Seventh Circuit Affirms Dismissal Of “Bare Bones” Lawsuit Brought Under Illinois Genetic Information Privacy Act

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Tyler Z. Zmick

Duane Morris Takeaways:  On May 1, 2023, the U.S. Court of Appeals for the Seventh Circuit issued one of only a handful of decisions that have been released regarding the Illinois Genetic Information Privacy Act (“GIPA”).  In Bridges v. Blackstone, Inc., No. 22-2486, 2023 WL 3165218 (7th Cir. May 1, 2023), the Seventh Circuit affirmed the District Court’s dismissal of Plaintiffs’ GIPA claims based on Plaintiffs’ failure to allege that Defendant “disclosed” or was “compelled to disclose” their statutorily-protected genetic information. Similar to its more well-known counterpart – the Illinois Biometric Information Privacy Act (“BIPA”) – liability under the GIPA could potentially result in “astronomical” damages awards and may represent an increasingly important Illinois law in the privacy space.

GIPA Background

Enacted in 1998, the GIPA was designed to prevent employers and insurers from using genetic testing data as a means to discriminate for employment or insurance underwriting purposes.

To further that goal, the statute places restrictions on the ability to release “genetic testing and information derived from genetic testing.”  Specifically, the GIPA provides that “genetic testing and information derived from genetic testing is confidential and privileged and may be released only to the individual tested and to persons specifically authorized, in writing in accordance with Section 30, by that individual.”  410 ILCS 513/15(a).  Section 30, in turn, states that subject to certain exceptions, “[n]o person may disclose or be compelled to disclose the identity of any person upon whom a genetic test is performed or the results of a genetic test in a manner that permits identification of the subject of the test, except to . . . the subject of the test.”  410 ILCS 513/30(a).

Like the BIPA, the more widely-known privacy statute, the GIPA allows “[a]ny person aggrieved by a violation” of the statute to collect liquidated damages “for each violation” in the following amounts: (1) for negligent violations, $2,500 or actual damages, whichever is greater; or (2) for intentional or reckless violations, $15,000 or actual damages, whichever is greater.  410 ILCS 513/40.  Like the BIPA, prevailing GIPA plaintiffs can also recover reasonable attorneys’ fees and costs.

Case Background

In Bridges, the Plaintiffs sent their DNA samples (obtained through at-home test kits) to Ancestry.com, a genealogy company.  Years later, Defendant Blackstone, Inc. purchased Ancestry.com for $4.7 billion in an all-stock acquisition.  Plaintiffs subsequently filed a putative class action against Blackstone in July 2021, alleging that its acquisition of Ancestry.com resulted in a violation of the GIPA.

After removing the complaint to the U.S. District Court for the Southern District of Illinois, Blackstone moved to dismiss on the basis that Plaintiffs failed to sufficiently allege a claim for relief under the GIPA.

The District Court agreed, holding that Plaintiffs failed to state a GIPA claim because they did not adequately allege that Blackstone “compelled” Ancestry.com to disclose Plaintiffs’ genetic data under Section 30 of the GIPA.  The District Court agreed with Blackstone that “compel[ing]” the disclosure of genetic information necessarily requires something more than receipt or obtainment, yet Plaintiffs alleged only that Blackstone “may have been entitled to request or receive information from Ancestry in connection with the[] acquisition.”  Bridges v. Blackstone Grp., Inc., No. 21-CV-1091, 2022 WL 2643968, at *4 (S.D. Ill. July 8, 2022).

The Seventh Circuit’s Decision

The Seventh Circuit affirmed the District Court’s dismissal of Plaintiffs’ GIPA claim under Rule 12(b)(6).

Regarding the District Court’s reason for granting Blackstone’s motion to dismiss, the Seventh Circuit held that it need not answer the question “over whether GIPA liability can attach to a company like Blackstone that allegedly receives protected information, rather than discloses that information,” because Plaintiffs “have failed to state a claim regardless.”  Id. at *2.

The Seventh Circuit agreed with the District Court that it is not plausible to infer that “a run-of-the-mill corporate acquisition, without more alleged about that transaction, results in a compulsory disclosure within the meaning of Section 30.”  Bridges v. Blackstone Grp., Inc., No. 22-2486, Order at 4 (7th Cir. May 1, 2023) (“All we can say with certainty about Blackstone’s all-stock acquisition of Ancestry is that a change in ownership occurred – nothing more.”).

Implications for Employers

One of only a few cases to have interpreted the statute, the Bridges decision indicates that a company is not subject to liability under the GIPA based solely on its acquisition of another company that may be in possession of genetic data.

Nonetheless, Bridges serves as a reminder to Illinois employers that collect genetic information, medical histories, and/or conduct “health screenings” as part of their application processes about the importance of complying with the GIPA.

The GIPA’s statutory text mirrors the BIPA’s text in important (and potentially concerning) ways, including that (i) a plaintiff can likely sue under the GIPA regardless of whether an actual injury is alleged; and (ii) following the Illinois Supreme Court’s logic as applied to the BIPA in Cothron v. White Castle, 2023 IL 128004 (Ill. Feb. 17, 2023) (see here), statutory damages may accrue under the GIPA each separate time a company “disclose[s] or [is] compelled to disclose” genetic data protected by the GIPA.  Thus, it is possible that plaintiffs will file increased numbers of GIPA class actions in Illinois courts in the coming months and years.

Illinois Court Dismisses BIPA Class Action Brought Against Seller Of Point-Of-Sale Technology For Lack Of Personal Jurisdiction

By Gerald L. Maatman, Jr., Tyler Z. Zmick, and Shaina Wolfe

Duane Morris Takeaways:  In White v. HungerRush LLC, No. 22-1206 (C.D. Ill. Mar. 28, 2023), the Court dismissed claims for violations of the Biometric Information Privacy Act (“BIPA”) brought against a company that sells point-of-sale technology for lack of personal jurisdiction.  White serves as a reminder to businesses that personal jurisdiction in Illinois may be lacking where their conduct has only a tenuous connection to Illinois and/or where they do not “collect” or “possess” biometric data.  This ruling – which is largely consistent with federal court decisions addressing the issue – is a rare win for companies facing BIPA class actions, and is a required read for companies facing privacy class action litigation.

Case Background

Plaintiff worked at a restaurant in Peoria, Illinois, which used a point-of-sale system sold by Defendant HungerRush LLC, a Texas-based company.  While working at the restaurant, Plaintiff enrolled her fingerprint onto the point-of sale system as a means of clocking in and out of work.  She later sued the Texas-based Company, claiming that it violated the BIPA in connection with its sale of the point-of sale system by (i) failing to develop a written policy made available to the public establishing a retention policy and guidelines for destroying biometric data, and (ii) collecting her biometric data without providing her with the requisite notice and obtaining her written consent.

In response to the complaint, the Company moved to dismiss on the basis that the Court lacked personal jurisdiction.  In support of its jurisdictional argument, the Company submitted an affidavit signed by its Chief Administrative Officer and General Counsel.

The Company’s affidavit explained that: (i) it is a Texas-based company; (ii) it does not manufacture finger-scan devices or software; (iii) Plaintiff’s employer purchased a point-of-sale system from it and separately purchased a finger-scan device from a third-party; (iv) the finger-scan device operates independently from its software; and (v) finger-scan data is not transmitted to its point-of-sale software – instead, the finger-scan device sends only an approval signal to its software.

Based on these facts, Defendant argued that its limited contact with Illinois (i.e., selling a point-of-sale system to Plaintiff’s Illinois-based employer) was insufficient to establish personal jurisdiction.

The District Court’s Decision

The Court granted the Company’s motion to dismiss under Rule 12(b)(2).

