Alex W. Karasik – Page 4 – Class Action Defense

February 28, 2023March 7, 2023 by Gerald L. Maatman, Jr.

Introducing The Duane Morris Privacy Class Action Review – 2023

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Takeaways: The last year saw a virtual explosion in privacy class action litigation. As a result, compliance with privacy laws in the myriad of ways that companies interact with employees, customers, and third parties is a corporate imperative. To that end, the class action team at Duane Morris is pleased to present the inaugural edition of the Privacy Class Action Review – 2023. This new publication analyzes the key privacy-related rulings and developments in 2022 and the significant legal decisions and trends impacting privacy class action litigation for 2023. We hope that companies and employers will benefit from this resource in their compliance with these evolving laws and standards.

Click here to download a copy of the Privacy Class Action Review – 2023 eBook.

Co-Editor of the Review Jerry Maatman provided insights on our new publication earlier this week to the Wall Street Journal in its article on privacy class action litigation, which can be found here: Biometric-Privacy Rulings in Illinois Expand Potential Liability for Tech Firms – WSJ

Duane Morris partners Jerry Maatman, Jennifer Riley, and Alex Karasik also recently recorded the first edition of “The Class Action Weekly Wire,” our new podcast series, in which contributors to our Duane Morris Class Action Review discuss the significant rulings and legislation in various areas of law. To add context to our new publication, last Friday’s edition discussed recent developments in privacy class action litigation. Click here to watch and listen to the podcast!

February 24, 2023 by Gerald L. Maatman, Jr.

Introducing The Class Action Weekly Wire Podcast!

February 17, 2023February 17, 2023 by Gerald L. Maatman, Jr.

Illinois Supreme Court Holds Each Fingerprint Scan Is A Separate BIPA Violation – Thereby Creating The Potential For Increased Damages In Privacy Class Actions

By Gerald L. Maatman, Jr., Alex W. Karasik, Tyler Z. Zmick, and Jennifer A. Riley

Duane Morris Takeaways: In the latest ruling in Illinois in the biometric privacy class action space, the Illinois Supreme Court decided today in Cothron v. White Castle, 2023 IL 128004 (Ill. Feb. 17, 2023), that a separate claim for damages accrues under the Biometric Information Privacy Act (“BIPA”) each time a private entity scans or transmits an individual’s biometric identifier or information, in violation of section 15(b) or 15(d).

This ruling could exponentially increase monetary damages in class actions brought under the BIPA, especially in the employment context, where employees scan in and out of work multiple times per day for several hundred days per year.

Case Background

Plaintiff alleged that after she started working at White Castle in 2004, the company required her to use a fingerprint-based system to access the workplace computer she used in her position as a manager. Plaintiff sued White Castle several years later in 2018, alleging that the company violated Sections 15(b) and 15(d) of the BIPA in connection with the fingerprint-based system by (i) collecting her biometric data without providing her with the requisite notice and obtaining her written consent, and (ii) disclosing her biometric data without consent.

After removing the complaint to the U.S. District Court for the Northern District of Illinois, White Castle moved for judgment on the pleadings on the basis that Plaintiff’s claims were untimely. Specifically, White Castle argued that Plaintiff’s BIPA claims accrued in 2008 (when her first fingerprint scan occurred after the BIPA took effect), yet she did not file her complaint until 2018. The District Court rejected White Castle’s one-time-only theory of claim accrual, holding that the lawsuit was timely because each separate unauthorized fingerprint scan constituted an independent violation of the statute, meaning Plaintiff’s BIPA claims were timely because her last fingerprint scan occurred within five years of the filing of her complaint. Because the issue presented a close call, however, the District Court permitted White Castle to file an interlocutory appeal with the Seventh Circuit regarding whether Section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits a scan to a third party, respectively, or only upon the first scan and first transmission.

The U.S. Court of Appeals for the Seventh Circuit accepted the interlocutory appeal. Id. ¶ 9. After determining that Plaintiff had standing to bring her action in federal court under Article III of the U.S. Constitution, the Seventh Circuit addressed the parties’ respective arguments on the accrual of a claim under the Act. Id. Ultimately, the Seventh Circuit found the parties’ competing interpretations of claim accrual reasonable under Illinois law, and it agreed with Plaintiff that “the novelty and uncertainty of the claim-accrual question” warranted certification of the question to the Illinois Supreme Court. Id. at 1165-66. The Seventh Circuit “observed that the answer to the claim-accrual question would determine the outcome of the parties’ dispute, this court could potentially side with either party on the question, the question was likely to recur, and it involved a unique Illinois statute regularly applied by federal courts.” Id..

The Illinois Supreme Court’s Decision

In a 4-3 split ruling, the Illinois Supreme Court held today that that a separate claim accrues under the BIPA each time a private entity scans or transmits an individual’s biometric identifier or information, in violation of section 15(b) or 15(d). First, the Illinois Supreme Court analyzed the certified question with respect to Section 15(b), which provides that no private entity “may collect, capture, purchase, receive through trade, or otherwise obtain” a person’s biometric data unless it first provides notice and receives written consent. 740 ILCS 14/15(b). Relying on the plain language of the statute and the fact that the actions of “collecting” and “capturing” biometric data can occur more than once, the Supreme Court agreed with Plaintiff’s interpretation – namely, that Section 15(b) “applies to every instance when a private entity collects biometric information without prior consent.” Id. ¶¶ 19, 23. As interpreted in the context of the facts of the case, the Supreme Court further observed that White Castle obtains an employee’s fingerprint, stores it in its database, and then compares the fingerprint taken during subsequent scans to verify the identity of the employee. In the Supreme Court’s words, White Castle “fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub.” Id. ¶ 23. Accordingly, consistent with the District Court’s decision in Cothron and the Illinois Appellate Court’s conclusion in Watson, 2021 IL App (1st) 210279, ¶ 46, the Illinois Supreme Court held that an entity violates Section 15(b) the first time it collects biometric data without having provided the requisite notice and obtaining consent, in addition to “each subsequent scan or collection.” Id. ¶ 24.

