Illinois Supreme Court Holds Each Fingerprint Scan Is A Separate BIPA Violation – Thereby Creating The Potential For Increased Damages In Privacy Class Actions

By Gerald L. Maatman, Jr., Alex W. Karasik, Tyler Z. Zmick, and Jennifer A. Riley

Duane Morris Takeaways:  In the latest ruling in Illinois in the biometric privacy class action space, the Illinois Supreme Court decided today in Cothron v. White Castle, 2023 IL 128004 (Ill. Feb. 17, 2023), that a separate claim for damages accrues under the Biometric Information Privacy Act (“BIPA”) each time a private entity scans or transmits an individual’s biometric identifier or information, in violation of section 15(b) or 15(d).

This ruling could exponentially increase monetary damages in class actions brought under the BIPA, especially in the employment context, where employees scan in and out of work multiple times per day for several hundred days per year.

Case Background

Plaintiff alleged that after she started working at White Castle in 2004, the company required her to use a fingerprint-based system to access the workplace computer she used in her position as a manager.  Plaintiff sued White Castle several years later in 2018, alleging that the company violated Sections 15(b) and 15(d) of the BIPA in connection with the fingerprint-based system by (i) collecting her biometric data without providing her with the requisite notice and obtaining her written consent, and (ii) disclosing her biometric data without consent.

After removing the complaint to the U.S. District Court for the Northern District of Illinois, White Castle moved for judgment on the pleadings on the basis that Plaintiff’s claims were untimely.  Specifically, White Castle argued that Plaintiff’s BIPA claims accrued in 2008 (when her first fingerprint scan occurred after the BIPA took effect), yet she did not file her complaint until 2018.  The District Court rejected White Castle’s one-time-only theory of claim accrual, holding that the lawsuit was timely because each separate unauthorized fingerprint scan constituted an independent violation of the statute, meaning Plaintiff’s BIPA claims were timely because her last fingerprint scan occurred within five years of the filing of her complaint.  Because the issue presented a close call, however, the District Court permitted White Castle to file an interlocutory appeal with the Seventh Circuit regarding whether Section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits a scan to a third party, respectively, or only upon the first scan and first transmission.

The U.S. Court of Appeals for the Seventh Circuit accepted the interlocutory appeal. Id. ¶ 9. After determining that Plaintiff had standing to bring her action in federal court under Article III of the U.S. Constitution, the Seventh Circuit addressed the parties’ respective arguments on the accrual of a claim under the Act.  Id.  Ultimately, the Seventh Circuit found the parties’ competing interpretations of claim accrual reasonable under Illinois law, and it agreed with Plaintiff that “the novelty and uncertainty of the claim-accrual question” warranted certification of the question to the Illinois Supreme Court.  Id. at 1165-66.  The Seventh Circuit “observed that the answer to the claim-accrual question would determine the outcome of the parties’ dispute, this court could potentially side with either party on the question, the question was likely to recur, and it involved a unique Illinois statute regularly applied by federal courts.”  Id.

The Illinois Supreme Court’s Decision

In a 4-3 split ruling, the Illinois Supreme Court held today that a separate claim accrues under the BIPA each time a private entity scans or transmits an individual’s biometric identifier or information, in violation of section 15(b) or 15(d).  First, the Illinois Supreme Court analyzed the certified question with respect to Section 15(b), which provides that no private entity “may collect, capture, purchase, receive through trade, or otherwise obtain” a person’s biometric data unless it first provides notice and receives written consent.  740 ILCS 14/15(b).  Relying on the plain language of the statute and the fact that the actions of “collecting” and “capturing” biometric data can occur more than once, the Supreme Court agreed with Plaintiff’s interpretation – namely, that Section 15(b) “applies to every instance when a private entity collects biometric information without prior consent.”  Id. ¶¶ 19, 23.  As interpreted in the context of the facts of the case, the Supreme Court further observed that White Castle obtains an employee’s fingerprint, stores it in its database, and then compares the fingerprint taken during subsequent scans to verify the identity of the employee.  In the Supreme Court’s words, White Castle “fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub.”  Id. ¶ 23.  Accordingly, consistent with the District Court’s decision in Cothron and the Illinois Appellate Court’s conclusion in Watson, 2021 IL App (1st) 210279, ¶ 46, the Illinois Supreme Court held that an entity violates Section 15(b) the first time it collects biometric data without having provided the requisite notice and obtaining consent, in addition to “each subsequent scan or collection.”  Id. ¶ 24.

Next, closely tracking its analysis of Section 15(b), the Supreme Court similarly held that BIPA Section 15(d) – which prohibits the disclosure, redisclosure, or dissemination of biometric data without consent – “applies to every transmission to a third party.”  Id. ¶ 28. Like the verbs “collect” and “capture” in Section 15(b), the acts of disclosing and redisclosing biometric data occur upon the initial disclosure in addition to any subsequent disclosure or redisclosure of the data.  See id. ¶ 29 (“A fingerprint scan system requires a person to expose his or her fingerprint to the system so that the print may be compared with the stored copy, and this happens each time a person uses the system.”).

The majority opinion also rejected White Castle’s remaining “nontextual” arguments supporting its single-accrual interpretation.  White Castle argued that a BIPA claim accrued only upon the initial collection or disclosure of a person’s biometric data because an individual loses the right to control his or her biometric data as soon as the data is collected and/or disclosed.  In rejecting the argument, the Supreme Court again relied on the statute’s plain language, stating: “[n]o such limitation appears in the statute.  We cannot rewrite a statute to create new elements or limitations not included by the legislature.”  Id. ¶ 39.

Next, the Supreme Court turned to White Castle’s argument that, in light of the BIPA’s liquidated damages provision, interpreting the statute to mean an entity violates Sections 15(b) and 15(d) every time it collects or discloses biometric data means that, because “a party may recover for ‘each violation,’ allowing multiple or repeated accruals of claims by one individual could potentially result in punitive and ‘astronomical’ damage awards that would constitute ‘annihilative liability’ not contemplated by the legislature and possibly be unconstitutional.”  Id. ¶ 41.  For example, White Castle estimated that if Plaintiff was successful and allowed to bring her claims on behalf of as many as 9,500 current and former White Castle employees, classwide damages in her action may exceed $17 billion.  Once again, the Supreme Court rejected White Castle’s argument because the statutory language is clear and supports plaintiff’s position.  See id. ¶ 40 (“As the district court observed, this court has repeatedly held that, where statutory language is clear, it must be given effect, “ ‘even though the consequences may be harsh, unjust, absurd or unwise.’ ” (Emphasis omitted.) Cothron, 477 F. Supp. 3d at 734 (quoting Peterson v. Wallach, 198 Ill. 2d 439, 447 (2002)).”).