First, the Court noted that “[w]here, as here, the defendant submits ‘evidence opposing the district court’s exercise of personal jurisdiction, the plaintiff must similarly submit affirmative evidence supporting the court’s exercise of jurisdiction.’”  The Court explained that because Plaintiff failed to submit any evidence refuting the Company’s evidence, i.e. the sworn affidavit, the affidavit was considered “unrebutted.”

Second, the Court found that the Company’s unrebutted evidence demonstrated that it did not have sufficient minimum contacts with Illinois for this case and it was not reasonably foreseeable that Plaintiff’s claims related to the Company’s contacts with Illinois. Significantly, Plaintiff failed to submit any evidence refuting the affidavit’s sworn statements that Plaintiff’s Illinois-based employer initiated the transaction with the Company, that any contracts the Company makes with Illinois restaurants are made in Texas with Illinois restaurants reaching out to the Company, that the Company’s system has no cloud functions, or that the Company does not and has never manufactured a fingerprint scanner.

The Court held that because Plaintiff failed to offer evidence or adequate explanations refuting the Company’s sworn statements, she failed to meet her burden in establishing personal jurisdiction.

Implications For Employers

White serves as a reminder that companies must have sufficient contacts with the state in order for the courts to have personal jurisdiction over them.  In other words, companies with only limited contacts with Illinois will not be subject to personal jurisdiction in courts within Illinois.

White also illustrates the importance of submitting extrinsic materials (e.g., sworn affidavits) in support of showing lack of personal jurisdiction.  Significantly, once the defendant has submitted affidavits or other extrinsic evidence supporting lack of jurisdiction, the plaintiff must go beyond the pleadings and submit affirmative evidence supporting the exercise of jurisdiction.  Moreover, courts can dismiss BIPA class actions for lack of personal jurisdiction based on supporting affidavits – even where the affidavits speak in part to the merits of the case.  See Order & Op. at 8.

Illinois Supreme Court Holds Federal Labor Law Preempts BIPA Claims Asserted By Unionized Employees

By Alex W. Karasik, Tyler Z. Zmick, and Elizabeth C. Mincer

Duane Morris Takeaways:  In the Illinois Supreme Court’s latest ruling in the biometric privacy space, it decided in Walton v. Roosevelt University, 2023 IL 128338 (Ill. Mar. 23, 2023), that claims brought under the Biometric Information Privacy Act (“BIPA”) by bargaining unit employees are preempted by Section 301 of the Labor Management Relations Act (“LMRA”) where an employer invokes a broad management rights provision in a CBA.  This ruling – which is consistent with federal court decisions addressing the issue – is a rare win for defendants facing BIPA class actions.  Employers with unionized workforces may now be able to assert an LMRA preemption defense in seeking dismissal of BIPA claims based on decisions issued by Illinois’s highest state court and the U.S. Court of Appeals for the Seventh Circuit.

Case Background

Plaintiff alleged that when he started working at Roosevelt University in 2018, Roosevelt required him to enroll a scan of his hand geometry onto a biometric timekeeping device as a means of clocking in and out of work.  Plaintiff sued Roosevelt the following year, alleging that the university violated Sections 15(a), 15(b), and 15(d) of the BIPA in connection with Roosevelt’s use of the timekeeping system by (i) failing to develop a written policy made available to the public establishing a retention policy and guidelines for destroying biometric data, (ii) collecting his biometric data without providing him with the requisite notice and obtaining his written consent, and (iii) disclosing his biometric data without consent.

In response to the complaint, Roosevelt moved to dismiss on the basis that Plaintiff’s claims were preempted by Section 301 of the Labor Management Relations Act (“LMRA”).  Specifically, Roosevelt argued that Plaintiff had been a union member while employed by Roosevelt, and the collective bargaining agreement (“CBA”) between Roosevelt and Plaintiff’s union contained a management rights clause broad enough to cover the manner by which union employees clocked in and out of work.  As support, Roosevelt cited the U.S. Court of Appeals for the Seventh Circuit’s decision in Miller v. Southwest Airlines Co., 926 F.3d 898 (7th Cir. 2019), which held that federal labor law preempts BIPA claims when the claims require interpretation or administration of a CBA.