Next, closely tracking its analysis of Section 15(b), the Supreme Court similarly held that BIPA Section 15(d) – which prohibits the disclosure, redisclosure, or dissemination of biometric data without consent – “applies to every transmission to a third party.” Id. ¶ 28. Like the verbs “collect” and “capture” in Section 15(b), the acts of disclosing and redisclosing biometric data occur upon the initial disclosure in addition to any subsequent disclosure or redisclosure of the data. See id. ¶ 29 (“A fingerprint scan system requires a person to expose his or her fingerprint to the system so that the print may be compared with the stored copy, and this happens each time a person uses the system.”).

The majority opinion also rejected White Castle’s remaining “nontextual” arguments supporting its single-accrual interpretation. White Castle argued that a BIPA claim accrued only upon the initial collection or disclosure of a person’s biometric data because an individual loses the right to control his or her biometric data as soon as the data is collected and/or disclosed. In rejecting the argument, the Supreme Court again relied on the statute’s plain language, stating: “[n]o such limitation appears in the statute. We cannot rewrite a statute to create new elements or limitations not included by the legislature.” Id. ¶ 39.

Next, the Supreme Court turned to White Castle’s argument that in light of the BIPA’s liquidated damages provision, interpreting the statute to mean an entity violates Sections 15(b) and 15(d) every time it collects or discloses biometric data means “a party may recover for “each violation,” allowing multiple or repeated accruals of claims by one individual could potentially result in punitive and “astronomical” damage awards that would constitute “annihilative liability” not contemplated by the legislature and possibly be unconstitutional.” Id. ¶ 41. For example, White Castle estimated that if Plaintiff was successful and allowed to bring her claims on behalf of as many as 9,500 current and former White Castle employees, classwide damages in her action may exceed $17 billion. Once again, the Supreme Court rejected White Castle’s argument because the statutory language is clear and supports plaintiff’s position. See id. ¶ 40 (“As the district court observed, this court has repeatedly held that, where statutory language is clear, it must be given effect, “ ‘even though the consequences may be harsh, unjust, absurd or unwise.’ ” (Emphasis omitted.) Cothron, 477 F. Supp. 3d at 734 (quoting Peterson v. Wallach, 198 Ill. 2d 439, 447 (2002)).”).

Importantly, however, the Supreme Court acknowledged that trial courts could exercise their discretion to reduce the amount of statutory damages that plaintiffs can recover. Id. ¶ 42. In closing, the Supreme Court reiterated the position that White Castle’s “policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature,” and it “suggest[ed] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.” Id. ¶ 43. Accordingly, the Illinois Supreme Court concluded that the plain language of section 15(b) and 15(d) shows that a claim accrues under the BIPA with every scan or transmission of biometric identifiers or biometric information without prior informed consent.

The Dissent

Notably, three Illinois Supreme Court Justices, inclusive Chief Justice Theis, joined the Dissenting Opinion. Of note, the Dissent opined that two significant consequences militate against the majority’s construction. Id. ¶ 60. First, under the majority’s rule, plaintiffs would be incentivized to delay bringing their claims as long as possible, since “If every scan is a separate, actionable violation, qualifying for an award of liquidated damages, then it is in a plaintiff’s interest to delay bringing suit as long as possible to keep racking up damages.” Id. Second, the Dissent noted that, “the majority’s construction of the Act could easily lead to annihilative liability for businesses.” Id. at ¶ 61.

In sum, the Dissent commented that, “Imposing punitive, crippling liability on businesses could not have been a goal of the Act, nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm. Id. ¶ 63. To this point, the Dissent opined that, “nothing in the Act indicating that the legislature intended to impose cumbersome requirements or punitive, crippling liability on corporations for multiple authentication scans of the same biometric identifier. The legislature’s intent was to ensure the safe use of biometric information, not to discourage its use altogether.”

Implications For Employers

Following the Illinois Supreme Court’s similar pro-plaintiff ruling in Tims v. Black Horse Carriers, 2023 IL 127801 (Ill. Feb. 2, 2023), which applied a five-year statute of limitations to the BIPA instead of a one-year statute of limitations, the well is beginning to dry for businesses in terms of potential BIPA class action defenses. While employers can still explore novel exemptions, such as information captured from a patient in a health care setting, most companies caught in the crosshairs of BIPA class actions will be facing monumental amounts of potential damages.

Businesses confronted with BIPA class actions may need to explore alternative potential defenses, such as the constitutionality of the overbearing damages thresholds. Companies will also likely push for legislative changes. Nonetheless, given the bleak outlook of the law as it stands, it is imperative for businesses to immediately ensure they are compliant with the BIPA.

