By Jeff Bowen
The Biometric Information Privacy Act (BIPA), a 2008 Illinois law governing the collection, maintenance and disclosure of biometric data, has generated thorny jurisdictional issues for years. The statue places limitations on the collection and use of such data, mandates public disclosure of a plan governing the scope of use, and requires written consent from individuals whose data is obtained. BIPA also provides a private right of action for persons aggrieved by violation of those requirements. Under the 2016 Supreme Court case Spokeo v. Robins, 136 S. Ct. 1540 (2016), the harm alleged under a data privacy statute like this must be both concrete and particularized in order to give rise to standing in federal court. District courts applying Spokeo to BIPA claims have reached quite different results, with some allowing the claims to proceed and others remanding to state court or dismissing the claims outright. Earlier this year, the Seventh Circuit provided significant guidance as to the type of BIPA claims that may trigger federal jurisdiction, with individualized informational injury potentially meeting the standing threshold but violation of general disclosure requirements falling short. Bryant v. Compass Group USA, Inc., 958 F.3d 617 (7th Cir. 2020). The Bryant decision provides important information for both defense counsel and plaintiffs, though several other issues remain in play, such as the scope of preemption under statutes governing collective bargaining agreements and the availability of insurance coverage.
BIPA and Early Federal Court Decisions
BIPA subjects companies to potential liability for collecting, maintaining, or disclosing the biometric information of individuals without certain required disclosures and written consent. 740 Ill. Comp. Stat. § 14/1 et seq. (2008). “Biometric identifier” includes a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” while “biometric information” includes any information based on a biometric identifier that is used to identify an individual. Id. § 10. The Act requires publication of a retention schedule and guidelines for “permanently destroying biometric identifiers and biometric information.” Id. § 15(a). BIPA also prohibits the collection or receipt of biometric information without informing the subject of such collection and its purpose and then obtaining written consent. Id. § 15(b) Other provisions address the sale, disclosure, and retention of biometric information. Some BIPA claims involve biometric data collected from customers, such as through ticket sales or vending machines. Other cases involve claims brought by employees, whose employers use biometric data to track working hours or restrict access to certain hazardous or sensitive materials.
The Illinois supreme court has held that individuals who have suffered no injury beyond the violation of statutory rights under BIPA may still present a claim. Rosenbach v. Six Flags Ent. Corp., 129 N.E.3d 1197 (Ill. 2019). In Rosenbach, the claimant’s 14-year-old son had provided fingerprint data in order to obtain a season pass to the amusement park. She alleged that she had not received any information about the collection of his fingerprints, nor had she provided written consent, and she sued on behalf of a purported class of similarly situated park attendees. The defendants argued that she had alleged no actual or threatened injury, but the court held that violation of BIPA obligations “constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach.” Id. at 1206. Because such a person is “aggrieved” within the meaning of the provision creating a private right of action, she is “entitled to seek recovery” without pleading any additional consequences. Id.
The availability of this private right of action gives rise to important standing questions in federal court, even when parties have satisfied other diversity requirements. Under Spokeo v. Robins, 136 S. Ct. 1540 (2016), claimants must allege an injury in fact that is both concrete and particularized in order to satisfy standing requirements. In that case, the Ninth Circuit had held that a search engine’s alleged publication of inaccurate information about the plaintiff in violation of the Fair Credit Reporting Act was sufficiently individualized to confer standing, but the Supreme Court reversed, remanding the case for determination of whether the injury was also sufficiently concrete. Id. at 1548-49. The Court stressed that the alleged injury need not be tangible in order to be concrete, but nor could it be a bare procedural violation. In the wake of Spokeo, violations of purely statutory rights may give rise to justiciable claims in state court, but federal jurisdiction requires specific allegations of concrete and particularized harm to the individual claimant.