The Cook County Circuit Court rejected Roosevelt’s LMRA preemption argument, finding Miller distinguishable and holding that BIPA claims are “not intertwined with or dependent substantially upon consideration” of terms of a CBA because a person’s rights under the BIPA “exist independently of both employment and any given CBA.”  Id. ¶ 6.  Because the issue presented a close call, however, the Circuit Court certified the following question for interlocutory appeal: “Does Section 301 of the [LMRA] preempt [BIPA] claims asserted by bargaining unit employees covered by a [CBA]?”

The Illinois Appellate Court answered the certified question “yes.”  In doing so, the court noted that the Seventh Circuit had recently come to the same conclusion in a case where “the relevant factual and legal circumstances . . . [were] indistinguishable.”  Id. ¶ 8 (citing Fernandez v. Kerry, Inc., 14 F.4th 644 (7th Cir. 2021)).  The appellate court determined that Fernandez reached the correct conclusion, as the BIPA “contemplates the role of a collective bargaining unit acting as an intermediary on issues concerning an employee’s biometric information.”  Id. ¶ 10 (noting that the BIPA prohibits private entities from collecting biometric information without obtaining consent from the subject or the subject’s legally authorized representative).

The Illinois Supreme Court’s Decision

The Illinois Supreme Court subsequently allowed Plaintiff’s petition for leave to appeal, after which it affirmed the appellate court’s decision.  The Supreme Court observed that the Seventh Circuit had twice held that federal law preempts BIPA claims asserted under similar circumstances, and it noted that when interpreting federal statutes, Illinois courts look to the decisions of the U.S. Supreme Court (“SCOTUS”) and federal circuit and district courts.  It further noted that the SCOTUS’s interpretation of federal law is binding, and that in the absence of SCOTUS precedent, the weight given to federal circuit and district court interpretations of federal law depends on factors such as uniformity of law and the soundness of the decisions.  See id. ¶¶ 23-24 (“[I]f lower federal courts are uniform in their interpretation of a federal statute, this court, in the interest of preserving unity, will give considerable weight to those courts’ interpretations of federal law and find them to be highly persuasive.”).

In comparing Plaintiff’s case to the Seventh Circuit decisions, the Supreme Court acknowledged that the relevant CBA provisions in Plaintiff’s case and in Fernandez both contained similarly broad management rights clauses.  See id. ¶ 31 (noting the CBA between Roosevelt and Plaintiff’s union stated that “[s]ubject to the provisions of this Agreement, the Employer shall have the exclusive right to direct the employees covered by this Agreement” and that “[a]mong the exclusive rights of management . . . are: the right to plan, direct, and control all operations performed in the building [and] to direct the working force”).

In sum, because the Supreme Court did not find Miller and Fernandez to be “without logic and reason,” id., it deferred to the uniform federal case law on the issue and held that when an employer invokes a CBA’s broad management rights clause in response to a BIPA claim brought by a bargaining unit employee, the plaintiff’s BIPA claims are preempted by the LMRA.

Implications For Employers

Like the Seventh Circuit’s decisions in Miller and Fernandez, Walton reflects a rare defendant-friendly development and provides a basis for certain employers to seek dismissal of BIPA claims on LMRA preemption grounds.  The defense applies only to a subset of employers, however, as it can be asserted only by (i) employers with unionized employees who (ii) have entered into a CBA with a union that contains a management rights clause broad enough to cover the manner by which employees clock in and out of work.  Furthermore, unionized employees are not prohibited from seeking redress for alleged BIPA violations – they are simply required to first pursue those claims through the grievance procedures in their CBAs rather than in state or federal court.

Moreover, the National Labor Relations Board (“NLRB”) – the agency that enforces the National Labor Relations Act (“NLRA”) – has indicated that it intends to reshape current law regarding employee privacy and management rights provisions. If such changes take effect, they could reshape how courts assess federal labor law preemption in future BIPA cases.