February 14, 2023March 12, 2025 by Alex W. Karasik

Dior Dismissed From Illinois BIPA Class Action Lawsuit Challenging Virtual Try-On Technology

By Kelly A. Bonner, Alex W. Karasik, Gerald L. Maatman, Jr., and Jennifer A. Riley

Duane Morris Takeaways: In a significant win for fashion and beauty retailers in the privacy class action space, in Warmack-Stillwell v. Christian Dior Inc., No. 1:22-CV-04633, 2023 U.S. Dist. LEXIS 22926 (N.D. Ill. Feb. 10, 2023), an Illinois federal court held that an exemption to the Illinois Biometric Information Privacy Act (“BIPA”) for data captured from a patient in a health care setting barred proposed class action claims alleging that luxury giant Christian Dior Inc.’s (“Dior”) virtual try-on tool (“VTOT”) violated the BIPA.

Businesses in Illinois, particularly online fashion and beauty retailers, can use this ruling to attack BIPA claims involving VTOT technology.

Case Background

As discussed in our previous publications, lawsuits involving BIPA claims and eyewear have been dismissed under one of BIPA’s statutory exemptions, which in relevant part excludes from its definitions of biometric identifiers and biometric information: (1) information captured from a patient in a health care setting; or (2) information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996, including prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses.

Plaintiff alleged that Dior maintained a VTOT feature on its website that collected users’ facial geometry data without first obtaining written consent or informing users of the purpose and length of time that their data was being collected in violation of Section 15(b) of BIPA. Plaintiff also alleged that Dior failed to provide a publicly available data retention and destruction schedule, as required by Section 15(a) of BIPA.

Dior moved to dismiss Plaintiff’s complaint on the basis that the BIPA’s health care exemption applied to non-prescription sunglasses, such as the ones sold by Dior and which the plaintiff alleged that she tried on with the VTOT technology, and thus precluded Plaintiff’s claims.

Plaintiff countered that the sunglasses were fashion accessories; Dior’s website was not a health care setting; and Dior’s consumers were not patients. Plaintiff also sought to distinguish prior decisions applying the BIPA’s health care exemption as focusing on the VTOT technology being used for prescription glasses, akin to optometrist fittings, and not in connection with the purchase of luxury sunglasses. Id. at *8.

The Court’s Decision

The Court granted Dior’s motion to dismiss under Rule 12(b)(6). First, the Court explained that Plaintiff qualified as a “patient in a health care setting” under the dictionary definition of the term “patient,” and that Dior’s VTOT feature “facilitates the provision of a medical device that protects vision.” Id. at *8. Similarly, the Court held that use of the VTOT technology constituted “health care,” which the dictionary defined as “efforts made to maintain or restore physical, mental, or emotional well-being especially by trained and licensed professionals.” Id. at *9.

In addition, the Court reasoned that the relevant test was “not a user’s subjective understanding, but rather an objective application of the text of the exemption.” Id. at *8-9. The Court opined that the outcome of the analysis should not change if a consumer uses the VTOT in search of primarily stylish sunglasses rather than protective ones.

Plaintiff attempted to distinguish Dior’s website from a “health care setting” by arguing that “[a]n artist prepping a canvas is not providing a health care service if they use a scalpel instead of an Xacto knife.” Id. at *9. As to that point, the Court concluded that the VTOT feature facilitated the purchase of sunglasses to wear on one’s face and protect one’s eyes, thus performing the product’s intended medical function rather than an unconventional purpose.

Similarly, the Court rejected Plaintiff’s attempts to analogize her case to BIPA suits against blood plasma centers, in which courts rejected application of the health care exemption. Even if the cases applied the same definitions of “health care” and “patient,” the Court concluded that the removal of plasma for commercial purposes is not “health care because the purpose — at least from the plasma donors’ perspectives — was not to ‘maintain or restore physical, mental or emotional well-being’; it was to get paid.” Id. at *11.

Finally, the Court notably denied Dior’s motion to dismiss under Rule 12(b)(1), rejecting Dior’s argument that Plaintiff failed to allege an injury-in-fact sufficient for Article III standing. The Court concluded that Plaintiff sufficiently alleged an injury-in-fact under Section 15(a) “because “unlawful retention of a person’s biometric data is as concrete and particularized an injury as an unlawful collection of a person’s biometric data.” Id. at *11.

Accordingly, the Court granted Dior’s motion to dismiss on Rule 12(b)(6) grounds, but rejected Dior’s Article III standing argument and denied its motion based on Rule 12(b)(1).

Implications for Retailers

The Court’s decision in Warmack is a solid victory for fashion and apparel retailers, and indicates that courts are willing to expand the BIPA’s healthcare exemption to more retail-oriented environments, and adopt a plain reading of the statue rather than seeking to discern legislative intent. This ruling could have significant implications for personal care products retailers, especially those who utilize VTOT features to assess skin complaints such as aging, hyperpigmentation, and recommend treatments, and whether those defenses will draw regulatory scrutiny for purposed “drug” claims.

In the meantime, retailers should stay abreast of biometric data privacy laws in Illinois and beyond, and ensure that their privacy policies stay current with evolving nationwide legislation.

February 2, 2023 by Alex W. Karasik

Illinois Supreme Court Holds Five-Year Statute Of Limitations Applies To The BIPA

By Alex W. Karasik, Gerald L. Maatman, Jr., and Jennifer A. Riley

Duane Morris Takeaways: In one of the most highly anticipated class action rulings in years, in Tims, et al. v. Black Horse Carriers, Inc., Case No. 127801 (Ill. Feb. 2, 2023), the Illinois Supreme Court held that a five-year statute of limitations applies to claims under the Biometric Information Privacy Act, 740 ILCS 14/15 (“the BIPA”). This ruling adds to the risks for employers and companies who do business in Illinois in terms of BIPA class action exposures.

