By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik
Duane Morris Takeaways: In Barnett v. Apple Inc., Case No. 1-22-0187, 2022 Ill. App. LEXIS 556 (Ill. App. 1st Dist. Dec. 23, 2022), after a trial court dismissed a biometric privacy class action lawsuit involving the use of facial and fingerprint recognition features, the Illinois Appellate Court affirmed the dismissal order. In an important decision defining the parameters of liability under the Illinois Biometric Information Privacy Act (“BIPA”), the Illinois Appellate Court held that the users of the technology themselves were responsible for possessing, capturing, and collecting their biometric data
For businesses that are confronted with biometric privacy class action allegations in the context of recognition software, this monumental victory for Apple provides an excellent roadmap to attack such claims at the pleading stage.
Case Background
Plaintiffs alleged that Apple violated the Biometric Information Privacy Act, 740 ILCS 14/1 et seq., by offering users of its phones and computers the option of utilizing face and fingerprint recognition features without first instituting a written policy regarding the retention and destruction of the users’ biometric information; and without first obtaining the users’ written consent. Id. at *1-2. Plaintiffs claimed Apple was “in possession of,” “collected,” and “captured,” the users’ biometric information, since Apple designed, owned, and had the ability to remotely update the software. Id. at *2.
On January 3, 2022, the trial court granted Apple’s motion to dismiss. Id. at *9. First, the trial court held that Plaintiffs failed to allege that their biometric information was sent to Apple’s servers or any third party server. Rather, Plaintiffs expressly alleged that the information was stored locally on Plaintiffs’ own devices. Second, the trial court held that Plaintiffs did not allege that Apple stored any of Plaintiffs’ biometric data in Apple databases. Third, the trial court held that it was clear Plaintiffs voluntarily chose to use Face ID and Touch ID features, and could delete their biometric information from their devices if they chose. On February 2, 2022, Plaintiffs filed a timely notice of appeal. Id. at *11.
The Illinois Appellate Court’s Decision
The Illinois Appellate Court affirmed the trial court’s dismissal of Plaintiffs’ complaint. Addressing the issue of “possession,” the Appellate Court explained that the term was not defined in the BIPA statute. Id. at *16. Plaintiffs argued that Apple ‘possesse[d]” their information because Apple software collected and analyzed their information. Id. at *17. Rejecting Plaintiffs’ argument, the Appellate Court opined that based on the facts alleged by Plaintiffs, it seemed as though Apple designed these features with the express purpose of handing control to the user. Id. at *17-18. The Appellate Court also noted that these features were completely elective, explaining that the user must undertake a series of affirmative steps in order to use them. Id. Finally, the Appellate Court found that Plaintiffs’ arguments were not persuasive since Plaintiffs alleged that the information is stored on the users’ own individual devices, and that users may delete the information and disable the features at their convenience. Accordingly, the Appellate Court held that Plaintiffs failed to properly allege that Apple possessed their biometric information.
Turning to the issue of whether Apple collected and captured Plaintiffs’ biometric information, the Appellate Court explained that these terms were also not defined in the BIPA statute. Id. at *20. In support of their proposed definitions, Plaintiffs cited a BIPA class action in the employment context, where the employee plaintiff was required to use the biometric scanner or lose her job. Id. at *22-23 (citations omitted). Rejecting Plaintiffs’ argument, the Court noted that the biometric features in this care were wholly optional, the information was stored exclusively on Plaintiffs’ devices, and Plaintiffs could delete the information at will. Further, the Court noted that Plaintiffs specifically alleged that the information is stored only on their devices. Accordingly, the Appellate Court held that Plaintiffs failed to properly allege that Apple captured and collected their biometric information.
In conclusion, the Appellate Court summarized its findings as follows: “[P]laintiffs do not dispute that the user’s biometric information is stored on the user’s own device; that Apple does not collect or store this information on a separate server or device; that these features are completely optional; that the user is the sole entity deciding whether or not to use these features; that, to enable the features, the user employs his or her own device to capture and collect his or her own biometric information on that device; that, to utilize these features, the user must undertake a number of steps, which are all documented in photos in plaintiffs’ complaint; and that the user has the power to delete this biometric information from the device, at any time, without negatively impacting the device.” Id. at *22-23. Accordingly, the Appellate Court affirmed the trial court’s dismissal of Plaintiffs’ BIPA class action.
Implications For Employers
Facial recognition technology is rapidly becoming more prevalent in both the employment and consumer contexts. This decision underscores the importance of carefully analyzing the allegations in biometric privacy class action pleadings. In situations where users maintain control over their own biometric data, this may be a helpful decision to seek an early exit from the lawsuit. Finally, Apple’s victory further provides some optimism for companies defending biometric privacy class actions, as the recent tide of key decisions has largely been adverse to defendants.