The Walton ruling highlights the importance of carefully negotiating and drafting CBA provisions, particularly with respect to management rights.  Employers in states with strict privacy laws (like the BIPA) should consider contract language that specifically provides management with the right to use and store certain biometric data and/or implement other new technologies.

Illinois Supreme Court Holds Each Fingerprint Scan Is A Separate BIPA Violation – Thereby Creating The Potential For Increased Damages In Privacy Class Actions

By Gerald L. Maatman, Jr., Alex W. Karasik, Tyler Z. Zmick, and Jennifer A. Riley

Duane Morris Takeaways:  In the latest ruling in Illinois in the biometric privacy class action space, the Illinois Supreme Court decided today in Cothron v. White Castle, 2023 IL 128004 (Ill. Feb. 17, 2023), that a separate claim for damages accrues under the Biometric Information Privacy Act (“BIPA”) each time a private entity scans or transmits an individual’s biometric identifier or information, in violation of section 15(b) or 15(d).

This ruling could exponentially increase monetary damages in class actions brought under the BIPA, especially in the employment context, where employees scan in and out of work multiple times per day for several hundred days per year.

Case Background

Plaintiff alleged that after she started working at White Castle in 2004, the company required her to use a fingerprint-based system to access the workplace computer she used in her position as a manager.  Plaintiff sued White Castle several years later in 2018, alleging that the company violated Sections 15(b) and 15(d) of the BIPA in connection with the fingerprint-based system by (i) collecting her biometric data without providing her with the requisite notice and obtaining her written consent, and (ii) disclosing her biometric data without consent.

After removing the complaint to the U.S. District Court for the Northern District of Illinois, White Castle moved for judgment on the pleadings on the basis that Plaintiff’s claims were untimely.  Specifically, White Castle argued that Plaintiff’s BIPA claims accrued in 2008 (when her first fingerprint scan occurred after the BIPA took effect), yet she did not file her complaint until 2018.  The District Court rejected White Castle’s one-time-only theory of claim accrual, holding that the lawsuit was timely because each separate unauthorized fingerprint scan constituted an independent violation of the statute, meaning Plaintiff’s BIPA claims were timely because her last fingerprint scan occurred within five years of the filing of her complaint.  Because the issue presented a close call, however, the District Court permitted White Castle to file an interlocutory appeal with the Seventh Circuit regarding whether Section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits a scan to a third party, respectively, or only upon the first scan and first transmission.

The U.S. Court of Appeals for the Seventh Circuit accepted the interlocutory appeal. Id. ¶ 9. After determining that Plaintiff had standing to bring her action in federal court under Article III of the U.S. Constitution, the Seventh Circuit addressed the parties’ respective arguments on the accrual of a claim under the Act.  Id.  Ultimately, the Seventh Circuit found the parties’ competing interpretations of claim accrual reasonable under Illinois law, and it agreed with Plaintiff that “the novelty and uncertainty of the claim-accrual question” warranted certification of the question to the Illinois Supreme Court.  Id. at 1165-66.  The Seventh Circuit “observed that the answer to the claim-accrual question would determine the outcome of the parties’ dispute, this court could potentially side with either party on the question, the question was likely to recur, and it involved a unique Illinois statute regularly applied by federal courts.”  Id..