Importantly, however, the Supreme Court acknowledged that trial courts could exercise their discretion to reduce the amount of statutory damages that plaintiffs can recover. Id. ¶ 42.  In closing, the Supreme Court reiterated the position that White Castle’s “policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature,” and it “suggest[ed] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.”  Id. ¶ 43.  Accordingly, the Illinois Supreme Court concluded that the plain language of section 15(b) and 15(d) shows that a claim accrues under the BIPA with every scan or transmission of biometric identifiers or biometric information without prior informed consent.

The Dissent

Notably, three Illinois Supreme Court Justices, including Chief Justice Theis, joined the Dissenting Opinion.  Of note, the Dissent opined that two significant consequences militate against the majority’s construction.  Id. ¶ 60.  First, under the majority’s rule, plaintiffs would be incentivized to delay bringing their claims as long as possible, since “If every scan is a separate, actionable violation, qualifying for an award of liquidated damages, then it is in a plaintiff’s interest to delay bringing suit as long as possible to keep racking up damages.”  Id.  Second, the Dissent noted that, “the majority’s construction of the Act could easily lead to annihilative liability for businesses.”  Id. at ¶ 61.

In sum, the Dissent commented that, “Imposing punitive, crippling liability on businesses could not have been a goal of the Act, nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm.”  Id. ¶ 63.  To this point, the Dissent opined that there is “nothing in the Act indicating that the legislature intended to impose cumbersome requirements or punitive, crippling liability on corporations for multiple authentication scans of the same biometric identifier. The legislature’s intent was to ensure the safe use of biometric information, not to discourage its use altogether.”

Implications For Employers

Following the Illinois Supreme Court’s similar pro-plaintiff ruling in Tims v. Black Horse Carriers, 2023 IL 127801 (Ill. Feb. 2, 2023), which applied a five-year statute of limitations to the BIPA instead of a one-year statute of limitations, the well is beginning to dry for businesses in terms of potential BIPA class action defenses. While employers can still explore novel exemptions, such as information captured from a patient in a health care setting, most companies caught in the crosshairs of BIPA class actions will be facing monumental amounts of potential damages.

Businesses confronted with BIPA class actions may need to explore alternative potential defenses, such as the constitutionality of the overbearing damages thresholds.  Companies will also likely push for legislative changes.  Nonetheless, given the bleak outlook of the law as it stands, it is imperative for businesses to immediately ensure they are compliant with the BIPA.

DMCAR Trend # 8 – Courts Continued To Grapple With Problems Of Standing And Uninjured Class Members

By Gerald L. Maatman, Jr. and Jennifer A. Riley  

Duane Morris Takeaway: During 2022, courts continued to grapple with the rules that govern the certification of classes that contain uninjured class members. Various cases climbed to the federal circuit level, with varying results, and the U.S. Supreme Court once again declined to take up the issue, making uninjured class members a continued topic of disagreement and debate for 2023.

By definition, individuals who did not suffer injury as the result of the defendant’s conduct cannot maintain claims, and courts do not have the power to award them relief. As the U.S. Supreme Court reiterated in its seminal 2020 decision in TransUnion, “Article III does not give federal courts the power to order relief to any uninjured plaintiff, class action or not.” TransUnion LLC v. Ramirez, et al., 141 S.Ct. 2190, 2208 (quoting Tyson Foods v. Bouaphakeo, et al., 577 U.S. 442, 466 (2016) (Roberts, C.J., concurring)). In this respect, the “plaintiffs must maintain their personal interest in the dispute at all stages of the litigation . . . And standing is not dispensed in gross; rather, plaintiffs must demonstrate standing for each claim that they press and for each form of relief that they seek.” Id.

Courts, however, continue to grapple with the application of these concepts in the class certification context and, in particular, they disagree over whether, to certify a class, a plaintiff must demonstrate that every putative class member has standing or, stated differently, must demonstrate that the class excludes those individuals who did not suffer harm. In TransUnion, the Supreme Court expressly left open the question of “whether every class member must demonstrate standing before a court certifies a class.” Id. at n.4. Such a requirement has significant consequences for the class action landscape and, as a result, multiple federal circuits considered the issue over the past year.

In Drazen, et al. v. Pinto, 41 F.4th 1354 (11th Cir. 2022), for example, the Eleventh Circuit vacated and remanded an order approving a class settlement after finding that some settlement class members did not experience an Article III injury. The plaintiffs filed suit alleging that the defendant violated the Telephone Consumer Protection Act by sending unwanted calls and text messages. Although the Eleventh Circuit previously held that a single unauthorized text message is not sufficient for an Article III injury, the district court approved the settlement on the basis that “only the named plaintiffs must have standing.” Id. at 1357. Although only about 7% of the settlement class members had received a single text, the Eleventh Circuit reversed. Applying TransUnion, it explained that, when plaintiffs seek certification, they must limit the class definition “to those individuals who have Article III standing.” Id. at 1361. Because the settlement class may have included individuals who received a single unwanted text message, the Eleventh Circuit held that approving the settlement would allow “individuals without standing [to] receiv[e] what is effectively damages in violation of TransUnion.” Id. at 1362. The Eleventh Circuit remanded to provide the parties an opportunity to revise the class definition.

