Federal Court Dismisses Biometric Privacy Class Action Brought Against University, On Basis It Was a Regulated “Financial Institution”
For almost four years now, attorneys have remained relentless in their quest to extend the outer boundaries of the Illinois Biometric Information Privacy Act (BIPA) as far as courts are willing to allow. During this period, many defendants have struggled with procuring dismissals of BIPA class claims.
One particular defense, however, has developed into an extremely robust tool for companies engaged in biometric privacy class suits: BIPA’s “financial institution” exemption. Contrary to what its name suggests, the benefits of this entity-level carve-out extend to a range of entities well beyond traditional banks and financial institutions. A recent BIPA opinion issued by a Northern District of Illinois court demonstrates the expansive scope of the exemption and provides several key takeaways for defendants to defend against—and outright defeat—BIPA claims at a time when biometric privacy class action exposure continues to grow.
The Powell Decision
On November 4, 2022, an Illinois district court dismissed Powell v. DePaul Univ., No. 21-C-3001, 2022 U.S. Dist. LEXIS 201296 (N.D. Ill. Nov. 4, 2022), which was an educational biometric privacy case, on perhaps an unintuitive conclusion that the university involved was a financial institution and as such specifically exempt from complying with the Illinois Biometric Information Privacy Act (BIPA).
In Powell, a student brought a putative class action against the defendant (an university) in an Illinois state court, alleging that it violated BIPA by using an online remote proctoring tool for distance learners to capture, store, and disseminate their students’ biometric data, including, among others, their facial-recognition and detection data, without disclosing it to the students, obtaining their consent, or informing them how it disposes of their data.
The defendant removed the lawsuit to a district court for the Northern District of Illinois and moved to dismiss it for failure to state a claim under the Federal Rule of Civil Procedure 12(b)(6). The defendant argued dismissal was proper because it is a financial institution subject to Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA) and which is consequently exempt from BIPA.
Enacted in 2008, the Illinois BIPA restricts private entities’ collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and provides for a private right of action, allowing Illinois residents to file lawsuits against private entities seeking damages for the Act’s violation. Under BIPA, a private entity that collects biometric information “must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.”
BIPA requires the private entity to first inform a person in writing that it collects, captures, buys, receives through trade, or otherwise obtains that person’s biometric identifier and the purpose and length for which it collects and stores such information and then obtain that person’s informed written consent. However, BIPA specifically exempts from its scope financial institutions or their affiliates that are already subject to Title V of the GLBA and its reporting standards. A financial institution, under the GLBA definition, is “any institution the business of which is engaging in financial activities.”
In this case, the Court found the defendant to be such an institution because it “participates in the federal student aid programs and provides direct loans to consumers.” Consequently, the Court determined that the defendant should be exempt from compliance with BIPA.
To arrive at its determination, the Court thoroughly considered regulatory and judicial authorities on the issue. Specifically, the Court relied on the Federal Trade Commission (FTC), noting that it considers colleges and universities that are “significantly engaged in lending funds to consumers” to be financial institutions subject to Title V of the GLBA.
The Court then reviewed the Department of Education’s (DOE) public guidance issued in 2020, in which the DOE stated that “the GLBA required financial institutions to have information privacy protections, and that the FTC has enforcement authority for the requirements and has determined that institutions of higher education . . . are financial institutions under GLBA.”
The Court additionally relied on the privacy rules of the Consumer Financial Protection Bureau (CFPB), which considers universities that are “significantly engaged in financial activities” to be financial institutions.
Lastly, the Court looked at five prior rulings regarding similar circumstances to this litigation, all of which considered BIPA exemption to apply to institutions of higher education “that are significantly engaged in financial activities such as making or administering student loans.”
With these analytical underpinnings, the Court turned to the facts of the lawsuit, taking under judicial notice the defendant’s Participation Agreement with the DOE, among other publicly available documents. The documents revealed that the defendant participates in the federal student aid programs and administers direct loans to students. Under the GLBA definition, these functions qualified the defendant to be a financial institution, leading the Court to dismiss the lawsuit.
Analysis and Takeaways
BIPA’s Financial Institution Exemption Extends Well Beyond Traditional Financial Institution Entities
The key takeaway from the Powell decision is that a private entity may be exempt from complying with BIPA’s requirements based on the financial institution exemption, even if its business is not that of a financial institution in the traditional sense of this word. BIPA’s exemption is quite broad, exculpating even institutions of higher education from compliance with BIPA when they participate in the federal student aid programs and administer loans to students.
From a broader perspective, any entity that is subject to the GLBA’s privacy-related requirements—commonly known as the Financial Privacy Rule—is entitled to utilize the exemption as a complete defense in BIPA class litigation. On this issue, courts are in unison that the proper definition of “financial institution” applicable in the context of BIPA is that which is set forth in the GLBA to describe GLBA-regulated entities, as opposed to the common law meaning of the term.
This is a significant issue for defendants that face increasing BIPA liability exposure, as the definition of financial institution under the GLBA is extremely broad, encompassing any institution the business of which is engaging in financial activities, such as lending, exchanging, transferring, investing for others, or safeguarding money or securities; providing financial, investment, or economic advisory services; and underwriting, dealing in, or making a market in securities, among others.
Ensure Motions Seeking Dismissal Pursuant to the Financial Institution Exemption Are Supported by Sufficient Case-Specific Evidence
With that said, defendants embroiled in BIPA lawsuits will not be able to procure a dismissal from class litigation simply by virtue of the fact that they are GLBA-regulated entities. Instead, defendants must be able to clearly establish their entitlement to invoke this exemption. This task is especially critical in connection with the pursuit of early motions to dismiss, where the scope of evidence that can be considered by a judge in ruling on the motion is curtailed.
As illustrated in Powell, the university in that case supported its motion to dismiss by attaching judicially noticeable documents indicating its participation in federal student aid programs requiring GLBA compliance. The court found this evidence established the university’s status as a financial institution within the meaning of the GLBA, which in turn necessitated the dismissal of the BIPA claims brought against it.
As such, those that seek dismissal from BIPA litigation pursuant to their status as a financial institution under the financial institution exemption must ensure that their motions are properly supported with sufficient evidence to allow the court to conclude that BIPA’s financial institution exemption applies specifically to the particular activities engaged in by the defendant in order to maximize the likelihood of a favorable outcome on a motion seeking to definitively end the litigation.
For more on this, stay tuned. CPW will be there to keep you in the loop.