Illinois Biometric Privacy Suit Survives Dismissal Based on Harm from Alleged Disclosure of Data to Outside Vendor
Last December, an Illinois appellate court, in the Rosenbach v. Six Flags decision (2017 IL App (2d) 170317 (Dec. 21, 2017)), dismissed biometric privacy claims lodged against theme park operators for collecting fingerprints to authenticate season-pass holders allegedly in violation of the notice and consent provisions of Illinois’s Biometric Information Privacy Act (BIPA), which regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information. BIPA expressly provides that “any person aggrieved by a violation” of the BIPA may pursue money damages and injunctive relief against the offending party. In interpreting what “aggrieved” means under BIPA, the Rosenbach court ruled that a “person aggrieved by a violation of [the] Act” must allege some harm (“[A] plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under…the Act”). While federal courts have weighed in on whether litigants have Article III standing when asserting mere procedural violations of BIPA’s consent and data retention requirements, it was not clear if such procedural violations, without any showing of harm or data misuse, were actionable under the statute. Rosenbach was the first time an Illinois appellate court weighed in on the meaning of an “aggrieved” party under BIPA.
Following Rosenbach, we speculated whether the decision would curb the wave of BIPA class actions asserting procedural violations filed against employers and businesses that used biometrics to authenticate employees or customers; the answer to that question remains in flux, with subsequent rulings falling both ways. For example, at least two Illinois trial courts followed Rosenbach in dismissing BIPA claims, though without intensive analysis of the issue. See: Rottner v. Palm Beach Tan, Inc., No. 15-CH-16695 (Ill. Cir. Ct. Mar. 2, 2018) (bound by Rosenbach‘s holding that neither liquidated damages nor injunctive relief is authorized under BIPA when the only injury alleged is a statutory violation; court stated that plaintiff allowed defendants to scan her fingerprint and there had been no publication of plaintiffs private information to sustain injury to a privacy right); Sekura v. Krishna Schaumburg Tan, Inc., No. 16-CH-04945 (Ill. Cir. Ct. Jan. 16, 2018) (brief order dismissing claims “[f]or the reasons outlined in Rosenbach”) (on appeal).
However, the recent California district court ruling in the Facebook biometric privacy litigation parted company with a reading of Rosenbach that would require a litigant to show an “actual” injury beyond the invasion of privacy rights outlined under BIPA and instead ruled that the plaintiffs had “sufficiently alleged” an intangible injury to a privacy right to be “aggrieved” under BIPA. It should be noted that the California court did look differently at Rosenbach and other cases involving voluntary fingerprinting where individuals knew that their biometric data would be collected before they accepted services as opposed to the social media photo tagging situation where such plaintiffs allege that they were not put on adequate notice that biometric data could be collected from uploaded photos.
This past month, in a notable ruling, an Illinois appellate court followed Rosenbach yet still declined to dismiss a suit brought by a former employee who asserted BIPA and negligence claims, among others, against a senior living center (“Defendant” or “Smith”) and its time clock vendor over the scanning of her fingerprints onto an employee biometric timekeeping device. (Dixon v. The Washington and Jane Smith Community – Beverly, No. 17-8033 (N.D. Ill. May 31, 2018)). Specifically, the complaint alleged that Smith required new employees to have their fingerprints scanned by the defendant Kronos’s fingerprint scanner and entered into a database so employees could be authenticated when clocking in and out. According to the plaintiff, Smith, among other things, failed to give adequate notice or obtain written consent before colleting her fingerprints, or post a biometric data retention policy. Moreover – and really the allegation that pushed the complaint over the line – plaintiff claimed that, in addition to collecting and storing her biometric information, Smith also “systematically disclosed” that information to Kronos, the out-of-state, third-party vendor of Smith’s biometric time clocks, without informing her that it was doing so.
In determining the standing issue, the Dixon court stated that “obtaining or disclosing a person’s biometric information without consent or knowledge necessarily violates that person’s right to privacy in her biometric information.” Tellingly, the court noted that the allegation that Smith disclosed plaintiff’s fingerprint data to its third-party vendor without informing her distinguished this case from others in which alleged violations of BIPA were determined insufficiently concrete. (See e.g., Goings v. UGN, Inc., No. 17-9340 (N.D. Ill. June 13, 2018) (remanding BIPA claims for lack of Article III standing because claims were too abstract and employee was aware he was providing fingerprint data to his employers and did not claim any non-consensual disclosure of such data). The court further stated that the fact that plaintiff voluntarily scanned her fingerprint to the biometric time clock Smith required her to use, just as the plaintiffs in other cases voluntarily allowed their fingerprints or faces to be scanned, “does not change the Court’s conclusion, because there is no indication that [plaintiff] ever consented to (or even knew about) Smith’s subsequent disclosure of her fingerprint scan to [Smith’s vendor] Kronos.”
Using similar reasoning, the court also ruled that, at least at this stage of the litigation, the plaintiff demonstrated that she is sufficiently “aggrieved” to show a cognizable claim under BIPA based upon the allegation that Smith failed to inform its employees that it discloses employees’ fingerprint data to its out-of-state third-party vendor. As such, the court held that BIPA established a right to privacy in such biometric information and that obtaining or disclosing a person’s biometric data without her consent or knowledge necessarily infringes on the right to privacy in that data, making such claims sufficient to make the plaintiff a “person aggrieved” within the meaning of the statute. In allowing the BIPA claims to go forward, the Dixon court recognized the holding in Rosenbach, yet distinguished the instant case because the Dixon plaintiff alleged an injury to a privacy right – that defendants either disclosed her biometric data without consent (in the case of Smith) or obtained it without her knowledge (in the case of Kronos). Hanging onto the allegation of third-party disclosure, the court also distinguished Rottner because the plaintiff in Rottner “did not allege that the defendant disclosed her biometric data to another party.”
Looking ahead, it remains to be seen how future courts will interpret the meaning of “aggrieved” under BIPA (and how such interpretation will affect class certification issues) and whether we will see more plaintiffs’ lawyers drafting complaints, where factually appropriate, to allege third-party disclosure of biometric data to overcome standing and BIPA statutory challenges. The ultimate outcome of the “aggrieved” party question will likely arrive when the Illinois Supreme Court issues its interpretation of BIPA – an opinion which will be forthcoming as Illinois’s high court accepted the appeal of the Rosenbach decision on May 30th, and presumably will answer the question of whether a person “aggrieved” by a violation of BIPA must allege some injury or harm beyond a procedural violation.