Third-Party Biometric Timekeeping Provider Chops Down BIPA Liability
As the Illinois Biometric Information Protection Act (BIPA) class action saga continues to unfold, an Illinois federal court recently handed a victory to a biometric timekeeping provider, ruling that the court lacked personal jurisdiction over the Georgia-based defendant. By making its decision on jurisdictional grounds, the court sidestepped several thorny substantive issues, including the defendant’s assertion that third-party timekeeping providers like itself cannot be liable under BIPA to employees whose employers used its software.
In Bray v. Lathem Time Co., the plaintiff employee in Illinois filed a class action suit on behalf of a putative class of employees against the defendant, Lathem Time Co., alleging that the defendant’s biometric timekeeping software violated Illinois’ BIPA statute. The defendant’s biometric timekeeping software was used by the plaintiff’s employer, a lumber sales company, against whom the plaintiff is pursuing a separate BIPA class action in Illinois state court.
Although the plaintiff did not work for Lathem Time Co., he nevertheless alleged that the defendant was obligated under BIPA to provide him with notice and to obtain his consent, which the defendant allegedly failed to do. Further, the plaintiff alleged that the defendant failed to establish a biometric information retention policy, as required by BIPA.
Moving to dismiss the plaintiff’s BIPA claims, the defendant argued that no BIPA claim could be stated against the defendant, who did not employ the plaintiff, because “BIPA was not designed to apply to third-party technology vendors like itself.” The defendant argued that the plaintiff was “attempting to assert a claim that does not exist,” not to mention the fact that the court lacked personal jurisdiction over the defendant, a Georgia company.
The court granted the defendant’s motion to dismiss, but did not wade into whether BIPA provides a cause of action against “third-party technology vendors” like the defendant. It found instead that the court possessed neither specific nor general jurisdiction over the defendant timekeeping provider, because the company lacked sufficient contacts with Illinois. The court found that the defendant’s mere operation of a highly interactive website that was used in Illinois was insufficient, absent any presence in Illinois or intentional targeting of Illinois customers. Indeed, the division of the plaintiff’s employer with whom the defendant did business was located in Arkansas, not Illinois. The court held that the random and fortuitous contacts the defendant had with Illinois were insufficient to give rise to personal jurisdiction. Thus, the defendant was able to avoid, at least for now, significant potential liability that has become the hallmark of BIPA, and the bane of Illinois employers.
This Lathem Time Co. case provides employers and businesses with a helpful reminder that, while BIPA lawsuits present significant challenges with regard to substantive defenses, some procedural defenses still exist. Those defenses can be a bulwark against potential BIPA liability. And while the court did not rule on the defendant’s argument that an employee cannot assert a BIPA claim against it because it is not the employer, this is the type of creative argument that has become necessary to stymie, or at least gain leverage against, the onslaught of class action litigation faced by employers and businesses across the state. Employers would do well to take this decision as a periodic reminder to ensure that if they use biometric systems for their workforce, BIPA-compliant policies and practices are in place.