In Hyland, et al. v. Navient Corp., 48 F.4th 110 (2d Cir. 2022), the Second Circuit confronted a similar issue in the context of a non-monetary settlement and reached the opposite result. The plaintiffs, a group of public servants with loans that the federal Public Service Loan Forgiveness program did not forgive, filed suit claiming that the defendant loan service companies misled them regarding their eligibility for the program. Id. at 115. The parties reached a nationwide non-monetary settlement that preserved class members’ rights to file individual claims for money damages. Id. at 114. The district court approved the settlement, and a group of objectors appealed. On appeal, the objectors argued that because “[s]ome class members were no longer using the company to service their loans when the class was certified . . . the class as a whole. . . lacked standing to pursue injunctive relief.” Id. at 117. The Second Circuit rejected that argument. It held that “[s]tanding is satisfied so long as at least one named plaintiff can demonstrate the requisite injury.” Id. at 117-18. It reasoned that, because the plaintiffs alleged that they “continued to rely on [the company] for information about repaying their student loans,” they plausibly alleged that they “were likely to suffer future harm.” Id. at 118. The Second Circuit concluded that these allegations were “enough to confer standing on the entire class” and affirmed the district court’s order. Id. (citing Amado, et al. v. Andrews, 655 F.3d 89, 99 (2d Cir. 2011) (“In a class action, once standing is established for a named plaintiff, standing is established for the entire class.”)).

In Bowerman, et al. v. Field Asset Services, Inc., 39 F.4th 652 (9th Cir. 2022), the Ninth Circuit considered what happens when the plaintiffs cannot define their class so as to exclude uninjured class members. The plaintiff filed suit on behalf of a putative class of workers alleging that the defendant misclassified them as independent contractors rather than employees and, as a result, improperly failed to pay them overtime and failed to reimburse their business expenses. Id. at 657. The district court granted class certification, and the Ninth Circuit reversed. The plaintiffs did not dispute that they lacked common proof that putative class members worked overtime hours or incurred reimbursable expenses, but argued that, under Ninth Circuit precedent, “the presence of individualized damages cannot, by itself, defeat class certification.” Id. at 661-62 (quoting Leyva, et al. v. Medline Industries Inc., 716 F.3d 510, 514 (9th Cir. 2013)). The Ninth Circuit disagreed. It distinguished between “the calculation of damages and the existence of damages in the first place.” Id. at 662.

Quoting its decision in Castillo, et al. v. Bank Of America, NA, 980 F.3d 723, 730 (9th Cir. 2020), the Ninth Circuit noted that “if the plaintiffs cannot prove that damages resulted from the defendant’s conduct, then the plaintiffs cannot establish predominance.” The Ninth Circuit concluded that the defendant’s liability to any class member for failing to pay overtime wages or to reimburse business expenses “would implicate highly individualized inquiries on whether that particular class member ever worked overtime or ever incurred any ‘necessary’ business expenses” and, under such circumstances, class certification is improper.

Further contributing to the divergence of case law precedents, in Olean Wholesale Grocery Cooperative, Inc., et al. v. Bumble Bee Foods, LLC, 31 F.4th 651 (9th Cir. 2022), in an en banc decision, the Ninth Circuit ruled 9 to 2 to uphold an order certifying a class that potentially included a significant number of uninjured class members. The plaintiffs brought suit against Starkist alleging that it engaged in a price-fixing scheme from 2011 to 2013 that led to their paying supra-competitive prices for tuna products. The district court granted class certification. After a panel vacated the order, the Ninth Circuit agreed to hear the case en banc and affirmed the ruling. Both parties presented expert testimony regarding antitrust impact, but their experts disagreed as to whether 28% of the class members could rely on the plaintiffs’ model to show injury attributable to the alleged conspiracy. Similar to Bowerman, the Ninth Circuit addressed the issue as one of predominance, noting that, when individualized questions relate to “the injury status of class members,” Rule 23(b)(3) requires that the court determine whether individualized inquiries about such matters predominate over common questions. Id. at 668.

The Ninth Circuit rejected the argument that Rule 23 does not permit a district court to certify a class that potentially includes more than a de minimis number of uninjured class members, reasoning that Rule 23(b)(3) “requires only that the district court determine after rigorous analysis whether the common question predominates over any individual questions, including individualized questions about injury or entitlement to damages.” Id. at 669. The Ninth Circuit noted that, here, the defendants did not show that 28% of the class members were uninjured. Rather, the defendants disputed whether class members with no or limited transactions during the benchmark period could rely on the plaintiffs’ model. The district court was not required to resolve the dispute; rather, if the jury were persuaded by the critique, it could conclude that the plaintiffs had failed to prove antitrust impact on a class-wide basis, but “[i]n neither case would the litigation raise individualized questions regarding which members of the class had suffered an injury.” Id. at 681.

In August 2022, Starkist filed a petition with the U.S. Supreme Court asking it to strike down the decision and to elucidate the circumstances in which a court may or may not certify a class that includes a significant number of class members who were never injured by the alleged harm. On November 14, 2022, however, the U.S. Supreme Court turned down the request. Hence, the issue remains one that divides lower federal courts, thereby fueling uncertainty on an important class action issue.

If a defendant’s showing that one or more members of the defined class did not suffer a concrete harm can defeat class certification, such a showing is a potent tool for the defense.

As a result, while 2022 saw the further development of the defense, corporate defendants are likely to see continued litigation over this issue during the upcoming year.

Dior Dismissed From Illinois BIPA Class Action Lawsuit Challenging Virtual Try-On Technology

By Kelly A. Bonner, Alex W. Karasik, Gerald L. Maatman, Jr., and Jennifer A. Riley

Duane Morris Takeaways: In a significant win for fashion and beauty retailers in the privacy class action space, in Warmack-Stillwell v. Christian Dior Inc., No. 1:22-CV-04633, 2023 U.S. Dist. LEXIS 22926 (N.D. Ill. Feb. 10, 2023), an Illinois federal court held that an exemption to the Illinois Biometric Information Privacy Act (“BIPA”) for data captured from a patient in a health care setting barred proposed class action claims alleging that luxury giant Christian Dior Inc.’s (“Dior”) virtual try-on tool (“VTOT”) violated the BIPA.

Businesses in Illinois, particularly online fashion and beauty retailers, can use this ruling to attack BIPA claims involving VTOT technology.

Case Background

As discussed in our previous publications, lawsuits involving BIPA claims and eyewear have been dismissed under one of BIPA’s statutory exemptions, which in relevant part excludes from its definitions of biometric identifiers and biometric information: (1) information captured from a patient in a health care setting; or (2) information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996, including prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses.