Given that the BIPA statute does not have an explicit statute of limitations, the Illinois Supreme Court’s ruling now provides clarity for litigants and attorneys in this space as to the scope of the putative classes in their lawsuits.

Case Background

In March 2019, Plaintiff filed a class action complaint alleging that Defendant violated the BIPA through its timekeeping practices that involved the scanning and storing of employees’ fingerprints. Plaintiff asserted claims under three sub-sections of the law, including: (1) section 15(a) of the BIPA, for failing to institute, maintain, and adhere to a retention schedule for biometric data; (2) section 15(b) of the BIPA, which states that no private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information without notice and consent; and (3) section 15(d) of the BIPA, which involves the unlawful disclosure or dissemination of biometric data without first obtaining consent. Of note, section 15(c) of the BIPA prohibit the sale of a person’s biometric data for a profit, and section 15(e) of the BIPA imposes a duty of reasonable care in storing and protecting biometric data from disclosure.

On September 17, 2021, the Illinois Appellate Court held that hat a one-year limitations period pursuant to section 13-201 of the Illinois Code of Civil Procedure (the “Code”) governs actions under sections 15(c) and (d) of the BIPA, while a five-year statute of limitations pursuant to section 13-205 applies to sections 15(a), (b), and (e). The Illinois Appellate Court explained that the BIPA imposes various duties that are separate and distinct from one another. While each of the duties set forth under sections (a)-(e) “concern privacy,” the Appellate Court reasoned that a private entity could violate sections (a), (b), or (e) “without having to allege or prove that the defendant . . . published or disclosed any biometric data.” Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, at ¶ 31 (1st Dist. Sept. 17, 2021). However, the “publication or disclosure of biometric data is clearly an element of an action under” sections 15(c) and (d). Id. at ¶ 32. Accordingly, the Illinois Appellate Court applied the state’s one-year statute of limitations for right of privacy claims for sections (c) and (d), and applied the five-year “catch all” statute of limitations for sections (a), (b), and (e).

The Illinois Supreme Court’s Decision

On February 2, 2023, the Illinois Supreme Court affirmed in part and reversed in part the Illinois Appellate Court’s decision. First, the Illinois Supreme Court notably opined that it, “agree[d] with the parties that the [A]ppellate [C]ourt erred in applying two different statutes of limitations to the Act.” Tims, 2023 IL 127801, at ¶ 16. It explained that one of the purposes of a limitations period is to reduce uncertainty and create finality and predictability in the administration of justice. Id. at ¶ 20 (citations omitted). The Illinois Supreme Court thus held that, “applying two different limitations periods or timebar standards to different subsections of section 15 of the Act would create an unclear, inconvenient, inconsistent, and potentially unworkable regime as it pertains to the administration of justice for claims under the Act.” Id. at ¶ 21.

Having decided that a singular uniform statute of limitations should apply, the Illinois Supreme Court next analyzed whether the statute of limitations should be five years or one year. Analyzing the plain language of the BIPA statute, the Illinois Supreme Court held that all five subsections of section 15 of the Act prescribe rules to regulate the collection, retention, disclosure, and destruction of biometric identifiers and biometric information. Id. at ¶ 29. In regards to the Illinois Appellate Court’s holding that section 15(a), 15(b), and 15(e) of the Act contained no words that could be defined as involving “publication,” the Illinois Supreme Court held that the Illinois Appellate Court correctly found that subsections (a), (b), and (e) are subject to the five-year “catchall” limitations period codified in section 13-205 of the Code. Id. at ¶ 30.

Turning to subsections (c) and (d), the Illinois Supreme Court acknowledged that the one-year statute of limitations could be applied. Id. at ¶ 32. However, the Illinois Supreme Court held that, “when we consider not just the plain language of section 15 but also the intent of the legislature, the purposes to be achieved by the statute, and the fact that there is no limitations period in the Act, we find that it would be best to apply the five-year catchall limitations period codified in section 13-205. Id. at ¶ 30. The Illinois Supreme Court explained that this outcome would further its goal of ensuring certainty and predictability in the administration of limitations periods that apply to causes of actions under the BIPA. Id. at ¶ 32. In support of its conclusion, the Illinois Supreme Court held that Illinois courts have routinely applied this five-year catchall limitations period to other statutes lacking a specific limitations period, such as the BIPA. Id. at ¶ 34.

Finally, the Illinois Supreme Court examined the Illinois General Assembly’s goals in enacting the BIPA statute. The Illinois Supreme Court opined that in light of the extensive consideration the General Assembly gave to the fears of and risks to the public surrounding the disclosure of highly sensitive biometric information, “it would thwart legislative intent to (1) shorten the amount of time an aggrieved party would have to seek redress for a private entity’s noncompliance with the Act and (2) shorten the amount of time a private entity would be held liable for noncompliance with the Act.” Id. at ¶ 39. The opinion also noted that defamation torts such as libel and slander are subject to a short limitations period because aggrieved individuals are expected to quickly become apprised of the injury and act quickly when their reputation has been publicly compromised, while it would be uncertain as to whether an individual would ever become aware of their biometric being improperly disclosed or misappropriated. Id.

The Illinois Supreme Court concluded its opinion by holding that the five-year limitations period contained in section 13-205 of the Code controls claims under the BIPA. Therefore, the Illinois Supreme Court affirmed in part and reversed in part the judgment of the Appellate Court, and remanded the cause to the Circuit Court for further proceedings.

