Passing the eye test - Defense strategies and the Biometric Information Privacy Act

Eversheds Sutherland (US) LLP

As the use of biometric data continues to grow and become more prevalent across industries of all types and sizes, complying with data security and privacy laws has never been more critical or challenging. This is particularly true for businesses subject to the Biometric Information Privacy Act (BIPA), an Illinois law widely acknowledged as the leading law governing biometric security. BIPA imposes strict requirements on private, non-governmental entities that collect, store, use, or profit from biometric data belonging to Illinois residents.1 As discussed in our prior alert regarding BIPA compliance, BIPA has driven hundreds of class action lawsuits over the past several years.
The BIPA avalanche has only grown stronger following the Rosenbach v. Six Flags Entertainment Corp. decision in January 2019, where the Illinois Supreme Court held that plaintiffs need not have suffered or even alleged actual harm beyond a procedural violation to bring a claim and, therefore, seek relief under BIPA. In August 2019, the Ninth Circuit weighed in on this issue, affirming the lower court’s finding that plaintiffs who did not consent to a company’s use of facial recognition technology had standing sufficient to assert a BIPA claim, thereby allowing a class to continue to pursue their claims in federal court.2 In light of these and other decisions, companies subject to BIPA have begun to explore new defenses to these claims.
While adherence to BIPA’s requirements and robust compliance efforts are the most obvious ways to mitigate exposure under BIPA, below is an overview of some potential defenses for parties already in litigation.

BIPA Defenses


Article III of the US Constitution grants federal courts the power to hear cases and controversies and limits the matters over which federal courts may preside.3 The US Supreme Court has interpreted Article III to require that plaintiffs suffer an actual or concrete injury in fact in order to seek redress in federal court.4  As a constitutional requirement, plaintiffs must therefore demonstrate an injury that is particularized and that affected them personally in order to bring suit in federal court.5 The injury must also be real rather than merely abstract, hypothetical, or conjectural.6

Most, but not all, federal courts in Illinois have dismissed complaints where plaintiffs have not demonstrated an injury in fact sufficient to confer standing to litigate their BIPA claims. As a statutory matter, BIPA gives anyone who is aggrieved by a privacy violation under the act the opportunity to bring a claim.7 What constitutes an “aggrieved” person is not further defined under BIPA. Federal courts in Illinois have held that even if a person is “aggrieved” for purposes of satisfying the statutory requirement under BIPA, that allegation alone is not sufficient to satisfy the Article III standing requirement. Therefore, Article III standing is a separate issue from statutory standing under BIPA in that a plaintiff could conceivably be aggrieved under BIPA, but otherwise fail to satisfy the constitutional standing requirement under Article III.8 That said, at least one federal court in Illinois has held that a defendant’s alleged violation of a plaintiff’s right to privacy was enough to satisfy standing.9 Further chipping away at the standing defense is a decision out of the Northern District of California, which held that BIPA codifies an individual right of privacy in one’s biometric information, the violation of which constitutes a concrete injury; this decision was affirmed by the Ninth Circuit in August 2019.10

Following the Rosenbach decision from the Illinois Supreme Court in January 2019,11 Illinois state court plaintiffs may not need to allege actual harm to establish standing necessary to pursue a BIPA claim. In March 2019, an Illinois appellate court, applying the Rosenbach decision, reversed a lower court’s dismissal that had been based on the plaintiff’s failure to allege any actual damages; the appellate court found that alleging a statutory violation of BIPA was sufficient for standing pursuant to Rosenbach.12 It is unlikely that defendants in BIPA actions will give up the standing argument entirely, however, in part because allegations of harm can differ from complaint to complaint.
Moreover, although a motion to dismiss is the most common vehicle for raising a Spokeo/standing challenge, it is not the only one. Challenges to a plaintiff’s injury, or lack thereof, may also be raised by other means later in the litigation, such as at the class certification phase by arguing that not all class members have been injured or at the summary judgment phase by arguing a lack of evidence (and thus lack of triable fact) of injury.

BIPA’s geographical reach or scope remains somewhat of an open question. According to at least one court in the Northern District of Illinois, in the 2017 Monroy v. Shutterfly decision, BIPA does not apply outside of Illinois because nothing in the statute indicates that the Illinois legislature intended for it to have extraterritorial effect.13 The Monroy court held that the threshold question in determining whether the case even involves a potential extraterritorial application of BIPA is whether the circumstances giving rise to the case took place “primarily and substantially” within Illinois.14 If yes, then an extraterritoriality defense may not be viable. If no, then extraterritoriality, or the application of BIPA outside of its prescribed bounds, may be a potential issue to further explore. This is a case-by-case, fact-dependent exercise. Because this is fact-intensive, the strength of an extraterritoriality defense may not be fully known until the parties have engaged in some discovery.15

As a separate, but related issue, defendants faced with a BIPA claim should consider whether the issue of geography can be used as a defense tactic. For example, a defendant sued in a state court should evaluate whether the case may be removed to federal court and/or transferred to a more favorable or closer-to-home venue. Successfully removing a state court case to federal court within 30 days after service of the complaint16 would allow the defendant, once in federal court, to file a motion to transfer the case to a location of its choosing, provided the new venue is proper and satisfies all applicable venue requirements. But this tactic must be weighed in light of its potential costs. In removing to federal court and transferring to a new venue, defendants must rely in large part on the luck of the draw when it comes to the assignment of the judge in the new venue. Removal and transfer, if not carefully considered, can lead to unanticipated consequences later in litigation.

Constitutional and Statutory Defenses

As BIPA litigation continues to develop, defendants have raised various defenses grounded in both the US Constitution and BIPA itself, with varying degrees of success. For example, some BIPA defendants have asserted a lack of personal jurisdiction. Personal jurisdiction is ripe for a defense when the defendant is an out-of-state defendant that conducts limited, or even no, business or conduct within the state where the case is pending. For example, a company alleged to have provided Illinois employers with biometric timekeeping equipment filed a motion to dismiss in July 2019 in the Northern District of Illinois, in part, on personal jurisdiction grounds, arguing that it does not have offices, employees, or a registered agent in Illinois.17 The company additionally argued that the plaintiffs failed to allege that the company was the plaintiffs’ employer or that it could ensure that Illinois employers complied with BIPA. The company’s personal jurisdiction argument essentially rested on its position that holding it liable for alleged BIPA violations of other third-parties would violate the constitutional underpinning of personal jurisdiction.

Personal jurisdiction is both a statutory and constitutional requirement. States have their own rules regarding what level of activity within the state is sufficient for the court to have personal jurisdiction over the defendant while the Due Process Clause of the Fourteenth Amendment also requires that the defendant have sufficient contacts18 with the forum state.
The strength of a personal jurisdiction defense in BIPA cases is arguably questionable as courts in the Northern District of Illinois have granted and denied motions to dismiss for lack of personal jurisdiction in BIPA claims.19 In one case, the plaintiff alleged that there was personal jurisdiction over the defendant in Illinois because the defendant was registered in Illinois, had an office there, and offered its face recognition technology to millions of users, including Illinois residents.20 But the court granted the defendant’s motion to dismiss for lack of personal jurisdiction because the defendant did not specifically target Illinois residents with its conduct. In another case, Norberg v. Shutterfly, also in the same district, the defendants similarly argued that they offered their online services nationwide and did not specifically target Illinois customers.21 In the Norberg case, however, the court denied the motion to dismiss, holding that BIPA is an Illinois statute with strong interests in allowing in-state plaintiffs to litigate at home in Illinois.22 In other words, the success of a defense may hinge entirely on the judge hearing the case.

The dormant Commerce Clause presents another potential constitutional defense to BIPA, insofar as BIPA’s geographical reach may regulate activity outside of Illinois. The dormant Commerce Clause limits states’ authority to pass legislation that impacts interstate commerce.23 As with the other constitutional challenges to BIPA, the strength of this argument remains largely unknown. At least one defendant has raised this defense in conjunction with a challenge to personal jurisdiction, but a court in the Northern District of Illinois declined to address the issue because it was raised at too early a stage in the litigation without sufficient facts regarding how BIPA could affect the defendant’s business in other states.24

Finally, a defendant may also raise a constitutional due process challenge by arguing that the high statutory damages available under BIPA (up to $5,000 per single violation plus attorneys’ fees) bear no relation to the harm alleged by the plaintiff (often minimal at best).

Statute of Limitations

Defendants may also argue, if applicable, that plaintiffs have not brought their claims within the required time period, violating the applicable statute of limitations. BIPA does not specify a statute of limitations, and so the strength of this defense remains yet another potentially open issue in BIPA litigation.

Class Certification

Lastly, a challenge to the certification, or court approval, of a class is a vital component of any defense of class action litigation. Under Rule 23 of the Federal Rules of Civil Procedure, a claim may proceed as a class action only if the class is so numerous that it would be impracticable to join each individual class member to the case separately; there are common issues to the class members; the claims or defenses of the class representatives are typical of those of the class; and the representatives will protect the class interests.
BIPA fact patterns may present grounds ripe for class certification challenges, for example, if issues such as consent or extraterritoriality require courts to evaluate them on an individualized, rather than class-wide basis.

BIPA defendants have an array of potential defenses at their disposal. The viability of these defenses will become clearer as BIPA jurisprudence continues to develop in the coming months and years. Defendants faced with allegations of BIPA violations should consider what defense tactics may best serve their business and desired outcomes in litigation while also considering what changes, if any, may be needed to their compliance programs to mitigate the risk of similar suits in the future.

1 BIPA exempts some private entities, such as financial institutions or their affiliates that are subject to the Gramm-Leach-Bliley Act of 1999.
2 See No. 18-15982, 2019 WL 3727424 (9th Cir. Aug. 8, 2019).
3 U.S. Const., art. III, § 2.
4 Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547-48 (2016); Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992).
5 Spokeo, 136 S. Ct. at 1548 (quoting Lujan, 504 U.S. at 560 n.1).
7 740 Ill. Comp. Stat. Ann. 14/20.
8 See Aguilar v. Rexnord LLC, No. 17-CV-9019, 2018 WL 3239715, at **3-4 (N.D. Ill. July 3, 2018) (finding lack of standing due to absence of concrete harm where employee knew his biometric information was being collected to clock in and out); McCullough v. Smarte Carte, Inc., No. 16-C-03777, 2016 WL 4077108, at *4 (N.D. Ill. Aug. 1, 2016) (distinguishing BIPA from Article III).
9 Monroy v. Shutterfly, Inc., No. 16-C-10984, 2017 WL 4099846, at *8 n.5 (N.D. Ill. Sept. 15, 2017) (“[p]utting aside the question of whether a merely procedural or technical violation of the statute alone is sufficient to confer standing . . .” but finding that the plaintiff’s allegation of a privacy violation was sufficient).
10 290 F. Supp. 3d 948, 953-54 (N.D. Ca. 2018), aff’d, 2019 WL 3727424 (9th Cir. Aug. 8, 2019).
11 Rosenbach v. Six Flags Entm’t, Corp., No. 123186, 2019 IL 123186 (Ill. Jan. 25, 2019).
12 Rottner v. Palm Beach Tan, Inc., No. 1-18-0691, 2019 WL 1049107, at *1-2 (Ill. App. Ct. Mar. 4, 2019).
13 Monroy, 2017 WL 4099846, at *5.
14 Id. at *6.
15 Id. (allowing extraterritoriality defense to be raised at a later time “if and when the record affords a clearer picture of the circumstances relating to [the plaintiff’s] claim”).
16 28 U.S.C. § 1446(b).
17 Duron v. UNIFOCUS (Texas), L.P., No. 1:18-cv-06479 (N.D. Ill. July 29, 2019), ECF No. 64.
18 See Int’l Shoe Co. v. Washington, 326 U.S. 310, 316-17 (1945).
19 No. 15-C-7681, 2016 WL 245910 (N.D. Ill. Jan. 21, 2016) (granting motion to dismiss for lack of personal jurisdiction); Norberg v. Shutterfly, Inc., 152 F. Supp. 3d 1103 (N.D. Ill. 2015) (denying motion to dismiss for lack of personal jurisdiction).
20 2016 WL 245910, at *2.
21 See Norberg, 152 F. Supp. 3d at 1105 (explaining defendant’s business).
23 Healy v. Beer Inst., 491 U.S. 324, 326 n.1 (1989).
24 Monroy, 2017 WL 4099846, at *7-8.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
