I. What is BIPA?
The Illinois Biometric Information Privacy Act, or BIPA, is an Illinois statute that regulates the collection, use, retention, and destruction of individuals’ biometric identifying information, such as fingerprints, retina scans, and facial geometry scans. The Illinois Legislature enacted BIPA to address the growing use of biometric information by businesses to streamline financial transactions and security screenings. The purpose of BIPA is to provide special protection for such information, both to reduce the risk of identity theft and to encourage the public to participate in biometric-facilitated transactions.
BIPA applies broadly to any private entity that operates or does business in Illinois (regardless of whether the entity is headquartered in Illinois). BIPA includes five key provisions:
- Written Policy: Private entities in possession of biometric information must “develop a written policy, made available to the public, establishing a retention schedule” for the information, as well as “guidelines for permanently destroying” the information “when the initial purpose for collecting or obtaining [it] has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first.” 740 ILCS 14/15(a).
- Informed Consent: Private entities may not “collect, capture, purchase, receive through trade, or otherwise obtain” an individual’s biometric information unless they inform the individual (or a legally authorized representative) that her information is being collected, identify in writing the specific purpose and length of term for which the information is being collected, stored, and used, and receive a written release from the individual. 740 ILCS 14/15(b).
- Usage: Private entities may not “sell, lease, trade, or otherwise profit” from an individual’s biometric information. 740 ILCS 14/15(c).
- Disclosure: Private entities may not “disclose, redisclose, or otherwise disseminate” an individual’s biometric information unless the individual (or a legally authorized representative) gives consent, the disclosure completes a transaction authorized by the individual (or a legally authorized representative), or the disclosure is required by law or compelled by warrant or subpoena. 740 ILCS 14/15(d).
- Security: Private entities must “store, transmit, and protect from disclosure” an individual’s biometric information using “the reasonable standard of care” in the entity’s industry and in a manner that is “the same as or more protective than” the manner in which the entity protects its other confidential information. 740 ILCS 14/15(e).
Importantly, BIPA includes a private right of action that allows any individual aggrieved by a violation of these rules to bring a lawsuit in state or federal court. A prevailing party can recover $1,000 (or actual damages) for a negligent violation or $5,000 (or actual damages) for a reckless or intentional violation, plus attorneys’ fees and costs. BIPA also authorizes courts to award injunctive relief in appropriate cases.
II. Why is there so much BIPA litigation?
Illinois was the first state in the country to pass a biometric information privacy law, in 2008. Although several other states—including California, New York, Texas, Washington, and Arkansas—have passed or modified similar laws, Illinois’ BIPA is unique in that it provides aggrieved parties with a private right of action (whereas other states rely on public authorities to bring enforcement actions). This feature, along with the availability of statutory damages and attorneys’ fees, has made BIPA an attractive vehicle for plaintiffs lawyers seeking to bring class actions against companies that operate or do business in Illinois.
But the most important factor behind the recent surge in BIPA litigation is the Illinois Supreme Court’s 2019 decision Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186. There, the Illinois High Court held that a plaintiff does not need to plead that she suffered an actual injury as a result of the defendant’s alleged BIPA violation to qualify as an “aggrieved” person with statutory standing to bring a claim. Rather, it is enough that the plaintiff merely pleads that the defendant committed a technical violation of BIPA, and thereby infringed her privacy rights, to gain standing and file suit.
This decision was important because BIPA plaintiffs are often unable to plead that the defendant’s conduct caused them to suffer harm beyond a violation of their rights. Thus, whereas defendants were sometimes able to secure early dismissal of such claims on standing grounds pre-Rosenbach, they are now more likely to enter discovery and face a tough decision: Whether to shoulder the substantial costs and uncertainty of defending themselves through trial, or settle with the plaintiff and putative class at an earlier stage for a significant sum. Indeed, after Rosenbach, several large companies settled BIPA class actions for eye-popping amounts. These include Facebook (settled for $650 million); Tik Tok (settled for $92 million); Six Flags Entertainment (settled for $36 million); and ADP Security (settled for $25 million).
In light of these results, it is not surprising that BIPA litigation is on the rise. In 2020, the number of court rulings that referenced BIPA more than doubled from the year before. That number is higher again in 2021.
III. What are the key decisions and unresolved issues?
Although there have been some significant BIPA decisions at the appellate level, most of the caselaw that exists has been developed by state and federal trial courts. As a result, while several issues have been raised and litigated in recent years, little has been resolved in a way that gives parties certainty as to the meaning and applicability of BIPA. Below, we highlight some of the most important developments and outstanding issues.
- Article III Standing
A significant issue at the outset of many BIPA class actions is whether the plaintiffs have standing to proceed in federal court. In a typical case, the plaintiff files suit on behalf of a putative class in state court and the defendant removes to federal court under the Class Action Fairness Act because it anticipates a more advantageous federal forum. The question then becomes whether the federal court must remand the case to state court because the plaintiffs lack Article III standing. While Rosenbach set a low bar for plaintiffs to establish statutory standing (opening the door to state court), a spate of Seventh Circuit cases over the past two years has put a patchwork of rules in place outlining the standing requirements of Article III (a condition to proceeding in federal court).
