Throughout much of 2023, businesses found themselves in a challenging position as they continued to grapple with defending against Illinois Biometric Information Privacy (BIPA) class action lawsuits. The year began on a somber note with the Illinois Supreme Court delivering unfavorable decisions on two pivotal threshold matters. However, rays of hope emerged when the same court issued two favorable decisions, one affirming union preemption, and another concerning medical exemptions under BIPA. These welcomed developments provided a reprieve for businesses contending with the longstanding challenges posed by the statute. As we navigate the complexities of BIPA, it becomes crucial for businesses to recognize and consider the various exemptions embedded within the legislation—many of which have proven effective in legal defenses over the past few years.

Procedural History of BIPA

Enacted in 2008, BIPA regulates the collection, use, and handling of biometric identifiers and information by private entities. After a relatively quiet period spanning nearly a decade, the statute experienced a significant surge in activity following the landmark decision in Rosenbach v. Six Flags (2019 IL 123186). This ruling established that a plaintiff need not plead actual harm or injury resulting from an alleged BIPA violation to seek relief under the Act. Subsequently, more than 1,500 BIPA lawsuits have been filed in Illinois.

The statute, having been largely untested before Rosenbach, gave rise to a series of critical threshold matters in the years that followed, many of which proved unfavorable for Illinois businesses. For instance, in early 2022, the Illinois Supreme Court, in McDonald v. Symphony (2022 IL 126511), decided that the Illinois Workers’ Compensation Act did not preempt BIPA. Approximately a year ago, the Illinois Supreme Court issued two highly anticipated decisions. First, in Tims v. Black Horse Carriers (2023 IL 127801), the Court held that the “catch-all” five-year statute of limitation under 735 ILCS 5/13-205 applies to all BIPA claims, as opposed to the one-year limitation period provided under 735 ILCS 5/13-201. Two weeks later, in Cothron v. White Castle (2023 IL 128004), the Court held that a claim under BIPA accrues each time a person scans or otherwise transmits biometric information.

While the White Castle decision initially reverberated through Illinois businesses facing potential exposure under BIPA, a careful examination of the ruling offers guidance and optimism for businesses navigating their defenses. At a point where many in the plaintiffs’ bar were ready to seize on separate $1,000 (negligent) or $5,000 (reckless/intentional) statutory damages for each scan, the high court reminded and acknowledged that a trial court has the power to fashion a damage award that fairly compensates the class and deters future violations without destroying a defendant’s business. 2023 IL 128004, ¶ 42. The majority seems to advocate for a sensible approach to damages under the statute, recognizing necessity for robust incentives for compliance while emphasizing that “the General Assembly chose to make damages discretionary rather than mandatory under the Act” and underscoring that “there is no language in the Act suggesting legislative intent to authorize a damage award that would result in the financial destruction of a business.” Id.

Although the majority’s decision held that a statute should be adopted “even though the consequences may be harsh, unjust, absurd or unwise,” id. ¶ 40, the Illinois Supreme Court, like state and federal courts throughout the country, has applied a contrary rule known as “the absurdity doctrine,” which holds: “[w]e will not make any determination that will construe an act of the legislature so as to lead to absurd, inconvenient or unjust consequences.” Loyola Academy v. S&S Roof Maintenance, Inc., 146 Ill. 2d 263, 273 (1992), citing McCastle v. Sheinkop, 121 Ill. 2d 188, 193 (1987); see also Evans v. Cook County State’s Attorney, 2021 IL 125513, ¶ 27 (“Statutes must be construed to avoid absurd or unjust results.”) (emphasis added), citing People v. Hamma, 207 Ill. 2d 486, 498 (2003). Citing this fundamental rule of statutory construction, the dissenting opinion in Cothron argued that the legislature could not have intended to impose punitive, crippling liabilities on businesses “wildly exceeding any remotely reasonable estimate of harm.” Cothron, ¶ 63. In response, the majority held that the risk of such “absurd” consequences is overblown. Accordingly, the most reasonable interpretation of Cothron’s holding is not that it embraces or invites absurd results, but that it requires trial courts applying BIPA’s non-mandatory damages provision to fashion appropriate remedies that are fair, equitable and suited to the circumstances of each case. The majority also makes clear that such damages should be tailored to deter future violations “without destroying defendant’s business.” Id., ¶ 42.

The White Castle decision firmly underscores the discretionary nature of damages under BIPA, emphasizing the importance of proportionality. However, Illinois businesses shouldn’t hold out hope that a jury will be so mindful. In recent years, businesses have achieved success by strategically leveraging applicable exemptions, and the Illinois Supreme Court’s recent recognition for certain exemptions, further underscores the need for businesses in Illinois to thoroughly explore every available avenue for exemptions. Therefore, it’s imperative for Illinois businesses to meticulously examine and leverage any relevant exemptions to navigate the challenging landscape of BIPA.