Plaintiff alleged that Dior maintained a VTOT feature on its website that collected users’ facial geometry data without first obtaining written consent or informing users of the purpose and length of time that their data was being collected in violation of Section 15(b) of BIPA. Plaintiff also alleged that Dior failed to provide a publicly available data retention and destruction schedule, as required by Section 15(a) of BIPA.

Dior moved to dismiss Plaintiff’s complaint on the basis that the BIPA’s health care exemption applied to non-prescription sunglasses, such as the ones sold by Dior and which the plaintiff alleged that she tried on with the VTOT technology, and thus precluded Plaintiff’s claims.

Plaintiff countered that the sunglasses were fashion accessories; Dior’s website was not a health care setting; and Dior’s consumers were not patients. Plaintiff also sought to distinguish prior decisions applying the BIPA’s health care exemption as focusing on the VTOT technology being used for prescription glasses, akin to optometrist fittings, and not in connection with the purchase of luxury sunglasses.  Id. at *8.

The Court’s Decision

The Court granted Dior’s motion to dismiss under Rule 12(b)(6).  First, the Court explained that Plaintiff qualified as a “patient in a health care setting” under the dictionary definition of the term “patient,” and that Dior’s VTOT feature “facilitates the provision of a medical device that protects vision.” Id. at *8.  Similarly, the Court held that use of the VTOT technology constituted “health care,” which the dictionary defined as “efforts made to maintain or restore physical, mental, or emotional well-being especially by trained and licensed professionals.”  Id. at *9.

In addition, the Court reasoned that the relevant test was “not a user’s subjective understanding, but rather an objective application of the text of the exemption.” Id. at *8-9.  The Court opined that the outcome of the analysis should not change if a consumer uses the VTOT in search of primarily stylish sunglasses rather than protective ones.

Plaintiff attempted to distinguish Dior’s website from a “health care setting” by arguing that “[a]n artist prepping a canvas is not providing a health care service if they use a scalpel instead of an Xacto knife.”  Id. at *9.  As to that point, the Court concluded that the VTOT feature facilitated the purchase of sunglasses to wear on one’s face and protect one’s eyes, thus performing the product’s intended medical function rather than an unconventional purpose.

Similarly, the Court rejected Plaintiff’s attempts to analogize her case to BIPA suits against blood plasma centers, in which courts rejected application of the health care exemption.  Even if the cases applied the same definitions of “health care” and “patient,” the Court concluded that the removal of plasma for commercial purposes is not “health care because the purpose — at least from the plasma donors’ perspectives — was not to ‘maintain or restore physical, mental or emotional well-being’; it was to get paid.”  Id. at *11.

Finally, the Court notably denied Dior’s motion to dismiss under Rule 12(b)(1), rejecting Dior’s argument that Plaintiff failed to allege an injury-in-fact sufficient for Article III standing. The Court concluded that Plaintiff sufficiently alleged an injury-in-fact under Section 15(a) because “unlawful retention of a person’s biometric data is as concrete and particularized an injury as an unlawful collection of a person’s biometric data.”  Id. at *11.

Accordingly, the Court granted Dior’s motion to dismiss on Rule 12(b)(6) grounds, but rejected Dior’s Article III standing argument and denied its motion based on Rule 12(b)(1).

Implications for Retailers

The Court’s decision in Warmack is a solid victory for fashion and apparel retailers, and indicates that courts are willing to expand the BIPA’s healthcare exemption to more retail-oriented environments, and adopt a plain reading of the statute rather than seeking to discern legislative intent. This ruling could have significant implications for personal care products retailers, especially those who utilize VTOT features to assess skin complaints such as aging and hyperpigmentation and to recommend treatments, and it raises the question of whether those defenses will draw regulatory scrutiny for purported “drug” claims.

In the meantime, retailers should stay abreast of biometric data privacy laws in Illinois and beyond, and ensure that their privacy policies stay current with evolving nationwide legislation.

Trend # 6 – Privacy Class Actions Became An Intense Focus Of The Plaintiffs’ Class Action Bar

By Gerald L. Maatman, Jr. and Jennifer Riley

Duane Morris Takeaway: Privacy litigation – in a multitude of forms and theories – revealed itself as the hottest area of growth in terms of activity by the plaintiffs’ class action bar in 2022. The new year started off with a huge privacy ruling from the Illinois Supreme Court in Tims, et al. v. Black Horse Carriers, Case No. 127801 (Ill. Feb. 2, 2023), in which it held that a five-year statute of limitations applies to BIPA claims.

The Illinois Biometric Privacy Act Continued To Drive Lawsuits

In 2022, the plaintiffs’ class action bar continued to focus on businesses and vendors utilizing biometric technology and filed numerous class action lawsuits based on the Illinois Biometric Information Privacy Act, 740 ILCS 14/15 (BIPA).

Enacted in 2008, the BIPA regulates the collection, use, and handling of biometric identifiers and information by private entities. Subject to limited exceptions, the BIPA generally prohibits the collection or use of an individual’s biometric identifiers and biometric information without notice, written consent, and a publicly-available retention and destruction schedule.

Although Texas and Washington have implemented similar biometric protections, the BIPA provides for a private cause of action with aggressive statutory penalties allowing for $1,000 per violation and $5,000 per intentional or reckless violation. Because of this damages provision, the plaintiffs’ bar files almost all BIPA lawsuits as class actions. Plaintiffs have focused more than one-third of BIPA cases on fingerprinting and have focused roughly a quarter on facial recognition surveillance.

The most noteworthy BIPA case of the year was Rogers, et al. v. BNSF Railway Co., Case No. 19-CV-3083 (N.D. Ill.), the first federal jury trial in a case brought under the BIPA. After a week-long trial in the U.S. District Court for the Northern District of Illinois, a jury found that BNSF recklessly or intentionally violated the law 45,600 times and entered a verdict in favor of the class of 45,000 workers. The court thereafter awarded damages against BNSF of $228 million. BNSF subsequently filed a motion for a new trial arguing that none of the 45,000 class members suffered any actual harm and raising constitutional concerns about the BIPA. That motion remains pending for decision, and is almost sure to result in an appeal in 2023.

As BIPA class actions proliferate and businesses struggle to defeat such claims, the Illinois Supreme Court in early 2023 clarified the scope of the statute of limitations applicable to the BIPA in Tims, et al. v. Black Horse Carriers, Case No. 127801 (Ill. Feb. 2, 2023). The Illinois Supreme Court held that a five-year statute of limitations applies to claims under the BIPA. This ruling adds to the risks for employers and companies who do business in Illinois in terms of BIPA class action exposures. Given that the BIPA statute does not have an explicit statute of limitations, the Illinois Supreme Court’s ruling now provides clarity for litigants and attorneys in this space as to the scope of the putative classes in their lawsuits.

If employers have not already done so, now is the time to make sure their timekeeping procedures and consent policies are legally compliant. The Tims ruling is apt to increase the plaintiff class action bar’s appetite for BIPA claims, so it is more important than ever for employers to make sure their procedures are legally sound.

The Illinois Supreme Court is also due to issue its decision in Cothron v. White Castle System, Inc., No. 1280004 (Ill.), which will decide whether each fingerprint scan is its own discrete violation.  An adverse finding in Cothron could enhance BIPA class action exposures. In Cothron, et al. v. White Castle Systems, 2021 U.S. App. LEXIS 37593 (7th Cir. Dec. 20, 2021), the Seventh Circuit asked the Illinois Supreme Court to provide much-needed clarification on the accrual of BIPA violations, specifically whether certain BIPA claims accrue only once upon the initial collection or disclosure of biometric information or whether a claim accrues each time a company collects or discloses biometric information.

The Illinois Supreme Court likely will rule on these key BIPA matters in the early part of 2023 and the statute will continue to drive class action litigation. Its technical requirements, combined with stiff statutory penalties and fee-shifting, provide a recipe for attention from the plaintiff’s class action bar, and companies’ continued development and use of innovative technologies are apt to provide a veritable barrel of opportunity.

Class Action Suits Alleging Wiretapping Violations

A new wave of class action lawsuits filed in California, Florida, Massachusetts, and Pennsylvania targeted companies that use technologies to track user activity on their websites, based on the theory that such practices violate electronic interception provisions of various state laws when done without consent.

The plaintiffs’ bar grounded these claims in the electronic interception provisions of various state laws. Wiretap statutes like the California Invasion of Privacy Act, the Pennsylvania Wiretapping and Electronic Surveillance Act, and the Florida Security of Communications Act generally prohibit the unauthorized interception or disclosure of communications transmitted electronically.

The plaintiffs’ bar targeted technologies that track a user’s interactions with the website (e.g., clicking, scrolling, swiping, hovering and typing) and create a recording of those interactions and inputs – known as session replay software. They also attacked coding tools that create and store transcripts of conversations with users in a website’s chat feature. The plaintiffs in this new string of class actions allege that recording their interactions with a website and sending that recording to a third party for analysis without their consent is an illegal invasion of their privacy.

Recent decisions from the Ninth and Third Circuits fueled the swell of lawsuits alleging violations of these wiretap statutes. In May 2022, in Javier, et al. v. Assurance IQ, LLC, 2022 U.S. App. LEXIS 14951 (9th Cir. May 31, 2022), the Ninth Circuit held that the California Invasion of Privacy Act requires prior consent and explicitly rejected the argument that this wiretap statute allows a business to obtain consent to the use of session replay software after the recording already has begun. The Ninth Circuit, however, did not comment on what would amount to effective consent to the use of session replay software under the wiretap statute.

A few months later, the Third Circuit in Popa, et al. v. Harriet Carter Gifts, 2022 U.S. App. LEXIS 22707 (3d Cir. Aug. 16, 2022), ruled that an electronic interception violating the Pennsylvania Wiretapping and Electronic Surveillance Act occurred when the plaintiff visited a website to purchase a product and her interactions on that site were recorded and transmitted to a third-party marketing firm.

The Third Circuit concluded that the location of the interception was plaintiff’s browser, and it rejected the defendants’ argument that the wiretap statute did not apply because the third-party marketing firm’s servers – where the information was sent – were located in Virginia. If other circuits follow the Third Circuit’s approach, it could subject companies to liability under a state wiretap statute each time a user accesses its website from that state.

In each of the three lawsuits brought thus far in Pennsylvania, the class consisted of allegedly more than 5,000 individuals. This new wave of lawsuits alleging wiretap violations threatens to subject businesses to a substantial amount in penalties, including fines ranging from $1,000 to $50,000 per violation, depending on the state. If a violation occurs every time a user accesses a website in one of these states, the amount of penalties to which a company may be subject can balloon quickly.

More State Legislation Created And Expanded Data Privacy Rights

While Congress has refrained from addressing data privacy through federal legislation, many states have enacted their own laws, and 2022 saw significant state legislative activity regarding data privacy with five states preparing for new privacy laws to take effect in 2023, including California, Colorado, Connecticut, Utah, and Virginia.

On the heels of California’s enactment of the California Consumer Privacy Act (CCPA) in 2020, California businesses will need to comply with all requirements of the California Privacy Rights Act (CPRA) effective January 1, 2023. The CPRA expands the current CCPA private right of action by authorizing consumers to bring lawsuits arising from data breaches involving additional categories of personal information and is arguably the strictest data privacy law in the United States, which places California privacy law closer, in many respects, to Europe’s GDPR. With potential statutory damages ranging from $100 to $750 per consumer per incident, and breaches often involving hundreds of thousands or even millions of users, these types of claims will almost certainly lead to a sharp rise in class action litigation.

Virginia, Colorado, Connecticut, and Utah likewise enacted sweeping data privacy laws that will roll out in 2023. These laws are all similar in structure, but unlike California’s statute, which allows an individual to sue a company for alleged violations, enforcement will be left to the respective state attorneys general. Each of these laws provides for expanded consumer rights related to their data, including: (i) Right of access (i.e., allows for a consumer to access from a business/data controller the information or categories of information collected about a consumer); (ii) Right of deletion (i.e., right for a consumer to request deletion of personal information about the consumer under certain conditions); (iii) Right to opt-out (i.e., allows for a consumer to opt out of the sale of personal information about the consumer to third parties); (iv) Right of portability (i.e., allows for a consumer to request personal information about the consumer be disclosed in a common file format); and (v) Notice and transparency requirements (i.e., an obligation placed on a business to provide notice to consumers about certain data practices, privacy operations, and/or privacy programs).

The approach each state attorney general takes regarding enforcement of these new laws will provide lessons for other states looking to regulate consumer privacy in the absence of a federal standard and almost certainly will be closely monitored by the plaintiffs’ bar, as it attempts to draw from favorable rulings and to anticipate which state will enact the next plaintiff-friendly data privacy laws.

28 U.S.C. §1292(b), Rule 23(f) does not require the district court to certify an issue for appeal. Moreover, Rule 23(f) does not include the potentially limiting requirements of Section 1292(b), under which the district court can certify an issue for appeal only where an order “involve[s] a controlling question of law as to which there is substantial ground for difference of opinion” and where “an immediate appeal from the order may materially advance the ultimate termination of the litigation.”

Finally, class action litigants can appeal final orders issued by the district court under 28 U.S.C. § 1291, which states that “courts of appeals (other than the United States Court of Appeals for the Federal Circuit) shall have jurisdiction of appeals from all final decisions of the district courts of the United States.”

DMCAR Trend #5 – Government Enforcement In 2022 Took A Back Seat

By Gerald L. Maatman, Jr. and Jennifer Riley

Duane Morris Takeaway: Over the past year, the Biden Administration continued to roll out changes on several fronts as it aimed to expand the rights, remedies, and procedural avenues available to workers. During 2022, such efforts fueled litigation. With its decision in West Virginia v. Environmental Protection Agency, 142 S.Ct. 2587 (2022), the U.S. Supreme Court imposed another hurdle to agency rule-making. Meanwhile, government enforcement litigation activity took a back seat.

Over the past two years, the U.S. Department of Labor, in particular, has continued to roll out worker-friendly rules that could have a cascading impact on workplace class actions, including rules designed to wipe out the pro-business policies of the Trump Administration. Such efforts continued on multiple fronts in 2022, including with respect to rules regarding businesses’ utilization of independent contractors and their use of the tip credit.

As to the former, effective January 6, 2021, the DOL during the Trump Administration adopted an Independent Contractor Rule that addressed the circumstances under which a worker qualifies as an independent contractor. The Rule arguably made it easier for companies, including companies operating in the gig economy, to utilize independent contractors. Although the DOL under the Biden Administration withdrew the Rule in May 2021, in March 2022, a federal district court in Texas found the DOL’s withdrawal of the Rule unlawful. Although the DOL appealed the decision in May 2022, it later abandoned the appeal and, instead, on October 13, 2022, the DOL issued a proposed new rule on independent contractor status. It described the proposed framework as “more consistent with longstanding judicial precedent” and stated that the DOL “believes the new rule [will] preserve essential worker rights and provide consistency for regulated entities.” The rule is likely to fuel further litigation in 2023 and have a cascading impact on the workplace class action landscape as it impacts litigation and potential recoveries.

The DOL’s efforts to regulate use of the tip credit have met similar controversy. The FLSA, at 29 U.S.C. § 203(m), permits an employer to use the tips received by tipped workers to satisfy a portion of its minimum wage obligation. In 1988, however, the DOL added a rule (the 80/20 Rule) to its Field Operations Handbook that purported to require employers to pay employees at the full minimum wage rate for time spent performing non-tip-producing tasks that exceeded 20% of their workweek. Multiple courts attempted to apply this guidance so as to require employers to separate tasks performed by tipped workers into categories of tip-producing, non-tip-producing, and unrelated tasks, and the ensuing litigation over these issues has plagued the hospitality industry, in particular, over the past decade.

In November 2018, the DOL under the Trump Administration issued an opinion letter withdrawing the 80/20 Rule and, in February 2019, it amended the Field Operations Handbook to include a “reasonable time” standard, explaining that “an employer of an employee who has significant non-tip related duties which are inextricably intertwined with [his or her] tipped duties should not be forced to account for the time that employee spends doing those intertwined duties.” In December 2020, the DOL issued the Tip Regulations Final Rule. After twice delaying the effective date of the Final Rule, on October 23, 2021, the DOL under the Biden Administration withdrew and replaced the Final Rule. In doing so, the DOL resurrected the 80/20 Rule and purported to limit the tip credit to non-tip-producing work that directly supports tip-producing work and does not exceed “a continuous period” of 30 minutes. The new rule went into effect on December 28, 2021. In 2022, the Restaurant Law Center and Texas Restaurant Association filed suit seeking to invalidate the new final rule. On February 22, 2022, the U.S. District Court for the Western District of Texas denied their much-watched emergency motion seeking to enjoin nationwide enforcement of the new final rule but did not issue a ruling on the merits, and the appeal remains pending in the Fifth Circuit. The results are apt to fuel additional litigation in 2023.

The ultimate result is apt to elucidate the limits of agency rule-making authority and test the impact of the U.S. Supreme Court’s recent ruling in West Virginia v. Environmental Protection Agency, 142 S.Ct. 2587 (2022). In that case, the Supreme Court considered the validity of the Environmental Protection Agency’s new Affordable Clean Energy (ACE) Rule that was promulgated under the Clean Air Act (CAA). It held that, under the major questions doctrine, the agency must point to “clear congressional authorization” for the authority it claims. The government failed to offer such authorization, instead pointing to a “vague statutory grant” that the Supreme Court found “not close to the sort of clear authorization required by our precedents.” Id. at 2614.

The changing tide of the Biden Administration’s policies has been slow to impact other areas. Whereas the DOL acted swiftly to reverse course on many fronts, over most of the past year, the EEOC continued to operate with a Trump-appointed majority of commissioners.

Although President Biden quickly named two Democrats for the five-member Commission, Charlotte E. Burrows and Jocelyn Samuels, as Chair and Vice Chair, respectively, the Commission retained a Republican-appointed majority until former chair Janet Dhillon’s resignation on November 18, 2022. Although such expiration opened the door to a Democratic-appointed majority, the Senate has not yet confirmed a replacement.

As the DOL continued efforts to work an about-face on the rule-making front, the EEOC’s year-over-year activity remained fairly steady. During fiscal year 2022, the EEOC filed 94 lawsuits, including 92 merits lawsuits and two subpoena enforcement actions.  This number marked a significant decrease from the filings during fiscal year 2021, when the EEOC filed 124 lawsuits, including 116 merits lawsuits. This year’s filing data more closely resembles fiscal year 2020, when the EEOC filed 97 total lawsuits, including 93 merits lawsuits.

