Duane Morris Takeaway: This week’s episode of the Class Action Weekly Wire features Duane Morris partner Jennifer Riley and special counsel Justin Donoho with their analysis of a recent Illinois federal court ruling issued in a BIPA class action involving identify verification software in R.S., et al. v. IDology Inc.
Check out today’s episode and subscribe to our show from your preferred podcast platform: Spotify, Amazon Music, Apple Podcasts, Samsung Podcasts, Podcast Index, Tune In, Listen Notes, iHeartRadio, Deezer, and YouTube.
Episode Transcript
Jennifer Riley: Thank you for being here again for the next episode of our weekly, podcast the Class Action Weekly Wire. I’m Jennifer, Riley partner at Duane Morris and joining me today is Justin Donoho. Thank you for being on the podcast Justin.
Justin Donoho: Thank you, Jen. Great to be here.
Jennifer: Today we wanted to highlight a recent ruling in a case that alleges violations of a state privacy statute, the Illinois Biometric Information Privacy Act, or BIPA. The BIPA was enacted in 2008. It requires companies collecting users’ biometric information to inform the person in writing of what data is being collected or stored; to inform the person in writing of the specific purpose and the length of time for which the data will be collected, stored, and used; and to obtain the person’s written consent. The law also prohibits any company from selling or otherwise profiting from consumers’ biometric information. Justin, can you give our listeners some background on the BIPA ruling that we are going to be discussing today?
Justin: Yes, this case involves an individual who visited an online gaming platform, and to participate in the platform she was required to upload a selfie in order to register as well as a copy of her photo ID so that the gaming platform could take some data from both of those, and then compare the two to see if there was a match, or, in other words, to verify whether the individual was who she said she was. In order to do this comparison, or matching function, the gaming company used what is called an application programming interface, or API, embedded in the gaming software which had been developed by a separate company marketing itself as an identity verification platform, and also the defendant in this case.
So, plaintiff here sued the back-end software company doing the verification, not the gaming company whose front-end online platform she visited. She alleged that the verification company’s API obtained her “scan of face geometry” in violation of BIPA, and failed to inform her that it was doing so. Thus triggering the staggering statutory damages under BIPA that has made it such a popular statute to sue under these days anytime someone uses any software at all relating to a face.
Jennifer: Thanks, Justin. So, this lawsuit was initially filed in state court and then removed to federal court in July of 2022. The defendant thereafter moved to dismiss the action, arguing that the court lacked personal jurisdiction over IDology because it is a Georgia corporation. The defendant also argued that the plaintiff failed to allege some essential prerequisites to certain aspects of the BIPA claims, and pled other aspects only in a very conclusory manner. The ruling on that motion came earlier this week. Justin, can you tell our listeners how the Court ultimately came down?
Justin: Yes. So yeah, the defendant raised a number of arguments, but really focused mostly on two: (1) lack of personal jurisdiction under Rule 12(b)(1), and also (2) failure to plausibly allege a BIPA violation under Rule 12(b)(6), both of which had to do basically with whether the plaintiff had alleged a sufficient connection between the events alleged in the complaint and the state of Illinois. The crux of the defendant’s argument was that although the plaintiff uploaded her selfie and photo ID to the gaming platform while she was in Illinois, the defendant, during all of this, was located in Georgia, and not really doing anything itself since the API had already been embedded in the gaming platform’s software.
The Court considered these arguments, ruled from the bench, and basically rejected them, allowing the case to move forward to discovery. According to the Court, because the alleged data collection occurred in Illinois, this was a sufficient connection, at least for pleading purposes to Illinois, to allow the BIPA claims to go forward. Moreover, according to the Court, it was sufficient that the verification company enabled the gaming company to obtain the plaintiff’s alleged biometric identifiers in Illinois, even though the verification company, the defendant, did not obtain them in Illinois itself. So, this case will be proceeding, but it is important to emphasize that this was only a ruling on the plausibility of the plaintiff’s pleadings. The door is not closed to the defendant to show, after discovery is completed, that there is not a sufficient connection to Illinois to apply the statute. Once the case has all the facts in the case will be an important one to watch, since how that issue comes out may affect BIPA litigation risk to software companies outside Illinois that merely create APIs used by other full end-user software products.
One more issue in this case, of course, is the issue of verification versus identification. We see this one a lot – does software capture a sufficient “scan of face geometry” to be unique to an individual when just doing that verification, or matching function, as opposed to grabbing enough information to compare to a large database to do identification? Courts have come out both ways on this issue during the pleading stage, and it was not an argument raised in the pleading stage in this case. But this case is another one to watch in this developing area of the law as well.
Jennifer: Absolutely. We will have to see how this case progresses, and ultimately, whether the plaintiffs are successful in obtaining class certification on their claims. We will keep our listeners updated.
Justin: Agreed, and we’ll be on the lookout for any of the merits issues we’ve been discussing as well.
Jennifer: Thanks, Justin, for your insight and thanks so much to our listeners for joining us on the latest episode of the Class Action Weekly Wire. We will see you next week!
Justin: Thanks!