA cases. But there are defenses that can potentially be effective in BIPA lawsuits – and some that are not. Here’s our take on the current state of which are which.

Defenses That Appear to Be Effective

Arbitration clauses may serve as a potential defense as shown earlier this year, in Vernia Miracle-Pond et al. v. Shutterfly Inc., in which the Northern District of Illinois granted defendant’s motion to compel arbitration in a consumer class action based upon an arbitration clause added a year after the plaintiff first clicked “Accept” on the website’s Terms of Use. Despite the fact that the defendant first sent notice on the amendment three months after the beginning of the lawsuit, the court found that a provision in Terms of Use allowed the defendant to update those Terms at will. However, another Northern District decision from this year, Acaley v. Vimeo, Inc., illustrates why contracts must still be carefully constructed, as the court denied the motion to compel arbitration because the contract contained an “Exceptions to Arbitration” clause for claims arising from “invasion of privacy.”

Collective bargaining agreement preemption has become a growing trend of defense, as many BIPA claims arise out of the employment context. In June 2019, the Seventh Circuit Court of Appeals held in Miller v. Southwest Airlines that the Railway Labor Act (RLA) provided the exclusive dispute resolution procedure for any disputes arising under an applicable collective bargaining agreement. While the RLA covers only a limited set of employers, the Labor Management Relations Act (LMRA) has a nearly identical preemptive effect with a far broader scope of coverage and so far, two Northern District of Illinois opinions this year (Gail v. University of Chicago Medical Center and Peatry v. Bimbo Bakeries USA) have made the leap from the RLA to the LMRA to dismiss cases.

HIPAA exclusions can also be effective as the courts are at times willing to read broadly BIPA’s HIPAA exclusion in section 25(b). For example, in Vo v. VSP Retail Development Holding, Inc., the Northern District of Illinois dismissed a class action claim against an online eyewear retailer for their virtual software that allowed consumers to use their smartphones to scan their faces and “try on” glasses. The court held that the “Class I medical devices,” namely prescription eyewear, and the online fitting services, similar to those performed by eye care professionals, fell under the definition of “health care” under HIPAA and were thus excluded.

Defenses That Do Not Appear to Be Successful, to date

Illinois Workers’ Compensation Act (IWCA) preemption is a “frequent argument in BIPA cases,” per the Northern District in Cothron v. White Castle System. As to this defense, the judge in Cothron found that “courts have unanimously rejected it—and for good reason.” Last month, the Illinois Appellate Court became the first higher-level state court to reject that defense in McDonald v. Symphony Bronzeville Park LLC, concluding that a BIPA claim for statutory damages is not compensable under the IWCA and thus exempted.

Exclusion of “photographs” is yet another defense that seems to be brought up often, but also fails to prevail as defendants attempt to extend the express exclusion in the BIPA definitions for “photographs” to the biometric information derived from them. This September, in one of the first cases to deal with claims stemming from the use of photos from the photo-sharing website Flickr to train facial recognition systems, Vance v. International Business Machines Corp., IBM became the latest defendant to once again unsuccessfully raise this defense.

Potential Defenses – The Jury is Still Out on These

Statute of Limitations defenses often arise in BIPA litigation because many of the systems that lead to claims have been in use for years. BIPA does not contain its own statute of limitations and, so far, plaintiffs have prevailed in the few lower court cases on this issue that the Illinois five-year “catch-all” limitations period applies. Defendants have argued by analogy, so far unsuccessfully, for the application of either the one year period for “Defamation – Privacy” or the two-year period for “Personal Injury – Penalty.”

When the claim accrues is a related issue that came up in one of the two cases to decide the applicable statute of limitations period, Robertson v. Hostmark Hospitality Group, as the state court trial judge concluded that certain BIPA claims accrue with the first and only “injury,” that is when consent should have been but was not obtained. In contrast, a few months after ruling on the IWCA preemption issue, the federal judge in Cothron v. White Castle System found that every scan taken was a separate actionable violation. Multiple Illinois trial courts have certified questions for immediate interlocutory appeal on the statute of limitations issue and the Illinois Appellate Court’s First District agreed earlier this year to review some of these appeals.

Lack of Standing claims can no longer score a knock-out win after Rosenbach, but they can at least slow down the case by knocking it back from Federal to state court. Unfortunately, results will vary depending on your jurisdiction. Last year, in Patel v. Facebook, Inc., the Ninth Circuit rejected Facebook’s Spokeo-based argument that plaintiffs lacked standing for a “bare procedural violation” instead holding that any BIPA violation “would necessarily violate the plaintiffs’ substantive interests” – which ultimately forced Facebook to agree to that massive settlement we mentioned earlier. That decision put the Ninth Circuit into conflict with the Second Circuit, which had held two years earlier in Santana v. Take-Two Interactive Software, Inc., that procedural violations of BIPA did not create Article III standing.

This year, in Bryant v. Compass Group USA, Inc., the Seventh Circuit, where the majority of BIPA cases are pending, effectively split the difference between the Ninth and the Second Circuits. The Seventh Circuit held that a violation of BIPA section 15(b), failure to obtain consent, “leads to an invasion of personal rights that is both concrete” to satisfy the Spokeo injury-in-fact requirement. However, a violation of BIPA section 15(a), failure to publish a retention policy, violates a duty “owed to the public generally” and so does not create the “particularized harm” necessary to support standing.

Duty to give notice and “possession” of the data – or more specifically the lack of each – has been hailed as a potential defense for manufacturers of biometric equipment thanks to the Northern District of Illinois last year in Heard v. Becton, Dickinson & Co., when the court held that a company whose equipment was merely used by the entity that collected the data had neither a duty under BIPA section 15(b) to obtain written consent nor “possession” of that data. Some have claimed that this logic may also exempt software providers and even Cloud storage companies because the data stored by users of these systems is not accessible to the provider and therefore technically not in their “possession.” However, other judges in the Northern District of Illinois have explicitly disagreed with the findings in Heard, and instead found that manufacturers, at least in the oft-litigated area of time clock systems, do in fact collect and possess biometric data that can make them subject to BIPA claims (Neals v. PAR Tech. Corp. and Figueroa v. Kronos Inc.), leaving this issue far from settled.

Your Best Defense Is Not to Need a Defense

The best defense to a BIPA lawsuit is to never need a defense because you avoided violating BIPA in the first place. The time to assess any technology within your organization or any third-party provider that could be collecting, storing, using, or transferring biometric information and all related policies is before you get served with a class-action complaint. We can help with that assessment and in reworking any policies as needed. As always, luck – especially the kind of luck that follows from staying out of court – favors the prepared!