Courts must therefore decide whether alleged violations of BIPA satisfy the Spokeo standard, and decisions rendered over the past several years reflect a variety of conclusions. Several district courts recognized allegations of concrete and particularized harm. One court found standing based on the sale of human resources software that collected and stored biometric data on employees without disclosure or consent. Figueroa v. Kronos Inc., 2020 WL 1848206 (N.D. Ill. Apr. 13, 2020). Another found standing based on the requirement that truck drivers provide fingerprint data in order to gain access to freight at railway terminals, which was obtained and disseminated without consent. Rogers v. CSX Intermodal Terminals, 409 F. Supp. 3d 612 (N.D. Ill. 2019). See also Namuwonge v. Kronos, Inc., 418 F.Supp.3d 279 (N.D. Ill. 2019) (finding standing under BIPA § 15(a) for failure to publish a data retention schedule but dismissing other claims for insufficiency of allegations).
By contrast, another court held that alleged anxiety over whether an employer would ever delete biometric information did not confer standing due to the absence of alleged concrete harm. McGinnis v. U.S. Cold Storage, Inc., 382 F.Supp.3d 813 (N.D. Ill. 2019). In Aguilar v. Rexnord, No. 17 CV 9019, 2018 WL 3239715 (N.D. Ill. July 3, 2018), the court found that employees forced to clock in through fingerprints obtained without written consent had failed to allege the necessary concrete injury. Similarly, the creation and retention of unique face templates did not in themselves cause the concrete injury required to establish standing. Rivera v. Google, Inc., 366 F. Supp. 3d 998 (N.D. Ill. 2018). See also Heard v. Becton, Dickinson & Co., 440 F. Supp. 3d 960 (N.D. Ill. 2020) (finding insufficient allegations of control by defendant over collected data); Colon v. Dynacast, 2019 WL 5536834 (N.D. Ill. Oct. 17, 2019) (finding lack of standing given absence of allegations that data had been collected without knowledge of the subjects).
At the circuit court level, the Seventh Circuit agreed that union airline workers had satisfied standing requirements based on an obligation to clock in and out with biometric data. Miller v. Southwest Airlines Co., 926 F.3d 898 (7th Cir. 2019). The court noted that the need to bargain over employee consent or over the means of tracking time might affect the conditions of employment and that the employees had also alleged a heightened risk of disclosure. The Ninth Circuit also held that the use of facial-recognition technology by Facebook without informed consent satisfied standing requirements because plaintiffs alleged invasion of privacy. Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019). The Second Circuit, by contrast, held that the video game player plaintiff had effectively consented to the collection of his biometric data by permitting a lengthy scan of his face and proceeding with the creation of a game avatar. Santana v. Take-Two Interactive Software, Inc., 717 F. App’x 12 (2d Cir. 2017).
Bryant v. Compass Group
The Seventh Circuit attempted to synthesize these decisions and provide guidance on jurisdictional concerns in Bryant v. Compass Group USA, Inc., 958 F.3d 617 (7th Cir. 2020). Bryant used a vending machine in her company break room that required each employee to provide a fingerprint, which was then linked to a payment account set up by that employee. Id. at 619. Bryant alleged that her employer instructed employees to provide a fingerprint, and she did so. She generally understood why her biometric data was being collected but alleged that the lack of disclosure by the machine operator prohibited her from giving informed written consent. She sued on behalf of a class of similarly situated people, alleging violation of BIPA §15(a) for failure to provide a public schedule of data retention and guidelines and violation of §15(b) for failure to inform her about the collection, use, and storage of her data and failure to obtain her written consent. Bryant filed in state court, but the defendant removed to federal court under the Class Action Fairness Act. Bryant sought remand to state court, leaving the defendant to argue that the claimant had standing to pursue her claims in federal court. The panel ultimately concluded that Bryant lacked standing to bring her §15(a) claim but held that she could proceed with her §15(b) claim.