The Illinois Supreme Court’s Decision

In a 4-3 split ruling, the Illinois Supreme Court held today that that a separate claim accrues under the BIPA each time a private entity scans or transmits an individual’s biometric identifier or information, in violation of section 15(b) or 15(d).  First, the Illinois Supreme Court analyzed the certified question with respect to Section 15(b), which provides that no private entity “may collect, capture, purchase, receive through trade, or otherwise obtain” a person’s biometric data unless it first provides notice and receives written consent.  740 ILCS 14/15(b).  Relying on the plain language of the statute and the fact that the actions of “collecting” and “capturing” biometric data can occur more than once, the Supreme Court agreed with Plaintiff’s interpretation – namely, that Section 15(b) “applies to every instance when a private entity collects biometric information without prior consent.”  Id. ¶¶ 19, 23.  As interpreted in the context of the facts of the case, the Supreme Court further observed that White Castle obtains an employee’s fingerprint, stores it in its database, and then compares the fingerprint taken during subsequent scans to verify the identity of the employee.  In the Supreme Court’s words, White Castle “fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub.”  Id. ¶ 23.  Accordingly,  consistent with the District Court’s decision in Cothron and the Illinois Appellate Court’s conclusion in Watson, 2021 IL App (1st) 210279, ¶ 46, the Illinois Supreme Court held that an entity violates Section 15(b) the first time it collects biometric data without having provided the requisite notice and obtaining consent, in addition to “each subsequent scan or collection.”  Id. ¶ 24.

Next, closely tracking its analysis of Section 15(b), the Supreme Court similarly held that BIPA Section 15(d) – which prohibits the disclosure, redisclosure, or dissemination of biometric data without consent – “applies to every transmission to a third party.”  Id. ¶ 28. Like the verbs “collect” and “capture” in Section 15(b), the acts of disclosing and redisclosing biometric data occur upon the initial disclosure in addition to any subsequent disclosure or redisclosure of the data.  See id. ¶ 29 (“A fingerprint scan system requires a person to expose his or her fingerprint to the system so that the print may be compared with the stored copy, and this happens each time a person uses the system.”).

The majority opinion also rejected White Castle’s remaining “nontextual” arguments supporting its single-accrual interpretation.  White Castle argued that a BIPA claim accrued only upon the initial collection or disclosure of a person’s biometric data because an individual loses the right to control his or her biometric data as soon as the data is collected and/or disclosed.  In rejecting the argument, the Supreme Court again relied on the statute’s plain language, stating: “[n]o such limitation appears in the statute.  We cannot rewrite a statute to create new elements or limitations not included by the legislature.”  Id. ¶ 39.

Next, the Supreme Court turned to White Castle’s argument that in light of the BIPA’s liquidated damages provision, interpreting the statute to mean an entity violates Sections 15(b) and 15(d) every time it collects or discloses biometric data means “a party may recover for “each violation,” allowing multiple or repeated accruals of claims by one individual could potentially result in punitive and “astronomical” damage awards that would constitute “annihilative liability” not contemplated by the legislature and possibly be unconstitutional.”  Id. ¶ 41.  For example, White Castle estimated that if Plaintiff was successful and allowed to bring her claims on behalf of as many as 9,500 current and former White Castle employees, classwide damages in her action may exceed $17 billion.  Once again, the Supreme Court rejected White Castle’s argument because the statutory language is clear and supports plaintiff’s position.  See id. ¶ 40 (“As the district court observed, this court has repeatedly held that, where statutory language is clear, it must be given effect, “ ‘even though the consequences may be harsh, unjust, absurd or unwise.’ ” (Emphasis omitted.) Cothron, 477 F. Supp. 3d at 734 (quoting Peterson v. Wallach, 198 Ill. 2d 439, 447 (2002)).”).

Importantly, however, the Supreme Court acknowledged that trial courts could exercise their discretion to reduce the amount of statutory damages that plaintiffs can recover. Id. ¶ 42.  In closing, the Supreme Court reiterated the position that White Castle’s “policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature,” and it “suggest[ed] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.”  Id. ¶ 43.  Accordingly, the Illinois Supreme Court concluded that the plain language of section 15(b) and 15(d) shows that a claim accrues under the BIPA with every scan or transmission of biometric identifiers or biometric information without prior informed consent.

The Dissent

Notably, three Illinois Supreme Court Justices, inclusive Chief Justice Theis, joined the Dissenting Opinion.  Of note, the Dissent opined that two significant consequences militate against the majority’s construction.  Id. ¶ 60.  First, under the majority’s rule, plaintiffs would be incentivized to delay bringing their claims as long as possible, since “If every scan is a separate, actionable violation, qualifying for an award of liquidated damages, then it is in a plaintiff’s interest to delay bringing suit as long as possible to keep racking up damages.”  Id.  Second, the Dissent noted that, “the majority’s construction of the Act could easily lead to annihilative liability for businesses.”  Id. at ¶ 61.