For example, in Bryant v. Compass Grp. USA, Inc., 958 F.3d 617 (7th Cir. 2020), the court held that the plaintiffs had Article III standing to pursue their Section 15(b) claim that the defendant failed to obtain their informed consent before collecting their biometric information (a “concrete” and “particularized” injury to each plaintiff), but did not have Article III standing with respect to their Section 15(a) claim that the defendant failed to publish a written data retention and destruction policy (an obligation that is “owed to the public generally” and does not inflict any “particularized harm”). In Fox v. Dakkota Integrated Sys., LLC, 980 F.3d 1146 (7th Cir. 2020), the Court added nuance to its Section 15(a) analysis in Compass, holding that the plaintiffs in that case had Article III standing to pursue their Section 15(a) claim because they alleged that the defendant failed to comply with its established data policy—as opposed to failing to create and publish one in the first place—by retaining the plaintiffs’ information longer than the policy allowed.
The Seventh Circuit added another important layer in Thornley v. Clearview AI, Inc., 984 F.3d 1241, 1246 (7th Cir. 2021). There, the Court explained that while a plaintiff could potentially establish Article III standing to pursue a Section 15(c) claim in federal court (i.e., unlawful profiting from an individual’s biometric information), she has the ability as “master of her complaint” to plead that she did not suffer harm beyond a bare violation of her rights, in order to block Article III standing. In other words, under Thornley, plaintiffs are permitted to avoid removal, and guarantee themselves a state forum, by strategically pleading their claims in a way that disavows Article III standing—namely, by circumscribing their claims and class to only those who did not suffer an actual injury on account of the defendant’s conduct.
Given the perceived benefits of litigating in federal versus state court for BIPA defendants, we anticipate further development of the law surrounding Article III standing in future cases.
- Statute of Limitations
BIPA does not specify its own limitations period. This has led to a dispute between plaintiffs and defendants at the trial court level as to which of Illinois’ general statutes of limitations applies to BIPA claims: a one-year period that covers claims involving the “publication of matter violating the right of privacy,” 735 ILCS 5/13-201, or a five-year period that applies to civil claims where no other limitations period is specified, 735 ILCS 5/13-205.
In September 2021, the Illinois Appellate Court, First District, weighed in and split the baby in Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563. There, the court held that a one-year period applies to claims under BIPA sections 15(c) and 15(d) because those claims involve allegations that the defendant “published” or otherwise disseminated the plaintiff’s biometric information. The court held further that, in contrast, a five-year period applies to claims under BIPA sections 15(a), 15(b), and 15(e) since, although those claims concern privacy, they do not include an element of publication or dissemination.
The Illinois Supreme Court is expected to resolve the statute of limitations issue in a future case, either on appeal of Black Horse Carriers or in another appeal pending in the Illinois Appellate Courts.
BIPA entitles a prevailing plaintiff to recover at least $1,000 in statutory damages “for each violation” of the statute. In August 2020, a court in the Northern District of Illinois interpreted this provision broadly, finding that the plaintiffs could recover $1,000 for each and every time their employer acquired their fingerprints using a fingerprint scanner over a multi-year period (which was used to restrict computer access). Cothron v. White Castle Sys., Inc., 477 F. Supp. 3d 723 (N.D. Ill. 2020). The court noted that this interpretation “may penalize violations severely,” but concluded that it was demanded by BIPA’s plain text.
The defendant appealed the district court’s decision and the Seventh Circuit heard oral argument in September 2021. A decision is anticipated in the next few months.
* * * *
Given all that is at stake, we expect that BIPA litigation will steadily mount and that, as a result, the law surrounding BIPA will develop rapidly in the foreseeable future. Likewise, we anticipate that the claims and legal theories pursued by BIPA plaintiffs will continue to evolve, testing increasingly sophisticated areas of technology and its applications by businesses in our daily lives. Indeed, while the first wave of BIPA cases targeted mostly employers who use fingerprint scanners to track activities like employee timekeeping and customer admissions, more recent cases have taken issue with companies’ use of faceprints and voiceprints to identify individuals for the purpose of improving their customer experience.
Quinn Emanuel is closely tracking all of the latest developments and has been engaged as defense counsel in a number of the highest-profile BIPA cases in the country. We have achieved victories on behalf of our clients in BIPA arbitrations and have successfully leveraged BIPA settlements at well-below market settlement rates. We are also an industry leader in devising defense-side strategies for technology clients, including in cases where BIPA plaintiffs are threatening novel approaches to litigation, such as “mass action” arbitrations.
We would be pleased to schedule a meeting to discuss how we can help ensure your company’s compliance with BIPA and defend the company against any anticipated or pending BIPA litigation.
If you have any questions about the issues addressed in this memorandum, or if you would like a copy of any of the materials mentioned in it, please do not hesitate to reach out to us.