Health Care Worker Medical Exemption

At the end of 2023, the Illinois Supreme Court issued a rarity – a favorable decision for Illinois medical providers defending against BIPA lawsuits. On November 30, 2023, the high court delivered a long-awaited ruling in Mosby v. The Ingalls Memorial Hospital (2023 IL 129081), providing clarity on the protection status of biometric information collected from health care workers under BIPA. The case addressed certified questions relating to whether (1) BIPA applies to health care workers (as opposed to patients) and whether, more narrowly, (2) biometric information collected from a health care worker, when utilized for purposes related to health care treatment, payment, or operations as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), falls within BIPA’s purview. Id., ¶ 1. Answering both certified questions in the affirmative, the Court’s decision established that when health care worker data is gathered for HIPAA-defined health care activities, it is exempt from BIPA protection. Id., ¶ 59.

In Mosby, nurses brought forth a putative class action, alleging that their biometric information was collected for identification purposes before administering medication to patients through use of an automated medication dispensary system. Id., ¶ 5. Both the trial court and the Illinois Appellate Court had previously determined that these collections were subject to BIPA, contending that BIPA’s exclusions for activities “under HIPAA” were primarily designed to safeguard patient data, not data pertaining to health care workers. Id., ¶¶ 7-8.

BIPA’s relevant exception states: “Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.” Id., ¶ 35. The Court, reversing the trial and appellate courts, applied principles of statutory construction, and emphasized that the use of the term “information” at the beginning of both phrases, separated by the disjunctive “or,” implied legislative intent to exclude two distinct categories of information. Id., ¶¶ 41-42, 52. Furthermore, the Court clarified that the term “under HIPAA” defined the scope of “health care treatment, payment, or operations” and that these terms pertained to activities performed by health care providers, not patients. Id., ¶ 53.

Nevertheless, the Court emphasized that it did not establish a sweeping, categorical exclusion of biometric identifiers from health care workers. Id., ¶ 57. Instead, the exclusion applied only when such information was collected for health care treatment, payment, or operations under HIPAA. Id. The extent to which lower courts will interpret and apply the Mosby decision, particularly in contexts beyond medication dispensing (i.e. time clock medical cases), remains a topic for future debate, and potentially another appellate review.

Union Exemption

Last year, the Illinois Supreme Court also gave employers a favorable decision when it decided that Section 301 of the Labor Management Relations Act (LMRA) preempts BIPA claims brought by bargaining unit employees covered by a collective bargaining agreement (CBA) where there is a broad management rights clause.

In Walton v. Roosevelt University (2023 IL 128338), the plaintiff alleged that he was required to scan biometric identifiers for timekeeping without being given notice and providing written consent, as required under BIPA. The trial court rejected Roosevelt University’s argument that the plaintiff’s claims were preempted by Section 301 of the LMRA. The Illinois Appellate Court reversed the trial court, relying on a 2021 Seventh Circuit BIPA decision in Fernandez v. Kerry, Inc., 14 F.4th 644, 646 (7th Cir. 2021), and explained that “when the employer invokes a broad management rights clause from a [CBA] in response to a [BIPA] claim, the claim is preempted because it requires an arbitrator to determine whether the employer and the union bargained about the issue or the union consented on the employees’ behalf.” See 2022 IL App (1st) 210011, ¶ 19.

Affirming the appellate court’s decision, the Illinois Supreme Court held that, “[g]iven the language in the CBA and the LMRA, it is both logical and reasonable to conclude any dispute [under BIPA] must be resolved according to federal law and the agreement between the parties. Therefore . . . we defer to the uniform federal case law on this matter and find that when an employer invokes a broad management rights clause from a CBA in response to a [BIPA] claim brought by bargaining unit employees, there is an arguable claim for preemption. Accordingly, because we do not believe the federal decisions were wrongly decided, and here the CBA contained a broad management rights clause, we find Walton’s [BIPA] claims are preempted by the LMRA.”

Although the ruling doesn’t entirely prohibit a BIPA claim by a bargaining unit employee under a CBA, Walton confirms the legitimacy of a preemption defense for employers who have established CBAs with expansive management rights clauses that may encompass mandated actions pertaining to BIPA claims. In such cases, employee claims under BIPA must adhere to the procedures specified in the relevant CBA, potentially involving individual private arbitration rather than class-wide proceedings.

Virtual Try-On Medical Exemption

As the plaintiffs’ bar continued to find creative ways to move beyond time clock BIPA cases, one trend included targeting businesses offering virtual try-on features for consumers to try various products at home, including glasses and makeup, through the use of a consumer’s computer or phone camera. But in September 2022, the court held in Svoboda v. Frames for America, Inc. (2022 WL 4109719 (N.D. Ill. Sept. 8, 2022)), that BIPA did not regulate the virtual try-on tool in this instance because it fell under the statute’s health care exemption.

Frames for America, Inc., which operates FramesDirect.com (an online platform selling prescription and non-prescription eyewear), offered a virtual feature on its website that allowed consumers to digitally try on glasses or sunglasses. The plaintiff alleged that Frames for America utilized software to scan a consumer’s facial geometry from a uploaded photograph and then digitally superimposed the eyewear on the consumer’s face. Id. at *1. Applying the same crucial exemption as in Mosby, the court dismissed the plaintiff’s complaint, reasoning that she qualified as a “patient receiving a health care service in a health care setting” when using the virtual try-on tool. Id. at *3. Even though the plaintiff did not seek medical treatment, consult an eye doctor, or make a purchase during the virtual try-on experience (id. at *1), the court concluded that “prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses are all Class 1 medical devices.” Id. at *2. Consequently, the court held that the plaintiff “would have received a health care service had she purchased the glasses….” Id. Drawing an analogy, the court equated the virtual try-on feature in this case to services offered in optometrists’ offices. Id.

Illinois businesses providing a virtual try-on tool must meticulously assess the applicability of the medical exemption, particularly in situations where a potential connection can be argued between the product offered and a medical service. This careful analysis is crucial to navigate the complex regulatory landscape and ensure compliance, or exemption, with relevant statutes.

State Contractor Exemption

BIPA explicitly states that private entities that are “a contractor, subcontractor, or agent of a State or local unit of government when working for that State agency or local unit of government” are not subject to its mandates. (BIPA, Section 25(e)). While the exemption for state contractors under Section 25(e) has not been extensively explored by reviewing courts, the sole appellate decision addressing this provision, in Enriquez v. Navy Pier, Inc., clarifies that an entity qualifies for exemption if it meets three criteria: (1) it is a contractor, (2) of a unit of government, and (3) was working for that unit of government when collecting or disseminating biometric information. 2022 IL App (1st) 211414-U, ¶ 19, appeal denied, 201 N.E.3d 582 (Ill. 2023).

This interpretation aligns with previous rulings by trial courts, as exemplified in Thornley v. CDW-Government, LLC, 2022-CH-04246 (Cir. Ct. Cook Cty., Ill. June 25, 2001). The court in Thornley dismissed a class action lawsuit, reasoning that Section 25(e) of BIPA is straightforward and unambiguous. According to the court, the term “working” is commonly understood to mean “relating to or designating one that works,” leading to the conclusion that Section 25(e) applies to “one whom a state agency or local unit of government engages to … provide services….” The appellate court’s ruling in Enriquez not only affirms this interpretation but also provides a comprehensive analysis and a clear roadmap for businesses contracted to provide services for a state agency or local unit of government seeking to assert a defense under BIPA.

Financial Institution Exemption

According to Section 25(c) of BIPA, the provisions of the Act do not apply “in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 [GLBA] and the rules promulgated thereunder.” In a notable 2022 case, DePaul University successfully had a BIPA class action lawsuit dismissed by invoking this financial institution exemption. The plaintiff had alleged that the university violated BIPA by using an online remote proctoring tool that purportedly captured, collected, and stored plaintiff’s biometric information. Powell v. DePaul Univ., 2022 WL 16715887, at *1 (N.D. Ill. Dec. 6, 2022).

DePaul University argued that its participation in U.S. Department of Education’s Federal Student Aid Program qualified it as a financial institution under the GLBA. Id. Supporting its stance, DePaul highlighted the acknowledgment by both the Federal Trade Commission (FTC) and the Department of Education that universities fall under the definition of financial institutions as per the GLBA. Id. Moreover, DePaul emphasized that rulemaking authority for Title V lies with the Consumer Financial Protection Bureau, which adopted and republished the privacy rules initially promulgated by the FTC. Id. at *2. According to the FTC rules, any institution “significantly engaged in financial activities” is considered a financial institution. Id. The court sided with DePaul, concluding that BIPA’s Section 25(c) applies to higher education institutions. The court was swayed by DePaul’s reliance on the FTC’s consistent and reasoned interpretation of the GLBA it administers. Id.

Despite being in the context of higher education, this decision should prompt any Illinois business facing BIPA claims to carefully analyze its reporting obligations and affiliations to determine whether they are in fact subject to Title V of the GLBA, and/or the rules promulgated thereunder.

Aside from analyzing compliance with and exposure under BIPA, Illinois businesses should be mindful of the everchanging landscape of the statute as lawsuits continue to progress. Businesses falling short of compliance standards should thoroughly examine whether any applicable BIPA exemptions may provide relief.