Notably, the EEOC’s California district offices in San Francisco and Los Angeles combined for 13 filings this past year, which is identical to the combined 13 cases they filed in fiscal year 2021.

According to the EEOC, it filed 13 systemic lawsuits this past year, the same number it filed during fiscal year 2021.  The EEOC reported that it has 29 pending systemic cases, which accounted for 16% of the EEOC’s docket in fiscal year 2021. This data has not yet been published for fiscal year 2022.

In contrast, by the end of FY 2018, the EEOC had 71 systemic cases on its active docket, two of which included over 1,000 victims, and systemic cases accounted for 23.5% of its active lawsuits in that year, likely reflecting a stalling in the ability of its Democratic-appointed members to push this aspect of the EEOC’s agenda.

Comparing its monetary recovery to previous years, the EEOC recovered $535.5 million in all types of cases in FY 2020, $486 million in FY 2019, and $505 million in FY 2018.

In sum, whereas companies continued to see pro-business rules promulgated by the Trump Administration withdrawn and overwritten in 2022, courts continued to impose hurdles to agency rulemaking, the success of which will continue to be seen in 2023. Enforcement activity remained steady as political appointments remain pending.

Employers are apt to see increased activity in 2023 as the EEOC in particular gains its full complement of Biden appointees and can exercise its majority power to advance its agenda.

 

Illinois Supreme Court Holds Five-Year Statute Of Limitations Applies To The BIPA

By Alex W. Karasik, Gerald L. Maatman, Jr., and Jennifer A. Riley

Duane Morris Takeaways:  In one of the most highly anticipated class action rulings in years, in Tims, et al. v. Black Horse Carriers, Inc., Case No. 127801 (Ill. Feb. 2, 2023), the Illinois Supreme Court held that a five-year statute of limitations applies to claims under the Biometric Information Privacy Act, 740 ILCS 14/15 (“the BIPA”).  This ruling adds to the risks for employers and companies who do business in Illinois in terms of BIPA class action exposures.

Given that the BIPA statute does not have an explicit statute of limitations, the Illinois Supreme Court’s ruling now provides clarity for litigants and attorneys in this space as to the scope of the putative classes in their lawsuits.

Case Background

In March 2019, Plaintiff filed a class action complaint alleging that Defendant violated the BIPA through its timekeeping practices that involved the scanning and storing of employees’ fingerprints.  Plaintiff asserted claims under three sub-sections of the law, including: (1) section 15(a) of the BIPA, for failing to institute, maintain, and adhere to a retention schedule for biometric data; (2) section 15(b) of the BIPA, which states that no private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information without notice and consent; and (3) section 15(d) of the BIPA, which involves the unlawful disclosure or dissemination of biometric data without first obtaining consent.  Of note, section 15(c) of the BIPA prohibits the sale of a person’s biometric data for a profit, and section 15(e) of the BIPA imposes a duty of reasonable care in storing and protecting biometric data from disclosure.

On September 17, 2021, the Illinois Appellate Court held that a one-year limitations period pursuant to section 13-201 of the Illinois Code of Civil Procedure (the “Code”) governs actions under sections 15(c) and (d) of the BIPA, while a five-year statute of limitations pursuant to section 13-205 applies to sections 15(a), (b), and (e).  The Illinois Appellate Court explained that the BIPA imposes various duties that are separate and distinct from one another.  While each of the duties set forth under sections (a)-(e) “concern privacy,” the Appellate Court reasoned that a private entity could violate sections (a), (b), or (e) “without having to allege or prove that the defendant . . . published or disclosed any biometric data.” Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, at ¶ 31 (1st Dist. Sept. 17, 2021).  However, the “publication or disclosure of biometric data is clearly an element of an action under” sections 15(c) and (d). Id. at ¶ 32.  Accordingly, the Illinois Appellate Court applied the state’s one-year statute of limitations for right of privacy claims for sections (c) and (d), and applied the five-year “catch all” statute of limitations for sections (a), (b), and (e).

The Illinois Supreme Court’s Decision

On February 2, 2023, the Illinois Supreme Court affirmed in part and reversed in part the Illinois Appellate Court’s decision.  First, the Illinois Supreme Court notably opined that it, “agree[d] with the parties that the [A]ppellate [C]ourt erred in applying two different statutes of limitations to the Act.”  Tims, 2023 IL 127801, at ¶ 16.  It explained that one of the purposes of a limitations period is to reduce uncertainty and create finality and predictability in the administration of justice.  Id. at ¶ 20 (citations omitted).  The Illinois Supreme Court thus held that, “applying two different limitations periods or timebar standards to different subsections of section 15 of the Act would create an unclear, inconvenient, inconsistent, and potentially unworkable regime as it pertains to the administration of justice for claims under the Act.”  Id. at ¶ 21.

Having decided that a singular uniform statute of limitations should apply, the Illinois Supreme Court next analyzed whether the statute of limitations should be five years or one year.  Analyzing the plain language of the BIPA statute, the Illinois Supreme Court held that all five subsections of section 15 of the Act prescribe rules to regulate the collection, retention, disclosure, and destruction of biometric identifiers and biometric information.  Id. at ¶ 29.  In regards to the Illinois Appellate Court’s holding that section 15(a), 15(b), and 15(e) of the Act contained no words that could be defined as involving “publication,” the Illinois Supreme Court held that the Illinois Appellate Court correctly found that subsections (a), (b), and (e) are subject to the five-year “catchall” limitations period codified in section 13-205 of the Code. Id. at ¶ 30.

Turning to subsections (c) and (d), the Illinois Supreme Court acknowledged that the one-year statute of limitations could be applied.  Id. at ¶ 32.  However, the Illinois Supreme Court held that, “when we consider not just the plain language of section 15 but also the intent of the legislature, the purposes to be achieved by the statute, and the fact that there is no limitations period in the Act, we find that it would be best to apply the five-year catchall limitations period codified in section 13-205.”  Id. at ¶ 30.  The Illinois Supreme Court explained that this outcome would further its goal of ensuring certainty and predictability in the administration of limitations periods that apply to causes of actions under the BIPA.  Id. at ¶ 32.  In support of its conclusion, the Illinois Supreme Court held that Illinois courts have routinely applied this five-year catchall limitations period to other statutes lacking a specific limitations period, such as the BIPA.  Id. at ¶ 34.