Implications For Employers

This decision is unsurprising given the public policy behind the law and the growing importance of privacy. The five-year statute of limitations serves to increase BIPA class action litigation exposure.

Companies can expect more BIPA-related rulings in the near term. The Illinois Supreme Court is due to issue its decision in Cothron v. White Castle System, Inc., No. 1280004 (Ill.), which will decide whether each fingerprint scan is its own discrete violation. An adverse finding in Cothron could enhance BIPA class action exposures.

If employers have not already done so, now is time to make sure their timekeeping procedures and consent policies are legally compliant. The Tims ruling is apt to increase the plaintiff class action bar’s appetite for BIPA claims, so it is more important than ever for employers to make sure their procedures are legally sound.

January 13, 2023January 13, 2023 by Gerald L. Maatman, Jr.

Key Takeaways From The EEOC’s Draft Strategic Enforcement Plan For 2023-2027

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Takeaways: On January 10, 2023, the EEOC published a draft of its proposed Strategic Enforcement Plan (“SEP”) for Fiscal Years 2023-2027. While the draft SEP was only released for public comment and is not yet final, a reading of the tea leaves suggests that a handful of subjects will be squarely on the EEOC’s radar for the next four years, including: (1) discrimination stemming from the use of artificial intelligence in hiring; (2) preventing and remedying systemic harassment; (3) equal pay obligations; and (4) various categories relating to emerging areas where protections are needed, protecting vulnerable workers, and providing access to justice.

The EEOC’s Strategic Priorities

Artificial Intelligence

While the EEOC’s focus on eliminating barriers in recruitment and hiring is not a new phenomenon, employers’ increasing use of artificial intelligence in hiring has added a new wrinkle in this space. The SEP specifically notes that the EEOC will focus “on the use of automated systems, including artificial intelligence or machine learning, to target job advertisements, recruit applicants, or make or assist in hiring decisions where such systems intentionally exclude or adversely impact protected group.” Id. at 9. The Commission adds that it will monitor screening tools or requirements that disproportionately impact workers based on their protected status, including those facilitated by artificial intelligence or other automated systems, pre-employment tests, and background checks. Finally, the EEOC notes that it will keep an eye on restrictive application processes or systems, including online systems that are difficult for individuals with disabilities or other protected groups to access.

Employers who utilize artificial intelligence in the hiring process should take heed. The EEOC listed this category first in terms of subject matter priorities. Given the Commission’s implied skepticism in regards to the impact of automated hiring software, now is the time for employers to vet their systems and make sure they are legally compliant.

Systemic Harassment

Preventing and remedying systemic discrimination has long been a cornerstone priority for the EEOC. The EEOC Commissioners appointed by different presidential administrations have taken varying approaches to tackling discrimination on a systemic level, but regardless, the EEOC always has its eyes open for instances where there is widespread discriminatory practices at a company. The SEP makes clear that “[h]arassment remains a serious workplace problem,” noting that over 34% of the charges of employment discrimination the EEOC received between FY 2017 and FY 2021 included an allegation of harassment. Id. at 14. The SEP labels this a potential systemic issue, noting that a claim by an individual or small group may fall within this priority if it is related to a widespread pattern or practice of harassment. The EEOC indicates it will combat this problem by focusing on strong enforcement with appropriate monetary relief and targeted equitable relief to prevent future harassment.

While isolated incidents of harassment at largescale organizations may seem inevitable, the SEP’s declaration of this priority suggests employers need to pay closer attention to claims of harassment. If the EEOC senses that harassment is part of the fabric of an organization’s culture, such a situation could be ripe for a systemic discrimination claim. Accordingly, employers should take each individual claim of harassment seriously, and should consistently work to eradicate such behavior from the workplace.

Equal Pay

The SEP makes clear that equal pay, and gender pay differences in particular, will continue to be a focus for the EEOC. The SEP notes that “[b]ecause many workers do not know how their pay compares to their coworkers’ and, therefore, are less likely to discover and report pay discrimination, the Commission will continue to use directed investigations and Commissioner Charges, as appropriate, to facilitate enforcement.” Id. at *13. Transparency appears to be a key component of this strategic priority, as the EEOC opines that pay secrecy policies, retaliating against workers for asking about pay or sharing their pay with coworkers, reliance on past salary history to set pay, and requiring applicants to specify their desired or expected salary at the application stage will all be areas of concern.

Pay audits should be a consistent practice for employers. If they are not, the EEOC’s inclusion of this priority in its SEP suggests that the Commission will aggressively investigate such claims and ask employers to produce data. Employers can best avoid the time and cost-draining exercises of producing pay data by proactively examining their compensation practices up front.

Additional Priorities

The remaining three subject matter priorities include: (1) addressing emerging and developing issues; (2) protecting vulnerable workers; and (3) providing access to justice. In regards to emerging issues, the SEP seeks to address discrimination that is influenced by local, national and global events, such as pandemic-related discrimination and incidents of targeting various racial and religious groups. The SEP also seeks enhanced protections for vulnerable workers, such as migrant workers, disabled people, older workers, teenaged workers, and LGBTQ+ individuals. Finally, the SEP seeks to focus on policies and practices that limit substantive rights, discourage or prohibit individuals from exercising their rights under employment discrimination statutes, or impede the EEOC’s investigative or enforcement efforts. For example, this priority includes practices that deter or prohibit filing charges with the EEOC or cooperating freely in EEOC investigations or litigation.

In sum, these additional priorities are geared towards flexibly adopting to the evolving needs of the workforce, to make sure all individuals have uninhibited access to justice.

Implications For Employers

The EEOC’s SEP is an important publication for employers since it previews areas where companies may be targeted for investigations. While the 2023-2027 SEP is currently in draft form, we do not anticipate that there will be any significant overhaul, particularly in regards to the strategic priorities that are analyzed in this blog post. Accordingly, prudent employers should be mindful of these strategic priorities, and get a head-start on compliance if they have not already done so.

January 9, 2023 by Gerald L. Maatman, Jr.

Illinois Appellate Court Affirms Dismissal Of BIPA Class Action Lawsuit

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Takeaways: In Barnett v. Apple Inc., Case No. 1-22-0187, 2022 Ill. App. LEXIS 556 (Ill. App. 1st Dist. Dec. 23, 2022), after a trial court dismissed a biometric privacy class action lawsuit involving the use of facial and fingerprint recognition features, the Illinois Appellate Court affirmed the dismissal order. In an important decision defining the parameters of liability under the Illinois Biometric Information Privacy Act (“BIPA”), the Illinois Appellate Court held that the users of the technology themselves were responsible for possessing, capturing, and collecting their biometric data

For businesses that are confronted with biometric privacy class action allegations in the context of recognition software, this monumental victory for Apple provides an excellent roadmap to attack such claims at the pleading stage.

Case Background

Plaintiffs alleged that Apple violated the Biometric Information Privacy Act, 740 ILCS 14/1 et seq., by offering users of its phones and computers the option of utilizing face and fingerprint recognition features without first instituting a written policy regarding the retention and destruction of the users’ biometric information; and without first obtaining the users’ written consent. Id. at *1-2. Plaintiffs claimed Apple was “in possession of,” “collected,” and “captured,” the users’ biometric information, since Apple designed, owned, and had the ability to remotely update the software. Id. at *2.

On January 3, 2022, the trial court granted Apple’s motion to dismiss. Id. at *9. First, the trial court held that Plaintiffs failed to allege that their biometric information was sent to Apple’s servers or any third party server. Rather, Plaintiffs expressly alleged that the information was stored locally on Plaintiffs’ own devices. Second, the trial court held that Plaintiffs did not allege that Apple stored any of Plaintiffs’ biometric data in Apple databases. Third, the trial court held that it was clear Plaintiffs voluntarily chose to use Face ID and Touch ID features, and could delete their biometric information from their devices if they chose. On February 2, 2022, Plaintiffs filed a timely notice of appeal. Id. at *11.

The Illinois Appellate Court’s Decision

The Illinois Appellate Court affirmed the trial court’s dismissal of Plaintiffs’ complaint. Addressing the issue of “possession,” the Appellate Court explained that the term was not defined in the BIPA statute. Id. at *16. Plaintiffs argued that Apple ‘possesse[d]” their information because Apple software collected and analyzed their information. Id. at *17. Rejecting Plaintiffs’ argument, the Appellate Court opined that based on the facts alleged by Plaintiffs, it seemed as though Apple designed these features with the express purpose of handing control to the user. Id. at *17-18. The Appellate Court also noted that these features were completely elective, explaining that the user must undertake a series of affirmative steps in order to use them. Id. Finally, the Appellate Court found that Plaintiffs’ arguments were not persuasive since Plaintiffs alleged that the information is stored on the users’ own individual devices, and that users may delete the information and disable the features at their convenience. Accordingly, the Appellate Court held that Plaintiffs failed to properly allege that Apple possessed their biometric information.

Turning to the issue of whether Apple collected and captured Plaintiffs’ biometric information, the Appellate Court explained that these terms were also not defined in the BIPA statute. Id. at *20. In support of their proposed definitions, Plaintiffs cited a BIPA class action in the employment context, where the employee plaintiff was required to use the biometric scanner or lose her job. Id. at *22-23 (citations omitted). Rejecting Plaintiffs’ argument, the Court noted that the biometric features in this care were wholly optional, the information was stored exclusively on Plaintiffs’ devices, and Plaintiffs could delete the information at will. Further, the Court noted that Plaintiffs specifically alleged that the information is stored only on their devices. Accordingly, the Appellate Court held that Plaintiffs failed to properly allege that Apple captured and collected their biometric information.

In conclusion, the Appellate Court summarized its findings as follows: “[P]laintiffs do not dispute that the user’s biometric information is stored on the user’s own device; that Apple does not collect or store this information on a separate server or device; that these features are completely optional; that the user is the sole entity deciding whether or not to use these features; that, to enable the features, the user employs his or her own device to capture and collect his or her own biometric information on that device; that, to utilize these features, the user must undertake a number of steps, which are all documented in photos in plaintiffs’ complaint; and that the user has the power to delete this biometric information from the device, at any time, without negatively impacting the device.” Id. at *22-23. Accordingly, the Appellate Court affirmed the trial court’s dismissal of Plaintiffs’ BIPA class action.

Implications For Employers

Facial recognition technology is rapidly becoming more prevalent in both the employment and consumer contexts. This decision underscores the importance of carefully analyzing the allegations in biometric privacy class action pleadings. In situations where users maintain control over their own biometric data, this may be a helpful decision to seek an early exit from the lawsuit. Finally, Apple’s victory further provides some optimism for companies defending biometric privacy class actions, as the recent tide of key decisions has largely been adverse to defendants.

November 14, 2022 by Gerald L. Maatman, Jr.

New Trial Sought Following $228 Million Judgment In Landmark BIPA Class Action

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Synopsis: In Rogers v. BNSF Railway Co., Case No. 19-CV-03083 (N.D. Ill.), the first federal court jury trial in a case brought under the novel Illinois Biometric Information Privacy Act (“BIPA”), the plaintiffs secured a verdict in favor of the class of 45,000 workers against Defendant BNSF. After a week-long trial in the U.S. District Court for the Northern District of Illinois in Chicago, the jury found that BNSF recklessly or intentionally violated the law 45,600 times. The Court thereafter entered against BNSF for $228 million. Post-trial motions are now before the Court, which raise significant issues for all companies that use biometric equipment.

On November 9, 2022, Defendant BNSF Railway Co. filed a motion for a new trial under Rule 59(a) or to reduce the damages award under Rule 59(e). It argues that none of the 45,000 class members suffered any actual harm. It also raised constitutional concerns about the BIPA.

This latest development suggests that BNSF is pulling out all the stops to challenge the precedent-setting $228 million judgment. The outcome of this motion and future appeals will profoundly shape the privacy class action landscape.

Case Background

As we blogged about here, Plaintiff filed a class action lawsuit alleging that BNSF unlawfully required truck drivers entering the Company’s facilities to provide their biometric information through a fingerprint scanner. He claimed that BNSF collected the drivers’ fingerprints without first obtaining informed written consent or providing a written policy that complied with the BIPA and therefore violated sections 15(a) and (b) of the BIPA. BNSF argued that it did not operate the biometric equipment and instead sought to shift blame to a third-party vendor who operated the biometric equipment that collected drivers’ fingerprints.

The case proceeded before a jury in federal court in Chicago. The proceeding was closely watched, as it represented the very first time any class action had gone to a full trial with claims under the BIPA. The trial lasted five days. However, the jurors deliberated for just over an hour. Following the jury’s finding of liability, the Court entered a judgment against BNSF in the amount of $5,000 per violation, for a total amount of $228 million.

BNSF’s Motion For A New Trial Or Amended Judgment

BNSF renewed its motion for judgement as a matter of law pursuant to Federal Rule of Civil Procedure Rule 50(b), following the Court’s denial of BNSF’s Rule 50(a) motion at trial. In the alternative, BNSF moved for a new trial under Rule 59(a), or to reduce the damages award under Rule 59(e).

First, BNSF argues that there was insufficient evidence for the jury to find that BNSF violated the BIPA. Id. at *3. In support of that argument, BNSF cited testimony from its former Director of Technology Services that BNSF did not collect or obtain biometrics from truck drivers in Illinois, that the biometric data was stored on another entity’s server, and that BNSF did not maintain a copy of any of that data. Id. at *4.

Second, BNSF argues that it is entitled to judgment as a matter of law or a new trial, or at least a significant reduction in damages, because there was insufficient evidence for a rational jury to conclude that BNSF violated the BIPA recklessly or intentionally 45,600 times — which is the basis for the $228 million damages award. Id. at *5-6. BNSF claims that there was no evidence that BNSF even learned about the BIPA until April 2019. Therefore, BNSF argued, no rational jury could have inferred from this evidence that BNSF consciously disregarded or intentionally violated the rights of Plaintiff and the class members at any point, much less for the full class period starting in April 2014.

Third, BNSF argued that the Court’s award of $228 million in damages where Plaintiff admits he and the members of the class have suffered no actual harm violates the Due Process Clause and Excessive Fines Clause of the U.S. Constitution. BNSF points out that, “It is undisputed that neither Plaintiff nor any member of the class has suffered any actual harm from any alleged violation of BIPA. Given that the agreed value of the class’s injury is zero dollars, any award would be disproportional to such nonexistent harm.” Id. at *8-9.

Accordingly, BNSF seeks relief that the Court should enter judgment as a matter of law against Plaintiff and in favor of BNSF; or in the alternative, the Court should grant BNSF a new trial, or substantially reduce the damages award against BNSF.

The ball is now in Plaintiff’s court to respond to the motion. Further proceedings will then await the parties after full briefing of the post-trial motion.

Implications For Employers

BNSF’s filing of this motion indicates that the Company will not be going down (to the tune of $228 million) without a fight. The ultimate outcome of this motion, and any potential Seventh Circuit appeals, will be carefully scrutinized by both the plaintiff class action bar and businesses throughout Illinois and beyond.

Employers not only should continue to monitor this groundbreaking privacy class action lawsuit, but also ensure their strategic compliance plans are sufficient in regards to biometric privacy laws.

November 7, 2022 by Gerald L. Maatman, Jr.

Illinois Federal Court Holds Private University Is Exempt From BIPA Regulations

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Takeaway: In an important ruling for higher education entities, Judge Robert Gettleman of the U.S. District Court for the Northern District of Illinois recently dismissed a student’s proposed class action alleging that Defendant’s remote test-proctoring software violated the Illinois Biometric Information Privacy Act (“BIPA”). The Court determined that Defendant DePaul University qualified as a financial institution exempt from the statute. Powell v. DePaul University, No. 21-C-3001, 2022 U.S. Dist. LEXIS 201296 (N.D. Ill. Nov. 4, 2022). Employers in the higher education space who are confronted with biometric privacy class actions can tuck this ruling away for potential use at the pleading stage.