The Bryant panel distinguished between the vindication of public rights and redress for violation of the private rights of an individual plaintiff, relying in part on the Spokeo concurrence penned by Justice Thomas. While the §15(a) obligation was owed to the public generally, the court had “no trouble concluding that Bryant was asserting a violation of her own rights—her fingerprints, her private information” under §15(b) and that this was “enough to show injury-in-fact without further tangible consequences.” Id. at 624. After all, she had alleged invasion of her “private domain,” similar in many ways to an act of trespass.
The court further noted that the alleged inability to give informed written consent satisfied Seventh Circuit case law on standing for informational injury, which requires that the failure to disclose information impairs the “ability to use the information in a way the statute envisioned.” Id. Thus, in Groshek v. Time Warner Cable, 865 F.3d 884, (7th Cir. 2018), the plaintiff did not allege concrete injury because he merely received the required information in a larger document, rather than in a stand-alone disclosure, whereas in Robertson v. Allied Solutions, LLC, 902 F.3d 690 (7th Cir. 2018), the plaintiff alleged concrete injury because the failure to provide her with a copy of her background report meant she could not challenge the recission of her employment offer. In Bryant, too, the failure to provide substantive information about the use and storage of her personal data meant that Bryant could not give the informed consent required by the statute.
In the wake of Bryant, district courts have found no standing for similar general disclosure claims but potential standing for failure to provide information necessary for informed consent. In Cothron v. White Castle System, No. 19 CV 00382, 2020 WL 3250706 (N.D. Ill. June 16, 2020), the plaintiff alleged that White Castle required her to provide a fingerprint in order to access the computer system. Citing Bryant, the court permitted the claims under §§15(b) & (d) to proceed because they alleged failure to provide the information necessary to permit informed consent. In Kloss v. Acuant, Inc., No. 19 C 6353, 2020 WL 2571901 (N.D. Ill. May 21, 2020), the court remanded § 15(a) claims for lack of standing in light of Bryant and dismissed other claims for failure to allege sufficient facts in support.
Other BIPA Jurisdictional Issues
Bryant resolved many significant jurisdictional questions, but BIPA, of course, will likely continue to generate substantial litigation. Although Bryant set forth the type of claims that may give rise to standing in federal court, allegations of an individual informational injury do not guarantee federal jurisdiction. For example, employees subject to collective bargaining agreements governed by state or federal statutes may need to bring their claims before an adjustment board or similar entity. Even though the employees in Miller v. Southwest Airlines, 926 F.3d 898 (7th Cir. 2019), alleged sufficient concrete and particularized harm to confer standing, the Railway Labor Act required their claims to be heard by an adjustment board. Moreover, the scope of claims that must be submitted to such an entity continues to generate litigation. One court found that that § 301 of the Labor Management Relations Act preempted BIPA claims arising after the collective bargaining agreement governing the plaintiff’s employment went into effect but permitted the plaintiff to proceed with claims relating to alleged violations prior to that date. Peatry v. Bimbo Bakeries USA, Inc., 2020 WL 919202 (N.D. Ill. Feb. 26, 2020). See also Darty v. Columbia Rehabilitation and Nursing Ctr., 2020 WL 3447779 N.D. Ill. June 24, 2020) (agreeing that the LMRA preempted BIPA claims but noting that the named plaintiff was not herself a member of the union, thus requiring remand to state court). Another court found that the Illinois Worker Compensation Act only preempted accidental claims, thereby permitting an assembly worker’s BIPA claims against the manufacturer to proceed. Treadwell v. Power Solutions Intl., 427 F.Supp.3d 984 (N.D. Ill. 2019).
Similarly, the Bryant decision does not preclude enforcement of valid arbitration clauses, and plaintiffs whose claims fall within the scope of an employment arbitration agreement may need to arbitrate those claims. In Crooms v. Southwest Airlines Co., — F.Supp.3d —-2020 WL 2404878 (N.D. Ill. May 12, 2020), for example, the court held that all of the plaintiff ramp agents and supervisors were subject to arbitration of their claims under their employment agreement. Three of the plaintiffs, however, needed to bring their claims before the Railway Labor Board, as the Railway Labor Act preempted immediate arbitration of those claims.