In sum, the Dissent commented that, “Imposing punitive, crippling liability on businesses could not have been a goal of the Act, nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm.  Id. ¶ 63.  To this point, the Dissent opined that, “nothing in the Act indicating that the legislature intended to impose cumbersome requirements or punitive, crippling liability on corporations for multiple authentication scans of the same biometric identifier. The legislature’s intent was to ensure the safe use of biometric information, not to discourage its use altogether.”

Implications For Employers

Following the Illinois Supreme Court’s similar pro-plaintiff ruling in Tims v. Black Horse Carriers, 2023 IL 127801 (Ill. Feb. 2, 2023), which applied a five-year statute of limitations to the BIPA instead of a one-year statute of limitations, the well is beginning to dry for businesses in terms of potential BIPA class action defenses. While employers can still explore novel exemptions, such as information captured from a patient in a health care setting, most companies caught in the crosshairs of BIPA class actions will be facing monumental amounts of potential damages.

Businesses confronted with BIPA class actions may need to explore alternative potential defenses, such as the constitutionality of the overbearing damages thresholds.  Companies will also likely push for legislative changes.  Nonetheless, given the bleak outlook of the law as it stands, it is imperative for businesses to immediately ensure they are compliant with the BIPA.

Illinois District Court Rejects “Trio” Of BIPA Defenses in Denying Motion to Dismiss

By: Gerald L. Maatman, Jr., Jennifer A. Riley, and Tyler Z. Zmick

Duane Morris Takeaways: In Trio v. Turing Video, Inc., No. 21-CV-4409, 2022 WL 4466050 (N.D. Ill. Sept. 26, 2022), the Court issued yet another plaintiff-friendly decision under the Illinois Biometric Information Privacy Act (“BIPA”), putting businesses on notice that the statute can apply to technology used to screen individuals for purposes of preventing the spread of COVID-19.  The Court denied the three arguments raised in the Defendant’s motion to dismiss, and held that: (1) personal jurisdiction existed because the Defendant sent “biometric” devices to multiple Illinois-based customers; (2) the Plaintiff’s claims were not preempted by the Labor Management Relations Act; and (3) Plaintiff adequately alleged claims under BIPA. The ruling in Trio ought to be required reading for corporate counsel dealing with privacy class action litigation.

Background

Plaintiff alleged that Defendant Turing Video, Inc. sold “products integrated with artificial intelligence,” including the Turing Shield, a “kiosk that allows Turing’s customers to screen their employees for COVID-19.”  See Mem. Op. & Order at 2.  According to Plaintiff, the Turing Shield works by screening a user’s temperature through the device’s camera, thereby using its “artificial intelligence algorithm” to recognize the user based on his or her facial geometry, and detecting whether the user is wearing a protective mask.  Plaintiff also alleged that data collected through the Turing Shield was transmitted to third parties who host that data.

Plaintiff previously worked in Illinois for New Albertson’s, Inc. d/b/a Jewel-Osco, where she used the Turing Shield at the start of each workday as part of the store’s COVID-19 screening process.  Based on her use of the device, Plaintiff claimed that Turing violated the BIPA by: (i) failing to inform her that the Turing Shield would collect her biometric data, and (ii) disseminating her biometric data to third parties without her consent.

Turing moved to dismiss on three grounds, including: (1) that the Court lacked personal jurisdiction; (2) Plaintiff’s claims were preempted by the Labor Management Relations Act; and (3) Plaintiff failed to state a claim upon which relief could be granted.

The Court’s Decision

The Court denied Turing’s motion to dismiss on all three grounds.