Finally, the Illinois Supreme Court examined the Illinois General Assembly’s goals in enacting the BIPA statute.  The Illinois Supreme Court opined that in light of the extensive consideration the General Assembly gave to the fears of and risks to the public surrounding the disclosure of highly sensitive biometric information, “it would thwart legislative intent to (1) shorten the amount of time an aggrieved party would have to seek redress for a private entity’s noncompliance with the Act and (2) shorten the amount of time a private entity would be held liable for noncompliance with the Act.”  Id. at ¶ 39. The opinion also noted that defamation torts such as libel and slander are subject to a short limitations period because aggrieved individuals are expected to quickly become apprised of the injury and act quickly when their reputation has been publicly compromised, while it would be uncertain as to whether an individual would ever become aware of their biometric being improperly disclosed or misappropriated.  Id.

The Illinois Supreme Court concluded its opinion by holding that the five-year limitations period contained in section 13-205 of the Code controls claims under the BIPA.  Therefore, the Illinois Supreme Court affirmed in part and reversed in part the judgment of the Appellate Court, and remanded the cause to the Circuit Court for further proceedings.

Implications For Employers

This decision is unsurprising given the public policy behind the law and the growing importance of privacy.  The five-year statute of limitations serves to increase BIPA class action litigation exposure.

Companies can expect more BIPA-related rulings in the near term. The Illinois Supreme Court is due to issue its decision in Cothron v. White Castle System, Inc., No. 1280004 (Ill.), which will decide whether each fingerprint scan is its own discrete violation.  An adverse finding in Cothron could enhance BIPA class action exposures.

If employers have not already done so, now is the time to make sure their timekeeping procedures and consent policies are legally compliant. The Tims ruling is apt to increase the plaintiff class action bar’s appetite for BIPA claims, so it is more important than ever for employers to make sure their procedures are legally sound.

DMCAR Trend #4 – The Likelihood Of Class Certification In 2022 Was As Strong As Ever

By Gerald L. Maatman, Jr. and Jennifer A. Riley

Duane Morris Takeaway: In 2022, the plaintiffs’ class action bar succeeded in certifying class actions at a high rate. Across all major types of class actions, courts issued rulings on 360 motions to grant or to deny class certification in 2022. Of these, plaintiffs succeeded in obtaining or maintaining certification in 268 rulings, an overall success rate of nearly 75%.

The number of motions that courts considered varied significantly by subject matter area, and the number of rulings they issued varied accordingly. The following summarizes the results in each of 10 key areas:

Securities Fraud – 96% granted / 4% denied
Data Breach – 50% granted / 50% denied
Employment Discrimination – 53% granted / 47% denied
ERISA – 78% granted / 22% denied
RICO – 45% granted / 55% denied
TCPA – 67% granted / 33% denied
WARN – 100% granted / 0% denied
FLSA (Conditional Certification) – 82% granted / 18% denied
FLSA (Decertification) – 50% granted / 50% denied
Antitrust – 37% granted / 63% denied
Products Liability / Mass Torts – 69% granted / 31% denied

The plaintiffs’ class action bar obtained the highest rates of success in securities fraud, ERISA, WARN, and FLSA actions. In cases alleging securities fraud, plaintiffs succeeded in obtaining orders certifying classes in 23 of the 24 rulings issued during 2022, a success rate of 96%. In ERISA litigation, plaintiffs succeeded in obtaining orders certifying classes in 18 of 23 rulings issued during 2022, a success rate of 78%. In cases alleging WARN violations, plaintiffs managed to certify classes in 100% of the suits that resulted in decisions this year.

As to the FLSA, plaintiffs achieved a high rate of success on motions for conditional certification, and they also received a high number of rulings that dwarfs the number of other rulings by a substantial margin. In 2022, courts issued more certification rulings in FLSA collective actions than in any other type of case. The ease with which plaintiffs can obtain conditional certification surely contributes to the allure of that space to members of the plaintiffs’ bar. The plaintiffs’ bar has succeeded in gaining conditional certification in FLSA matters at a high rate year over year, contributing to the volume of filings in this area.

In 2022, courts considered more motions for certification in FLSA matters than in any other substantive area. Overall, courts issued 236 rulings. Of these, 219 addressed first-stage motions for conditional certification of collective actions under 29 U.S.C. § 216(b), and 18 addressed second-stage motions for decertification of collective actions. Due to the low burden at the conditional certification stage, plaintiffs historically have enjoyed a high rate of success on such motions. Rulings in 2022 were no exception. Of the 219 rulings that courts issued on motions for conditional certification, 180 rulings favored plaintiffs, for a success rate of 82%. Such rate is in line with and slightly higher than the historic rate of success that plaintiffs have achieved with respect to such motions.

At the decertification stage, courts generally have conducted a closer examination of the evidence and, as a result, defendants historically have enjoyed an equal if not higher rate of success on these second-stage motions as compared to plaintiffs. Again, 2022 was no exception. Of the 18 rulings that courts issued on motions for decertification of collective actions, 9 rulings favored defendants, for a success rate of 50%. Such rate again is in line with the historic rate of success that defendants have achieved at the decertification stage.

An analysis of these rulings, provided in Chapter 13, demonstrates that a disproportionate number of these rulings emanated from pro-plaintiff jurisdictions, including the judicial districts within the Second (33 decisions) and Ninth Circuits (19 decisions), which include New York and California, respectively. Similar to recent years, however, the number of rulings emanating from the Sixth Circuit (36 decisions) proved as high if not higher than the number of rulings in these traditional pro-plaintiff forums.

The following graph illustrates these variations:

These numbers no doubt flow from the different standards by which courts in different circuits evaluate motions for conditional certification and decertification and, in turn, the likelihood of plaintiffs’ success on such motions in these areas. Various factors discussed in this Review could impact these trends in 2023. If, for instance, the Sixth Circuit joins the Fifth Circuit in abandoning the two-step certification process, and thereby increases the time and expense of gaining a conditional certification order, it may lead to a reshuffling of the deck in terms of where plaintiffs seek to pursue cases.