Another lingering issue involves the location of the injury and any potential extraterritorial application of the statute. Thus, the maker of a cloud-based point-of-sale system that allowed restaurants and other businesses to track employee time through a biometric finger scanner challenged the extraterritorial application of the statute. Neals v. PAR Technology Corp., 419 F.Supp.3d 1088 (N.D. Ill. Dec. 18, 2019). The district court rejected the extraterritoriality claim but noted the absence of allegations that the plaintiff restaurant was located in Illinois. The court therefore dismissed the complaint but with leave to amend.
Insurance Coverage For BIPA Claims
Finally, given the number of BIPA claims in recent years, potential insurance coverage for those claims has also become an issue. Depending on the nature of the claims, companies facing exposure under BIPA may turn to several different types of insurance coverage. Cyber policies may respond to a claim based on the unauthorized collection or release of biometric data, depending on the policy definitions of data and the presence of employment related exclusions. General liability policies might cover BIPA claims under the “personal and advertising injury” coverage, though any exclusions related to loss of data or to statutory violations could come into play. Employment practices liability policies could respond to claims brought by employees, though, again, potential exclusions would need to be considered.
Some of these insurance claims have already appeared in federal litigation, though very few decisions have been rendered. In 2018, Zurich filed a declaratory judgment action after its policyholder was sued in Illinois for allegedly using fingerprint data to regulate access to stored medications. Zurich Am. Ins. Co. v. Omnicell, No. 3:18-cv-05345, 2018 WL 4198057 (Compl.) (N.D. Cal. Aug. 30, 2018). The insurer pointed to exclusions in its general liability policy for statutory violations, but no decision was reached because the case was stayed pending resolution of the underlying matter. Zurich Am. Ins. Co. v. Omnicell, No. 3:18-cv-05345, 2019 WL 570760 (N.D. Cal. Feb. 12, 2019). In another recent case, the issuer of a multi-peril policy filed a declaratory judgment action in Illinois federal court, arguing that its employment practices policy excluded liability for violations of law, and that the other coverage forms issued, including general liability and professional liability, all contained exclusions for injuries to employees. Church Mut. Ins. Co. v. Triad Senior Living Inc., Case No. 1:19-cv-07599 (Compl.) (N.D. Ill. Nov. 18, 2019). The case was voluntarily dismissed without prejudice before any decision was entered. Finally, another insurer recently filed a declaratory judgment action arguing that its general liability policy excluded employment practices involving the collection and use of data. Am. Family Mut. Ins. Co. S.I. v. Schmitt South Eola LLC, No. 1:20-cv-01872 (compl.) (N.D. Ill. Mar. 19, 2020) The underlying case alleged that a MacDonald’s restaurant violated BIPA by requiring employees to scan their fingerprints and then sharing that biometric data within the nationwide McDonald’s computer system.
Outside of federal court, one Illinois court held that an insurer had a duty to defend a BIPA claim under a general liability policy. West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan Inc., No. 1-19-1834, 2020 IL App (1st) 191834, 2020 WL 1330494 (Ill. App. Mar. 13, 2020) (unpub). The underlying case alleged that the defendant required customers to provide fingerprint data along with membership and then automatically entered that data in a national L.A. Tan database. The court concluded that publication to one third-party vendor was sufficient to constitute “publication” under the policy, thus triggering potential coverage under the advertising and personally liability coverage. Id at ¶¶ 34-37. The court also held that an exclusion for statutory violations did not apply to BIPA claims because it was limited to statutes governing certain methods of communication. Id. at ¶¶42-43. Although this decision was rendered in an Illinois appellate court, federal practitioners can expect the body of case law relating to insurance coverage for BIPA claims to continue to expand.