Case Background

Plaintiff alleged that Defendant’s use of the Respondus Monitor, an online remote proctoring tool, violated the BIPA by capturing, using, and storing students’ facial recognition and other biometric identifiers and biometric information. Plaintiff specifically asserted that Defendant did not “disclose or obtain written consent before collecting, capturing, storing, or disseminating user’s biometric data, and failed to disclose what it does with that biometric data after collection, in violation of BIPA’s retention and destruction requirements. Id. at *2.

Defendant moved to dismiss the action pursuant to Rule 12(b)(6) for failure to state a claim. It argued that the BIPA’s express terms specify that it does not apply to financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”). Id. Defendant contended that since it was a participant in the U.S. Department of Education’s Federal Student Aid Program, it is considered a financial institution subject to Title V of the GLBA. Defendant contended that both the Federal Trade Commission (“FTC”) and the Department of Education (“DOE”) have recognized that universities are considered financial institutions under the GLBA. Defendant also asserted that Title V rulemaking authority lies with the Consumer Financial Protection Bureau (“CFPB”), which adopted and republished the privacy rules originally promulgated by the FTC. The FTC rules state that any institution “significantly engaged in financial activities” is a financial institution. Id. at *5.

Plaintiff argued that Defendant was not a financial institution, but rather was in the business of higher education. Thus, Plaintiff contended that Defendant was not subject to Title V, and therefore subject to the BIPA.

The Court’s Decision

The Court granted Defendant’s motion to dismiss. First, the Court noted that at least five other district courts have ruled on the same issue and rejected Plaintiff’s argument, and have determined that the BIPA’s section 25(c) exemption for financial institutions applies to institutions of higher education. Id.

In support of its conclusion, the Court found that the guidance provided by the CFPB included examples demonstrating the word “significantly” means something less than “primary.” Id. at *8. Accordingly, the Court rejected Plaintiff’s argument that the exemption should not apply was because Defendant was not primarily in the financial business. Id.

The Court further explained that the DOE provided issued public guidance in 2020 reiterating that the GLBA required financial institutions to have information privacy protections, and that the FTC “has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA.” Id. at *4-5.

Additionally, the Court opined that the FTC’s rule, made in 2000 when it had enforcement and rulemaking authority under the GLBA, also considered universities to be financial institutions if they “appear to be significantly engaged in lending funds to consumers.” Id. at *6. The Court reasoned that the consistent interpretation of the statute by multiple entities was particularly persuasive in finding that the claims should be dismissed. For these reasons, the Court granted Defendant’s motion to dismiss Plaintiff’s claims with prejudice.

Implications For Employers

In the BIPA class action landscape, federal and state courts in Illinois have rejected many potential affirmative defenses that employers have used to try and stave off these massive cases. However, even though the exemption is somewhat narrow, higher education institutions now have a blueprint to attack BIPA class actions at the pleading stage. Finally, to the extent states beyond Illinois enact similar privacy statutes, this ruling may be of use to higher education institutions in those states that are confronted with class actions.

October 13, 2022October 17, 2022 by Class Action Defense

$228 Million Judgment Entered In First Ever BIPA Class Action Trial Before A Chicago Jury

By: Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Synopsis: In Rogers v. BNSF Railway Co., Case No. 19-CV-03083 (N.D. Ill.), the first federal court jury trial in a case brought under the novel Illinois Biometric Information Privacy Act (“BIPA”), the plaintiffs secured a verdict in favor of the class of 45,000 workers against Defendant BNSF. After a week-long trial in the U.S. District Court for the Northern District of Illinois in Chicago, the jury found that BNSF recklessly or intentionally violated the law 45,600 times, based on the defense expert’s estimated number of drivers who had their fingerprints collected. The Court thereafter entered a judgment against BNSF for $228 million.

This landmark verdict showcases the potentially devastating impact of the BIPA statute on unwary businesses across the state of Illinois that collect, use, or store biometric information.

Case Background

Plaintiff, a truck driver, filed a class action lawsuit alleging that BNSF unlawfully required drivers entering the Company’s facilities to provide their biometric information through a fingerprint scanner. He claimed that BNSF collected the drivers’ fingerprints without first obtaining informed written consent or providing a written policy that complied with the BIPA and therefore violated sections 15(a) and (b) of the BIPA. BNSF argued that it did not operate the biometric equipment and instead sought to shift blame to a third-party vendor who operated the biometric equipment that collected drivers’ fingerprints.

The trial lasted five days. However, the jurors deliberated for just over an hour. The jurors were asked to: (1) indicate on the verdict form whether they sided with Plaintiff, and (2) if so, indicate how many times BNSF violated the BIPA negligently or how many times the company violated the statute recklessly or intentionally.

The BIPA provides for damages of $1,000 for every negligent violation, and up to $5,000 in liquidated damages for every willful or reckless violation. At the conclusion of the trial, the jury found that BNSF recklessly or intentionally violated the law 45,600 times. Accordingly, the Court entered a judgment against BNSF in the amount of $5,000 per violation, for a total amount of $228 million.

Implications For Employers

This verdict undoubtedly will embolden the plaintiffs’ class action bar and equally serve as an eye opener for businesses in Illinois. In the short term, companies can expect an uptick in the number of BIPA class actions filed by the plaintiffs’ bar. While it is almost certain that the verdict will be challenged in post-trial motions and in an appeal, companies can expect that plaintiffs’ lawyers will increase their settlement demands in other BIPA class actions.

The BIPA vastly increases the importance of adopting a strategic compliance plan for businesses that operate in Illinois. It is more important than ever for companies to implement proper mechanisms and consent forms to comply with the BIPA.