February 4, 2023

Volume XIII, Number 35

Error message

  • Warning: Undefined variable $settings in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).
  • Warning: Trying to access array offset on value of type null in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).
Advertisement

February 03, 2023

Subscribe to Latest Legal News and Analysis

February 02, 2023

Subscribe to Latest Legal News and Analysis

February 01, 2023

Subscribe to Latest Legal News and Analysis

BIPA Class Actions – 2022 Round-Up

Illinois Biometric Information Privacy Act (BIPA) class action lawsuits were heavily litigated again in 2022, as plaintiffs continued to target companies using biometric technology and their vendors. At the same time, avoiding liability continued to be a challenge for businesses defending BIPA cases.

We recently reported on the first BIPA class action to go to trial: a $228 million plaintiffs’ verdict. In this latest update, we review noteworthy 2022 court decisions involving a wide range of biometric technologies spanning several industries, including transportation, food service, and higher education.

Regulatory Background 

Enacted in 2008, BIPA regulates the collection, use, storage, retention, and destruction of biometric identifiers and biometric information. A “biometric identifier” is a biologically unique personal identifier, including a fingerprint, voiceprint, face geometry, or a retina or hand scan. “Biometric information” is any information based on an individual’s biometric identifier used to identify an individual.

Subject to limited exceptions, BIPA generally prohibits the collection or use of a person’s biometric identifiers and biometric information without providing notice, obtaining written consent, and developing a publicly available retention and destruction schedule. Companies in possession of biometrics may not profit from the data.

Although other states, such as Texas and Washington, have similar statutes, the Illinois statute provides a private right of action, permitting any person “aggrieved” by a violation to bring suit in state or federal court. The Illinois Supreme Court has held that a person may be “aggrieved” by a BIPA violation even if their biometric data was never misused, and they were never actually injured. It is sufficient for a plaintiff to point to solely technical violations of the statute. A prevailing plaintiff may recover actual damages or statutory damages of $1,000 for each negligent violation and $5,000 for each reckless or intentional violation.

Motor Carrier Industry: Preemption and the Dormant Commerce Clause

In July 2022, an Illinois federal judge denied a motion to dismiss a putative BIPA class action brought by a truck driver against a facial recognition technology provider for interstate motor carriers. Karling v. Samsara Inc., No. 22 C 295, 2022 WL 2663513 (N.D. Ill. July 11, 2022). The defendant, Samsara Inc., developed a dashboard camera that extracted biometric images of drivers’ faces to identify and monitor them for fatigue and distraction. The complaint alleged the plaintiff did not give Samsara permission to collect or store his biometric information, nor did he sign a written release.

Samsara moved to dismiss the complaint on preemption grounds, arguing BIPA’s requirements disrupt a “uniform scheme of federal regulation of truck safety technology.” Samsara did not rely on any particular federal statute. Rather, Samsara cited a variety of Congressional directives, a Department of Transportation website publication, and a Federal Motor Carrier Safety Administration Privacy Impact Assessment relating to equipping commercial vehicles with electronic logging devices, vehicle safety technology, and driver monitoring systems. The court determined the federal sources did not qualify as a uniform regulatory scheme. Although the sources touched on biometrics, the court said their “overwhelming aim” is traffic safety and, theoretically, companies can create truck safety technology while complying with BIPA. At the motion to dismiss stage, based on the allegations of the complaint and without the benefit of outside evidence, the court could not conclude that BIPA conflicts with Congressional intent regarding truck safety technology.

The court also declined to reach Samsara’s argument that BIPA is unconstitutional as applied to interstate motor carriers. Relying on the dormant Commerce Clause, Samsara argued BIPA burdens motor carriers and their technology providers and substantially interferes with interstate commerce. However, without discovery into Samsara’s process for scanning, storing, and using biometrics and the alleged burden of compliance with BIPA, the court could not determine whether there was a dormant Commerce Clause violation.

Identity Verification Software: Biometric Identifiers v. Biometric Information 

In another key BIPA decision, an Illinois federal judge rejected legal defenses raised by biometric software developer Onfido, Inc. Illinois, Sosa v. Onfido, Inc., No. 20-cv-4247, 2022 WL 1211506 (N.D. Ill. Apr. 25, 2022). The plaintiff filed a putative class action alleging Onfido violated BIPA through its facial recognition software. The software scans uploaded images of consumer identification cards and facial photographs to extract a unique numerical representation of each image (often called a “faceprint”). Online businesses use Onfido’s software to verify consumer identities.

Onfido moved to dismiss, arguing that information derived from photographs does not qualify as “biometric information” or “biometric identifiers.” Onfido relied on the statutory definition of “biometric identifiers,” which expressly excludes photographs. The court agreed that information derived from photographs does not constitute biometric information under BIPA, but concluded the “faceprints” Onfido created plausibly constitute biometric identifiers. The court also rejected Onfido’s argument that BIPA does not apply to a scan of a photograph rather than an actual face. The court concluded that nothing in BIPA’s text limits it to an “in person” scan.

In addition, the court rejected Onfido’s argument that BIPA violates the First Amendment as a content-based restriction on commercial speech. The court concluded BIPA does not restrict Onfido’s speech by requiring it to obtain informed consent before collecting an individual’s biometric data because BIPA does not restrict what an entity may do with biometric data once it is collected. The court also concluded BIPA is a content-neutral regulation, explaining that the definitions of biometric identifiers and biometric information do not “relate to the communicative content of that information.” Because BIPA is a content-neutral regulation, the court applied intermediate scrutiny, concluding BIPA survived because it advanced the government’s substantial interest in protecting consumers’ rights to privacy and control over their biometric information.

Restaurant Point-of-Sale Technology

In April 2022, an Illinois federal judge held that third-party providers of a point-of-sale (POS) system may be liable under BIPA. See Ronquillo v. Doctor’s Assocs., LLC, No. 21 C 4903, 2022 WL 1016600 (N.D. Ill. Apr. 4, 2022). A Subway restaurant employee who used the POS system to clock in and out and unlock the registers filed a class action complaint alleging the system’s hardware and software providers “collected and obtained her biometric information” without notice. Specifically, the POS system scanned, stored, and used the employee’s fingerprints to identify her each time she used the system. The complaint alleged the employee did not consent to the “capture, collection, use, or retention of her biometric information.”

The technology providers moved to dismiss the complaint on the basis that BIPA’s notice and consent requirements do not apply to third-party vendors of technology an employer uses to obtain its employees’ biometric data. The court disagreed, saying BIPA contains no text that limits its reach to employers. The court also rejected the argument that the vendors had no opportunity to obtain consent from Subway’s employees, because the vendors could have required Subway, as a “contractual precondition” to use the biometric POS system, to obtain its employees’ written consent to the vendors obtaining their data.

Additionally, the court disagreed that the “extraterritoriality doctrine” barred the employee’s BIPA claims against a non-Illinois resident. Because the alleged scanning of the employee’s fingerprints took place “primarily and substantially” in Illinois, the extraterritoriality doctrine did not apply.

Remote Exam Proctoring in Higher Education

In 2022, Illinois federal courts also addressed BIPA claims in a series of putative class actions brought against higher education institutions and a remote exam proctoring software company called Respondus. In each case, plaintiffs alleged that Respondus’s exam software uses student webcams to capture biometric data through scans of students’ facial geometry in violation of BIPA. In each case, the schools argued BIPA does not apply to them because they fall within an exemption for “financial institutions” subject to Title V of the Gramm-Leach-Bliley Act. Specifically, the schools argued they qualify as financial institutions because they make and administer student loans. While the schools achieved mixed results, the decisions in these cases suggest that the financial institution exemption could be a potentially winning argument for many schools subject to BIPA suits.

In Fee v. Illinois Institute of Technology, No. 21-cv-2512, 2022 WL 2791818 (N.D. Ill. July 15, 2022), the court concluded the financial institution exemption applies to institutions of higher education that are “significantly engaged in financial activities, such as making or administering student loans.” In doing so, the court rejected the plaintiff’s argument that “financial institution” should encompass only traditional financial institutions, such as banks. The plaintiff argued a broader reading could swallow BIPA given the prevalence of consumer financing and credit in retail. Nevertheless, the court concluded there was insufficient evidence that the Illinois Institute of Technology was regularly extending or administering student loans and, therefore qualified as a financial institution exempt from BIPA.

Similarly, in Patterson v. Respondus Inc., No. 20-cv-7692, 2022 WL 7100547 (Oct. 11, 2022), the court denied Lewis University’s bid for dismissal. Although Lewis University presented evidence that it participates in programs through which its students obtain loans from third-party lenders, it did not establish that the university itself was significantly engaged in lending funds to students.

Finally, and most recently, in Powell v. DePaul University, No. 21-cv-3001, 2022 WL 16715887 (N.D. Ill. Nov. 4, 2022), the court dismissed BIPA claims asserted against DePaul University. The court discussed prior court decisions addressing the financial institution exemption in the higher education context, including Fee and Patterson, and held there is a consensus that the exemption “applies to institutions of higher education that are significantly engaged in financial activities such as making or administering student loans.” Unlike Fee and Patterson, however, the Powell court took judicial notice of public records establishing that DePaul University participates in federal student aid programs and provides direct loans to students. On the basis of that evidence, the court concluded that DePaul University qualified as a financial institution exempted from BIPA.

When to Develop Written Retention and Destruction Schedule

In November 2022, an Illinois appellate court held that a company subject to BIPA must develop a written retention and destruction schedule before or at the time it first possesses an individual’s biometric data. Mora v. J&M Plating, Inc., 2022 IL App (2d) 210692, 2022 WL 17335861 (2022). In Mora, the plaintiff began clocking into work via fingerprint scan in 2014. In 2018, the defendant established a retention schedule and the plaintiff signed the policy. After the plaintiff was terminated in 2021, he filed a class action lawsuit alleging the defendant collected, stored, and used employee fingerprints without first publishing a retention and destruction schedule.

The trial court granted summary judgment for the defendant, holding that BIPA contains no time limit by which a retention schedule must be established, and the defendant ultimately established a schedule as required by the statute. The appellate court reversed, concluding that the duty to develop a written schedule is triggered by possession of the biometric data, meaning the schedule must exist on the initial date of possession, not afterward. 

What to Watch Going Forward: Statute of Limitations

As businesses have struggled to defeat BIPA claims, the Illinois Supreme Court is poised to clarify the scope of a key defense—the statute of limitations applicable to BIPA claims—in a pair of pending cases. In Tims v. Black Horse Carriers, the Court is reviewing an Illinois appellate court decision holding that a one-year statute of limitations applies to BIPA claims involving “publication” of biometric data and a five-year period applies to other BIPA claims. On appeal, the defendant argues a one-year statute of limitations should apply to all BIPA claims. In Cothron v. White Castle Systems, the Illinois Supreme Court will determine whether certain BIPA claims accrue only once upon the initial collection or disclosure of biometric information, or each time a company collects or discloses biometric information.

Companies that collect biometric data should closely monitor the outcome of the Tims and Cothron cases, as each will significantly affect the number and scope of claims they may face in BIPA class action litigation.

© 2023 ArentFox Schiff LLPNational Law Review, Volume XII, Number 343
Advertisement
Advertisement
Advertisement

About this Author

Robert D. Boley Litigation Attorney Schiff Hardin Ann Arbor, MI
Associate

Rob represents clients in a wide range of litigation matters, including complex commercial and environmental disputes, and white collar investigations and litigation. He has experience representing clients before state and federal courts, as well as in investigations by government agencies and self-regulatory organizations.

Before joining Schiff Hardin, Rob was a litigation associate in the Chicago office of an international law firm.

Experience

  • Represented a Fortune 100 manufacturer in multiple lawsuits by regulators and property owners asserting claims under...
734.222.1557
D. Reed Freeman FTC Defense Lawyer ArentFox
Partner

With nearly 30 years of experience in data privacy, data security, and FTC defense, Reed brings a mastery of the law and unparalleled experience to bear for the firm’s clients.

A recognized authority in privacy, data security, and FTC defense, Reed brings a mastery of the law and unparalleled experience to bear for the firm’s clients. He has represented clients in scores of FTC investigations involving privacy, data security, and advertising matters. He also defends companies in state consumer protection investigations and data breach responses...

202-350-3610
Paula M. Ketcham Litigation Attorney ArentFox Schiff Chicago
Partner

Clients frequently turn to Paula for high­-stakes, high-pressure, time-sensitive litigation.

Many of Paula’s cases involve employers and their departing employees, but she frequently defends clients in state and federal class actions that cross practice-area and industry boundaries. Her class action experience runs the gamut from defending employers in employment discrimination suits, fiduciaries in ERISA actions, and insurers and other companies in consumer class actions. She regularly litigates these cases beyond her Chicago home office.

...
312-258-5539
Adam L. Littman Boston Privacy Attorney ArentFox Schiff
Partner

Adam L. Littman is a Partner at ArentFox Schiff's Boston office. His practice focuses on business litigation, privacy and cybersecurity, and employment law.  

In his business litigation practice, Adam represents companies and individuals in a wide variety of complex disputes, including cases involving shareholders in closely-held businesses, commercial contracts, real estate and business transactions, non-competition and restrictive covenants, fiduciary duties, trusts and estates, and professional malpractice. Adam has significant experience in...

617-973-6195
Eva J. Pulliam Attorney Brand Protection Arent Fox Schiff Washington DC
Partner

Eva splits her time between Washington and San Francisco and concentrates her practice on brand protection: protecting data, brand image, and brand names. She advises clients across numerous industries on best practices in the areas of data privacy, advertising and marketing, and trademark. Household names, tech giants and startups, non-profits, and other innovative organizations call on Eva to guide them through product development and brand management. 

In the privacy space, Eva counsels clients around data collection, use, and transfer, as...

202-857-6323
Advertisement
Advertisement
Advertisement