Personal Jurisdiction

Turing argued that the Court lacked specific personal jurisdiction because Turing was a non-forum (i.e., California) resident that sold the devices used by Plaintiff to a non-party, Jewel-Osco (also a non-forum resident), and Jewel-Osco brought the devices into Illinois without Turing’s involvement.

The Court held that the evidence – which showed Turing had over 30 Illinois-based customers and had shipped Turing Shields into Illinois – established that Turing had the requisite minimum contacts with Illinois to establish personal jurisdiction.

Labor Management Relations Act Preemption

The Court next addressed Turing’s argument that Plaintiff’s claims were preempted by Section 301 of the Labor Management Relations Act (the “LMRA”), which establishes federal jurisdiction over “suits for violations of contracts between an employer and a labor organization representing employees in an industry affecting commerce.”  Courts typically interpret Section 301 as preempting state law claims that are “substantially dependent on analysis of a collective-bargaining agreement.”  Id. at 18.

Here, Plaintiff was represented by a union and subject to a collective bargaining agreement (“CBA”) while employed at Jewel-Osco.  Based on those facts, Turing claimed that resolving Plaintiff’s BIPA claims for alleged privacy invasions sustained through her work required the Court to interpret the CBA.  The Court disagreed. It held that Plaintiff’s claims were not preempted because the Court could resolve the claims without interpreting the CBA.

The Court recognized that the Seventh Circuit has held that federal law preempts BIPA claims brought by certain union-represented employees against their employers.  See Miller v. Southwest Airlines Co., 926 F.3d 898, 903 (7th Cir. 2019); Fernandez v. Kerry, Inc., 14 F.4th 644, 646-47 (7th Cir. 2021).  The Court distinguished those cases because Turing was not a party to the CBA, and “Turing’s obligations under BIPA stand wholly independent of whether Plaintiff’s union may have consented to Jewel-Osco . . . collecting and disseminating her biometric data.  In other words, resolution of the state law BIPA claims would not require this Court to interpret any [CBA], and instead depend upon the entirely unrelated question of whether Turing provided Plaintiff with the necessary disclosures and obtained from her the required written release before it collected and disseminated her biometric information.”  Mem. Op. & Order at 20-21.

Extraterritoriality & PREP Act Immunity

Finally, the Court rejected Turing’s arguments that: (i) Plaintiff failed to allege that Turing’s relevant conduct occurred in Illinois, and (ii) the Public Readiness and Emergency Preparedness Act (the “PREP Act”) immunized Turing from BIPA liability.  Regarding extraterritoriality, the Court held that Plaintiff sufficiently alleged that Turing’s conduct occurred “primarily and substantially” in Illinois, thereby satisfying the “extraterritoriality doctrine.”  Id. at 25. Regarding PREP Act immunity, the Court noted that the PREP Act provides immunity from liability relating to the “use of a covered countermeasure” upon the declaration of a public health emergency by the Secretary of the Department of Health and Human Services.  The Court held that PREP Act immunity did not apply because the Food and Drug Administration had not approved the Turing Shield, meaning the device did not satisfy the definition of a “covered countermeasure.” Id. at 28.

Conclusion

Trio can be added to the list of recent plaintiff-friendly BIPA decisions, as it reinforces the growing consensus that multiple private entities can be subject to liability under the statute for what may seem like a single “violation.”

The case also raises a potential hurdle to asserting jurisdictional defenses to BIPA claims based on its holding that personal jurisdiction can exist even where the defendant does not send into Illinois the specific device used to collect a plaintiff’s “biometric” data.  Other courts, however, appear more willing to dismiss BIPA claims on personal jurisdiction grounds.  See, e.g., Gutierrez v. Wemagine.AI LLP, Case No. 21-CV-5702, ECF No. 32, Mem. Op. & Order at 1 (N.D. Ill. Oct. 7, 2022) (available here) (dismissing BIPA case for lack of personal jurisdiction despite plaintiffs’ allegation that defendant’s app “derives substantial revenue from nearly 5,000 Illinois-based users”).

 

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress