The Class Action Weekly Wire – Episode Seventeen: The Illinois BIPA: Fingerprints, Facial Recognition, And The Future Of Privacy Litigation

 

Duane Morris Takeaway: This week’s episode of the Class Action Weekly Wire features Duane Morris partners Jennifer Riley and Alex Karasik with their analysis of privacy class action trends and rulings from 2022, and predictions for what 2023 may bring for Corporate America given key developments in the BIPA class action litigation landscape so far this year. We hope you enjoy the episode.

Episode Transcript

Jennifer Riley: Welcome listeners, thank you for joining us for the latest edition of the Class Action Weekly Wire. We’re here this week to talk about privacy class actions and I’m joined by my colleague Alex Karasik. Alex can you tell our listeners how this area of privacy class actions has evolved over the last few years?

Alex Karasik: Thanks, Jen. Well, the BIPA statute was relatively dormant since it became law in 2008, and since then the number of BIPA class actions has exploded. In addition, if other states start enacting similar statutes regarding biometric privacy we think there will be a similar uptick in class actions for those states throughout the country, so this is definitely an emerging area of law.

Jennifer: The plaintiffs’ class action bar has sought to capitalize in this area on ambiguous statutory provisions, plus slow to develop compliance programs, coupled with stiff statutory penalties and fee shifting, to really leverage some sizable settlements in this area.

Alex: And adding to this minefield, lots of states are considering similar copycat statutes which can make it difficult for employers if you have operations in two different states that have two different laws, plus there’s been some grumblings of a potential federal statute – while none of those have come to fruition yet it’s something that they should definitely pay attention for.

Jennifer: Let’s turn to some of the key rulings in this area both this year and in 2022. Alex, what are some of the key rulings that come to mind?

Alex: In February 2023, the Illinois Supreme Court issued two long-awaited rulings that will undoubtedly shape the BIPA landscape. In Tims, et al. v. Black Horse Carriers, the Illinois Supreme Court held that a five-year statute of limitation applies to the BIPA. The statute itself doesn’t have an express limitations, so some advocates were arguing that a one-year or two-year statute of limitations should apply, but this ruling undoubtedly increases exposure for BIPA cases. In addition the Illinois Supreme Court held in Cothron, et al. v. White Castle that each individual scan is a violation of the BIPA – as opposed to being a per person basis – so once again, if multiple employees are scanning in and out of a factory or office each day, each scan being a violation will again substantially increase potential damages in this space.

Jennifer: Thanks, Alex – what kind of impact do you think these rulings are apt to have on future privacy class action litigation?

Alex: That’s an excellent question, Jen. I think that these rulings are going to increase the plaintiffs’ bar appetite knowing that there’s substantial damages to be had in this space, but at the same time one has to wonder – if it’s a per scan, each violation – plus a five-year statute of limitation – with damages now creeping into the millions and billions of dollars, is it even going to be feasible for plaintiffs to recover on a per scan basis? So that’s something to keep in mind, as I doubt plaintiffs’ counsel will want to litigate these cases in bankruptcy court against businesses. It’ll also be interesting to see the different defenses that an employer or company might offer when defending one of these cases in terms of the constitutionality of such damages, so it remains to be seen how these new goal posts that have been set by the Illinois Supreme Court in February of 2023 will impact both how these cases are tried and resolved, but there’s definitely going to be some big changes on the forefront.

Jennifer: Wow, no wonder this area has really exploded over the past year. Are there any other impactful or interesting rulings that come to mind from 2022-2023?

Alex: Absolutely, Jen. The first BIPA jury trial occurred in 2022 in the fall, and that left a huge impression in this space. In that case, Rogers, et al. v.  BNSF Railway, approximately 45,000 truckers sued a railway company in terms of BIPA violations. There the jury found there were approximately 45,600 discrete violations of the BIPA, and at that point, after entering judgment, the damages were $228 million dollars – that’s a lot of money, and the jury there didn’t sympathize with the employer’s arguments, and awarded the full willful damages available under the statute. So I think that for businesses and employers that are thinking about trying one of these cases in front of a jury pool in Chicago or potentially beyond – there’s a lot of risk there.

Jennifer: Thanks, Alex – that is some serious money awarded by the jury in that case. We’ll be sure to keep our listeners up to date on happenings in that matter. Are there any other important rulings that our listeners should know about?

Alex: Yeah, absolutely Jen, there are some cases that come to mind that are trying new novel approaches to the BIPA statute. First, in Wilks, et al. v. Brainshark, this case involved the facial recognition in recording of presentations. In the traditional BIPA context, especially in the early years when these class actions first started to get filed, it would predominantly involve allegations of thumbprint or fingerprint scanning, but I think you’re starting to see more in the facial recognition space. Jen, were there any rulings from 2022 that you found interesting?

Jennifer: Thanks, Alex – one that comes to mind immediately is a ruling called Kukovec, et al. v. The Estée Lauder Companies, Inc. That was an interesting ruling because it involved try-on technology. The plaintiffs brought suit against The Estée Lauder Companies alleging that their try-on tool collected or captured facial geometry, and that the defendants had failed to get users consent and failed to inform users regarding the collection and the retention of such data. The defendant in that case moved to dismiss on various grounds.

First, the defendant moved to dismiss on the ground that the court lacked personal jurisdiction – this is an interesting argument because the defendant said the tool was available to Illinois consumers, but more as a passive tool that was available and therefore there wasn’t this purposeful availment of the jurisdiction. The court disagreed and said that the try-on tool was part of the defendant’s marketing and sales strategy, and that the consumers actually had the option to use buttons, to add products to the cart, to send products as gifts through the website, so it was sufficient for personal jurisdiction – and the court noted that the defendant’s argument took an overly narrow view.

Secondly, the defendant argued that venue was improper because there was an arbitration agreement. This is interesting as well because the defendant claimed that the arbitration agreement was part of the terms of use for its web page, but the court disagreed and said that the plaintiff lacked constructive knowledge or there was a lack of evidence that the plaintiff had constructive knowledge of the arbitration agreement, and therefore a lack of evidence the plaintiff accepted those terms.

Third, the defendant sought to dismiss the complaint on the grounds that the plaintiff had alleged only conclusory statements and had failed to allege facts and support of allegations that biometric information was actually collected. The court disagreed and found the pleading sufficient to meet the pleading standards, and that the plaintiff had alleged enough to infer that the defendant had captured biometric information. However, the court ruled that since recklessness and intentionality requires a specific state of mind, that the plaintiff had failed to allege facts in support of those claims, and the court ran a dismissal of those.

Finally, the defendant contended that because the plaintiff had not used the websites of four other brands that also utilize the virtual try-on tool, that the plaintiff lacks standing to represent a class of consumers as to those websites. The court said that argument was premature because the plaintiff had not actually moved to certify a class yet. So that is an interesting ruling, and I think as the popularity of try on tools and technologies continues to grow, we’re going to see more lawsuits attacking similar products and similar technologies fueling or helping to fuel that growth in the biometric data privacy front.

Alex: Wow, that’s a great example Jen, and I can imagine that in the Renaissance Era of e-commerce, virtual try-on tools become more and more popular as people seek to purchase goods and retail products online and we’re going to see a lot more of those from the plaintiffs’ bar in the near future.

Jennifer: How about top settlements, Alex, was the plaintiffs’ bar able to capture big dollars for plaintiffs in privacy class actions over the past year?

Alex: Oh yeah – there’s been a lot of big money dollars in BIPA settlements! There’s a Google settlement for $100 million and a TikTok settlement for $92 million that lead the way, and in fact over the whole tenure of the BIPA statute there’s been over a billion dollars recovered under this law, so it’s absolutely worth a lot of money to employers and businesses – and I think these eye-popping numbers alone should be reason to convince companies of the potential financial risk of not complying with the BIPA.

Jennifer: Thanks, Alex. I think one of our key takeaways here is that it’s very important for companies and corporate counsel to implement policies and procedures that fully comply with the BIPA and other state and federal privacy regulations and statutes. Companies should implement proper safeguards, they should implement consent processes for the collection and retention of biometric data – particularly with respect to Illinois consumers – and in other states either with or considering similar legislation. Companies should also take heed of how they notify users and obtain their consent before collection of biometric information.

Alex: Thank you Jen for your time today, and thank you to our listeners for paying attention to our BIPA and privacy presentation. This is obviously a rapidly emerging area of law that absolutely will continue to evolve day by day in the near future.

Jennifer: Thank you Alex, thank you for joining us and thank you to our listeners for viewing another episode of the Class Action Weekly Wire – we’ll see you next week.

Alex: See you soon!

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress