By: Gerald L. Maatman, Jr., Jennifer A. Riley, and Tyler Z. Zmick
Duane Morris Takeaways: In Trio v. Turing Video, Inc., No. 21-CV-4409, 2022 WL 4466050 (N.D. Ill. Sept. 26, 2022), the Court issued yet another plaintiff-friendly decision under the Illinois Biometric Information Privacy Act (“BIPA”), putting businesses on notice that the statute can apply to technology used to screen individuals for purposes of preventing the spread of COVID-19. The Court denied the three arguments raised in the Defendant’s motion to dismiss, and held that: (1) personal jurisdiction existed because the Defendant sent “biometric” devices to multiple Illinois-based customers; (2) the Plaintiff’s claims were not preempted by the Labor Management Relations Act; and (3) Plaintiff adequately alleged claims under BIPA. The ruling in Trio ought to be required reading for corporate counsel dealing with privacy class action litigation.
Background
Plaintiff alleged that Defendant Turing Video, Inc. sold “products integrated with artificial intelligence,” including the Turing Shield, a “kiosk that allows Turing’s customers to screen their employees for COVID-19.” See Mem. Op. & Order at 2. According to Plaintiff, the Turing Shield works by screening a user’s temperature through the device’s camera, thereby using its “artificial intelligence algorithm” to recognize the user based on his or her facial geometry, and detecting whether the user is wearing a protective mask. Plaintiff also alleged that data collected through the Turing Shield was transmitted to third parties who host that data.
Plaintiff previously worked in Illinois for New Albertson’s, Inc. d/b/a Jewel-Osco, where she used the Turing Shield at the start of each workday as part of the store’s COVID-19 screening process. Based on her use of the device, Plaintiff claimed that Turing violated the BIPA by: (i) failing to inform her that the Turing Shield would collect her biometric data, and (ii) disseminating her biometric data to third parties without her consent.
Turing moved to dismiss on three grounds, including: (1) that the Court lacked personal jurisdiction; (2) Plaintiff’s claims were preempted by the Labor Management Relations Act; and (3) Plaintiff failed to state a claim upon which relief could be granted.
The Court’s Decision
The Court denied Turing’s motion to dismiss on all three grounds.
Personal Jurisdiction
Turing argued that the Court lacked specific personal jurisdiction because Turing was a non-forum (i.e., California) resident that sold the devices used by Plaintiff to a non-party, Jewel-Osco (also a non-forum resident), and Jewel-Osco brought the devices into Illinois without Turing’s involvement.
The Court held that the evidence – which showed Turing had over 30 Illinois-based customers and had shipped Turing Shields into Illinois – established that Turing had the requisite minimum contacts with Illinois to establish personal jurisdiction.
Labor Management Relations Act Preemption
The Court next addressed Turing’s argument that Plaintiff’s claims were preempted by Section 301 of the Labor Management Relations Act (the “LMRA”), which establishes federal jurisdiction over “suits for violations of contracts between an employer and a labor organization representing employees in an industry affecting commerce.” Courts typically interpret Section 301 as preempting state law claims that are “substantially dependent on analysis of a collective-bargaining agreement.” Id. at 18.
Here, Plaintiff was represented by a union and subject to a collective bargaining agreement (“CBA”) while employed at Jewel-Osco. Based on those facts, Turing claimed that resolving Plaintiff’s BIPA claims for alleged privacy invasions sustained through her work required the Court to interpret the CBA. The Court disagreed. It held that Plaintiff’s claims were not preempted because the Court could resolve the claims without interpreting the CBA.
The Court recognized that the Seventh Circuit has held that federal law preempts BIPA claims brought by certain union-represented employees against their employers. See Miller v. Southwest Airlines Co., 926 F.3d 898, 903 (7th Cir. 2019); Fernandez v. Kerry, Inc., 14 F.4th 644, 646-47 (7th Cir. 2021). The Court distinguished those cases because Turing was not a party to the CBA, and “Turing’s obligations under BIPA stand wholly independent of whether Plaintiff’s union may have consented to Jewel-Osco . . . collecting and disseminating her biometric data. In other words, resolution of the state law BIPA claims would not require this Court to interpret any [CBA], and instead depend upon the entirely unrelated question of whether Turing provided Plaintiff with the necessary disclosures and obtained from her the required written release before it collected and disseminated her biometric information.” Mem. Op. & Order at 20-21.
Extraterritoriality & PREP Act Immunity
Finally, the Court rejected Turing’s arguments that: (i) Plaintiff failed to allege that Turing’s relevant conduct occurred in Illinois, and (ii) the Public Readiness and Emergency Preparedness Act (the “PREP Act”) immunized Turing from BIPA liability. Regarding extraterritoriality, the Court held that Plaintiff sufficiently alleged that Turing’s conduct occurred “primarily and substantially” in Illinois, thereby satisfying the “extraterritoriality doctrine.” Id. at 25. Regarding PREP Act immunity, the Court noted that the PREP Act provides immunity from liability relating to the “use of a covered countermeasure” upon the declaration of a public health emergency by the Secretary of the Department of Health and Human Services. The Court held that PREP Act immunity did not apply because the Food and Drug Administration had not approved the Turing Shield, meaning the device did not satisfy the definition of a “covered countermeasure.” Id. at 28.
Conclusion
Trio can be added to the list of recent plaintiff-friendly BIPA decisions, as it reinforces the growing consensus that multiple private entities can be subject to liability under the statute for what may seem like a single “violation.”
The case also raises a potential hurdle to asserting jurisdictional defenses to BIPA claims based on its holding that personal jurisdiction can exist even where the defendant does not send into Illinois the specific device used to collect a plaintiff’s “biometric” data. Other courts, however, appear more willing to dismiss BIPA claims on personal jurisdiction grounds. See, e.g., Gutierrez v. Wemagine.AI LLP, Case No. 21-CV-5702, ECF No. 32, Mem. Op. & Order at 1 (N.D. Ill. Oct. 7, 2022) (available here) (dismissing BIPA case for lack of personal jurisdiction despite plaintiffs’ allegation that defendant’s app “derives substantial revenue from nearly 5,000 Illinois-based users”).