Illinois Trial Court Grants Class Certification In BIPA Class Action

By Alex W. Karasik, Gerald L. Maatman, Jr. and Jennifer A. Riley

TakeawaysIn Palacios v. H&M Hennes & Mauritz, LP, Case No. 18-CH-16030 (Cir. Ct. Cook County, Ill. Mar. 16, 2023), a state trial court in Illinois granted Plaintiff’s motion for class certification in an Illinois Biometric Information Privacy Act (the “BIPA”) class action. Given the limited jurisprudence in BIPA class action certification rulings, this decision is an important read for corporate counsel, as the ruling likely will be used as a roadmap by the plaintiffs’ bar to support their efforts to certify such classes.

Case Background

Plaintiff alleged that Defendant required him and other employees to scan their fingerprints into a biometric time clock system to record the time they worked, and unlawfully collected, possessed, and transferred their biometric information without consent and without a proper retention and destruction schedule.  Plaintiff sought to certify a class of all hourly employees who enrolled in or used Defendant’s timekeeping system while working for Defendant between August 9, 2014, and October 15, 2019.

In terms of the four factors to certify the class – numerosity, adequacy of representation, commonality, and appropriateness – Defendant did not challenge the numerosity factor. However, Defendant challenged the motion for class certification regarding the other three factors.

The Court’s Decision

The Court granted Plaintiff’s motion for class certification. First, the Court held that the named Plaintiff was an adequate class representative. Defendant argued that, based on Plaintiff’s deposition testimony, he was, “uninformed and disinterested in the facts, the litigation, and his role as class representative.” The Court rejected this argument, holding that, “while [Plaintiff] may not understand legal jargon . . . he understands the basic facts . . . understands he is making a legal claim for violation privacy rights on behalf of a class of other employees [and] has been in regular communication with his counsel and participated in discovery.” Accordingly, the Court found that Plaintiff would adequately represent the putative class.

Second, the Court held that the commonality factor was met. Defendant contended that Plaintiff was at odds with the rest of the class since he alleged that he suffered emotional distress damages. The Court rejected this argument, holding that Plaintiff testified that he was harmed through a breach of his biometric information privacy rights and was pursuing the same claims on behalf of class members. Accordingly, the Court held that common questions predominated over questions affecting individual class members.

Finally, the Court explained that, “a class action must be an appropriate method for the fair and efficient adjudication of the controversy.” Id. (citations and quotations omitted). The Court opined that many individuals incurred relatively small liquidated damages and their likely recovery was probably too small to justify a separate action. However, collectively, the Court could adjudicate the putative class’s claims, as it noted, “This is what class actions were designed to achieve.”  Id.  Accordingly, the Court held that a class action was the appropriate method for the fair and efficient adjudication of the controversy.

Implications For Employers

While employers are likely still recovering from the sting of adverse Illinois Supreme Court BIPA class action rulings from early 2023, this decision marks another victory for the plaintiff’s bar. Defendants in BIPA class actions who are facing motions for class certification would be wise to avoid duplicating the arguments made here. In light of the shrinking number of potential BIPA defenses and skyrocketing damages, employers must begin exploring alternative defense strategies to combat these bet-the-company cases.

Illinois Court Dismisses BIPA Class Action Brought Against Seller Of Point-Of-Sale Technology For Lack Of Personal Jurisdiction

By Gerald L. Maatman, Jr., Tyler Z. Zmick, and Shaina Wolfe

Duane Morris Takeaways:  In White v. HungerRush LLC, No. 22-1206 (C.D. Ill. Mar. 28, 2023), the Court dismissed claims for violations of the Biometric Information Privacy Act (“BIPA”) brought against a company that sells point-of-sale technology for lack of personal jurisdiction.  White serves as a reminder to businesses that personal jurisdiction in Illinois may be lacking where their conduct has only a tenuous connection to Illinois and/or where they do not “collect” or “possess” biometric data.  This ruling – which is largely consistent with federal court decisions addressing the issue – is a rare win for companies facing BIPA class actions, and is a required read for companies facing privacy class action litigation.

Case Background

Plaintiff worked at a restaurant in Peoria, Illinois, which used a point-of-sale system sold by Defendant HungerRush LLC, a Texas-based company.  While working at the restaurant, Plaintiff enrolled her fingerprint onto the point-of sale system as a means of clocking in and out of work.  She later sued the Texas-based Company, claiming that it violated the BIPA in connection with its sale of the point-of sale system by (i) failing to develop a written policy made available to the public establishing a retention policy and guidelines for destroying biometric data, and (ii) collecting her biometric data without providing her with the requisite notice and obtaining her written consent.

In response to the complaint, the Company moved to dismiss on the basis that the Court lacked personal jurisdiction.  In support of its jurisdictional argument, the Company submitted an affidavit signed by its Chief Administrative Officer and General Counsel.

The Company’s affidavit explained that: (i) it is a Texas-based company; (ii) it does not manufacture finger-scan devices or software; (iii) Plaintiff’s employer purchased a point-of-sale system from it and separately purchased a finger-scan device from a third-party; (iv) the finger-scan device operates independently from its software; and (v) finger-scan data is not transmitted to its point-of-sale software – instead, the finger-scan device sends only an approval signal to its software.

Based on these facts, Defendant argued that its limited contact with Illinois (i.e., selling a point-of-sale system to Plaintiff’s Illinois-based employer) was insufficient to establish personal jurisdiction.

The District Court’s Decision

The Court granted the Company’s motion to dismiss under Rule 12(b)(2).

First, the Court noted that “[w]here, as here, the defendant submits ‘evidence opposing the district court’s exercise of personal jurisdiction, the plaintiff must similarly submit affirmative evidence supporting the court’s exercise of jurisdiction.’”  The Court explained that because Plaintiff failed to submit any evidence refuting the Company’s evidence, i.e. the sworn affidavit, the affidavit was considered “unrebutted.”

Second, the Court found that the Company’s unrebutted evidence demonstrated that it did not have sufficient minimum contacts with Illinois for this case and it was not reasonably foreseeable that Plaintiff’s claims related to the Company’s contacts with Illinois. Significantly, Plaintiff failed to submit any evidence refuting the affidavit’s sworn statements that Plaintiff’s Illinois-based employer initiated the transaction with the Company, that any contracts the Company makes with Illinois restaurants are made in Texas with Illinois restaurants reaching out to the Company, that the Company’s system has no cloud functions, or that the Company does not and has never manufactured a fingerprint scanner.

The Court held that because Plaintiff failed to offer evidence or adequate explanations refuting the Company’s sworn statements, she failed to meet her burden in establishing personal jurisdiction.

Implications For Employers

White serves as a reminder that companies must have sufficient contacts with the state in order for the courts to have personal jurisdiction over them.  In other words, companies with only limited contacts with Illinois will not be subject to personal jurisdiction in courts within Illinois.

White also illustrates the importance of submitting extrinsic materials (e.g., sworn affidavits) in support of showing lack of personal jurisdiction.  Significantly, once the defendant has submitted affidavits or other extrinsic evidence supporting lack of jurisdiction, the plaintiff must go beyond the pleadings and submit affirmative evidence supporting the exercise of jurisdiction.  Moreover, courts can dismiss BIPA class actions for lack of personal jurisdiction based on supporting affidavits – even where the affidavits speak in part to the merits of the case.  See Order & Op. at 8.

Illinois Supreme Court Holds Federal Labor Law Preempts BIPA Claims Asserted By Unionized Employees

By Alex W. Karasik, Tyler Z. Zmick, and Elizabeth C. Mincer

Duane Morris Takeaways:  In the Illinois Supreme Court’s latest ruling in the biometric privacy space, it decided in Walton v. Roosevelt University, 2023 IL 128338 (Ill. Mar. 23, 2023), that claims brought under the Biometric Information Privacy Act (“BIPA”) by bargaining unit employees are preempted by Section 301 of the Labor Management Relations Act (“LMRA”) where an employer invokes a broad management rights provision in a CBA.  This ruling – which is consistent with federal court decisions addressing the issue – is a rare win for defendants facing BIPA class actions.  Employers with unionized workforces may now be able to assert an LMRA preemption defense in seeking dismissal of BIPA claims based on decisions issued by Illinois’s highest state court and the U.S. Court of Appeals for the Seventh Circuit.

Case Background

Plaintiff alleged that when he started working at Roosevelt University in 2018, Roosevelt required him to enroll a scan of his hand geometry onto a biometric timekeeping device as a means of clocking in and out of work.  Plaintiff sued Roosevelt the following year, alleging that the university violated Sections 15(a), 15(b), and 15(d) of the BIPA in connection with Roosevelt’s use of the timekeeping system by (i) failing to develop a written policy made available to the public establishing a retention policy and guidelines for destroying biometric data, (ii) collecting his biometric data without providing him with the requisite notice and obtaining his written consent, and (iii) disclosing his biometric data without consent.

In response to the complaint, Roosevelt moved to dismiss on the basis that Plaintiff’s claims were preempted by Section 301 of the Labor Management Relations Act (“LMRA”).  Specifically, Roosevelt argued that Plaintiff had been a union member while employed by Roosevelt, and the collective bargaining agreement (“CBA”) between Roosevelt and Plaintiff’s union contained a management rights clause broad enough to cover the manner by which union employees clocked in and out of work.  As support, Roosevelt cited the U.S. Court of Appeals for the Seventh Circuit’s decision in Miller v. Southwest Airlines Co., 926 F.3d 898 (7th Cir. 2019), which held that federal labor law preempts BIPA claims when the claims require interpretation or administration of a CBA.

The Cook County Circuit Court rejected Roosevelt’s LMRA preemption argument, finding Miller distinguishable and holding that BIPA claims are “not intertwined with or dependent substantially upon consideration” of terms of a CBA because a person’s rights under the BIPA “exist independently of both employment and any given CBA.”  Id. ¶ 6.  Because the issue presented a close call, however, the Circuit Court certified the following question for interlocutory appeal: “Does Section 301 of the [LMRA] preempt [BIPA] claims asserted by bargaining unit employees covered by a [CBA]?”

The Illinois Appellate Court answered the certified question “yes.”  In doing so, the court noted that the Seventh Circuit had recently come to the same conclusion in a case where “the relevant factual and legal circumstances . . . [were] indistinguishable.”  Id. ¶ 8 (citing Fernandez v. Kerry, Inc., 14 F.4th 644 (7th Cir. 2021)).  The appellate court determined that Fernandez reached the correct conclusion, as the BIPA “contemplates the role of a collective bargaining unit acting as an intermediary on issues concerning an employee’s biometric information.”  Id. ¶ 10 (noting that the BIPA prohibits private entities from collecting biometric information without obtaining consent from the subject or the subject’s legally authorized representative).

The Illinois Supreme Court’s Decision

The Illinois Supreme Court subsequently allowed Plaintiff’s petition for leave to appeal, after which it affirmed the appellate court’s decision.  The Supreme Court observed that the Seventh Circuit had twice held that federal law preempts BIPA claims asserted under similar circumstances, and it noted that when interpreting federal statutes, Illinois courts look to the decisions of the U.S. Supreme Court (“SCOTUS”) and federal circuit and district courts.  It further noted that the SCOTUS’s interpretation of federal law is binding, and that in the absence of SCOTUS precedent, the weight given to federal circuit and district court interpretations of federal law depends on factors such as uniformity of law and the soundness of the decisions.  See id. ¶¶ 23-24 (“[I]f lower federal courts are uniform in their interpretation of a federal statute, this court, in the interest of preserving unity, will give considerable weight to those courts’ interpretations of federal law and find them to be highly persuasive.”).

In comparing Plaintiff’s case to the Seventh Circuit decisions, the Supreme Court acknowledged that the relevant CBA provisions in Plaintiff’s case and in Fernandez both contained similarly broad management rights clauses.  See id. ¶ 31 (noting the CBA between Roosevelt and Plaintiff’s union stated that “[s]ubject to the provisions of this Agreement, the Employer shall have the exclusive right to direct the employees covered by this Agreement” and that “[a]mong the exclusive rights of management . . . are: the right to plan, direct, and control all operations performed in the building [and] to direct the working force”).

In sum, because the Supreme Court did not find Miller and Fernandez to be “without logic and reason,” id., it deferred to the uniform federal case law on the issue and held that when an employer invokes a CBA’s broad management rights clause in response to a BIPA claim brought by a bargaining unit employee, the plaintiff’s BIPA claims are preempted by the LMRA.

Implications For Employers

Like the Seventh Circuit’s decisions in Miller and Fernandez, Walton reflects a rare defendant-friendly development and provides a basis for certain employers to seek dismissal of BIPA claims on LMRA preemption grounds.  The defense applies only to a subset of employers, however, as it can be asserted only by (i) employers with unionized employees who (ii) have entered into a CBA with a union that contains a management rights clause broad enough to cover the manner by which employees clock in and out of work.  Furthermore, unionized employees are not prohibited from seeking redress for alleged BIPA violations – they are simply required to first pursue those claims through the grievance procedures in their CBAs rather than in state or federal court.

Moreover, the National Labor Relations Board (“NLRB”) – the agency that enforces the National Labor Relations Act (“NLRA”) – has indicated that it intends to reshape current law regarding employee privacy and management rights provisions. If such changes take effect, they could reshape how courts assess federal labor law preemption in future BIPA cases.

The Walton ruling highlights the importance of carefully negotiating and drafting CBA provisions, particularly with respect to management rights.  Employers in states with strict privacy laws (like the BIPA) should consider contract language that specifically provides management with the right to use and store certain biometric data and/or implement other new technologies.

Introducing The Duane Morris Privacy Class Action Review – 2023

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Takeaways: The last year saw a virtual explosion in privacy class action litigation. As a result, compliance with privacy laws in the myriad of ways that companies interact with employees, customers, and third parties is a corporate imperative. To that end, the class action team at Duane Morris is pleased to present the inaugural edition of the Privacy Class Action Review – 2023. This new publication analyzes the key privacy-related rulings and developments in 2022 and the significant legal decisions and trends impacting privacy class action litigation for 2023. We hope that companies and employers will benefit from this resource in their compliance with these evolving laws and standards.

Click here to download a copy of the Privacy Class Action Review – 2023 eBook.

Co-Editor of the Review Jerry Maatman provided insights on our new publication earlier this week to the Wall Street Journal in its article on privacy class action litigation, which can be found here: Biometric-Privacy Rulings in Illinois Expand Potential Liability for Tech Firms – WSJ

Duane Morris partners Jerry Maatman, Jennifer Riley, and Alex Karasik also recently recorded the first edition of “The Class Action Weekly Wire,” our new podcast series, in which contributors to our Duane Morris Class Action Review discuss the significant rulings and legislation in various areas of law. To add context to our new publication, last Friday’s edition discussed recent developments in privacy class action litigation. Click here to watch and listen to the podcast!

Illinois Supreme Court Holds Each Fingerprint Scan Is A Separate BIPA Violation – Thereby Creating The Potential For Increased Damages In Privacy Class Actions

By Gerald L. Maatman, Jr., Alex W. Karasik, Tyler Z. Zmick, and Jennifer A. Riley

Duane Morris Takeaways:  In the latest ruling in Illinois in the biometric privacy class action space, the Illinois Supreme Court decided today in Cothron v. White Castle, 2023 IL 128004 (Ill. Feb. 17, 2023), that a separate claim for damages accrues under the Biometric Information Privacy Act (“BIPA”) each time a private entity scans or transmits an individual’s biometric identifier or information, in violation of section 15(b) or 15(d).

This ruling could exponentially increase monetary damages in class actions brought under the BIPA, especially in the employment context, where employees scan in and out of work multiple times per day for several hundred days per year.

Case Background

Plaintiff alleged that after she started working at White Castle in 2004, the company required her to use a fingerprint-based system to access the workplace computer she used in her position as a manager.  Plaintiff sued White Castle several years later in 2018, alleging that the company violated Sections 15(b) and 15(d) of the BIPA in connection with the fingerprint-based system by (i) collecting her biometric data without providing her with the requisite notice and obtaining her written consent, and (ii) disclosing her biometric data without consent.

After removing the complaint to the U.S. District Court for the Northern District of Illinois, White Castle moved for judgment on the pleadings on the basis that Plaintiff’s claims were untimely.  Specifically, White Castle argued that Plaintiff’s BIPA claims accrued in 2008 (when her first fingerprint scan occurred after the BIPA took effect), yet she did not file her complaint until 2018.  The District Court rejected White Castle’s one-time-only theory of claim accrual, holding that the lawsuit was timely because each separate unauthorized fingerprint scan constituted an independent violation of the statute, meaning Plaintiff’s BIPA claims were timely because her last fingerprint scan occurred within five years of the filing of her complaint.  Because the issue presented a close call, however, the District Court permitted White Castle to file an interlocutory appeal with the Seventh Circuit regarding whether Section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits a scan to a third party, respectively, or only upon the first scan and first transmission.

The U.S. Court of Appeals for the Seventh Circuit accepted the interlocutory appeal. Id. ¶ 9. After determining that Plaintiff had standing to bring her action in federal court under Article III of the U.S. Constitution, the Seventh Circuit addressed the parties’ respective arguments on the accrual of a claim under the Act.  Id.  Ultimately, the Seventh Circuit found the parties’ competing interpretations of claim accrual reasonable under Illinois law, and it agreed with Plaintiff that “the novelty and uncertainty of the claim-accrual question” warranted certification of the question to the Illinois Supreme Court.  Id. at 1165-66.  The Seventh Circuit “observed that the answer to the claim-accrual question would determine the outcome of the parties’ dispute, this court could potentially side with either party on the question, the question was likely to recur, and it involved a unique Illinois statute regularly applied by federal courts.”  Id..

The Illinois Supreme Court’s Decision

In a 4-3 split ruling, the Illinois Supreme Court held today that that a separate claim accrues under the BIPA each time a private entity scans or transmits an individual’s biometric identifier or information, in violation of section 15(b) or 15(d).  First, the Illinois Supreme Court analyzed the certified question with respect to Section 15(b), which provides that no private entity “may collect, capture, purchase, receive through trade, or otherwise obtain” a person’s biometric data unless it first provides notice and receives written consent.  740 ILCS 14/15(b).  Relying on the plain language of the statute and the fact that the actions of “collecting” and “capturing” biometric data can occur more than once, the Supreme Court agreed with Plaintiff’s interpretation – namely, that Section 15(b) “applies to every instance when a private entity collects biometric information without prior consent.”  Id. ¶¶ 19, 23.  As interpreted in the context of the facts of the case, the Supreme Court further observed that White Castle obtains an employee’s fingerprint, stores it in its database, and then compares the fingerprint taken during subsequent scans to verify the identity of the employee.  In the Supreme Court’s words, White Castle “fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub.”  Id. ¶ 23.  Accordingly,  consistent with the District Court’s decision in Cothron and the Illinois Appellate Court’s conclusion in Watson, 2021 IL App (1st) 210279, ¶ 46, the Illinois Supreme Court held that an entity violates Section 15(b) the first time it collects biometric data without having provided the requisite notice and obtaining consent, in addition to “each subsequent scan or collection.”  Id. ¶ 24.

Next, closely tracking its analysis of Section 15(b), the Supreme Court similarly held that BIPA Section 15(d) – which prohibits the disclosure, redisclosure, or dissemination of biometric data without consent – “applies to every transmission to a third party.”  Id. ¶ 28. Like the verbs “collect” and “capture” in Section 15(b), the acts of disclosing and redisclosing biometric data occur upon the initial disclosure in addition to any subsequent disclosure or redisclosure of the data.  See id. ¶ 29 (“A fingerprint scan system requires a person to expose his or her fingerprint to the system so that the print may be compared with the stored copy, and this happens each time a person uses the system.”).

The majority opinion also rejected White Castle’s remaining “nontextual” arguments supporting its single-accrual interpretation.  White Castle argued that a BIPA claim accrued only upon the initial collection or disclosure of a person’s biometric data because an individual loses the right to control his or her biometric data as soon as the data is collected and/or disclosed.  In rejecting the argument, the Supreme Court again relied on the statute’s plain language, stating: “[n]o such limitation appears in the statute.  We cannot rewrite a statute to create new elements or limitations not included by the legislature.”  Id. ¶ 39.

Next, the Supreme Court turned to White Castle’s argument that in light of the BIPA’s liquidated damages provision, interpreting the statute to mean an entity violates Sections 15(b) and 15(d) every time it collects or discloses biometric data means “a party may recover for “each violation,” allowing multiple or repeated accruals of claims by one individual could potentially result in punitive and “astronomical” damage awards that would constitute “annihilative liability” not contemplated by the legislature and possibly be unconstitutional.”  Id. ¶ 41.  For example, White Castle estimated that if Plaintiff was successful and allowed to bring her claims on behalf of as many as 9,500 current and former White Castle employees, classwide damages in her action may exceed $17 billion.  Once again, the Supreme Court rejected White Castle’s argument because the statutory language is clear and supports plaintiff’s position.  See id. ¶ 40 (“As the district court observed, this court has repeatedly held that, where statutory language is clear, it must be given effect, “ ‘even though the consequences may be harsh, unjust, absurd or unwise.’ ” (Emphasis omitted.) Cothron, 477 F. Supp. 3d at 734 (quoting Peterson v. Wallach, 198 Ill. 2d 439, 447 (2002)).”).

Importantly, however, the Supreme Court acknowledged that trial courts could exercise their discretion to reduce the amount of statutory damages that plaintiffs can recover. Id. ¶ 42.  In closing, the Supreme Court reiterated the position that White Castle’s “policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature,” and it “suggest[ed] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.”  Id. ¶ 43.  Accordingly, the Illinois Supreme Court concluded that the plain language of section 15(b) and 15(d) shows that a claim accrues under the BIPA with every scan or transmission of biometric identifiers or biometric information without prior informed consent.

The Dissent

Notably, three Illinois Supreme Court Justices, inclusive Chief Justice Theis, joined the Dissenting Opinion.  Of note, the Dissent opined that two significant consequences militate against the majority’s construction.  Id. ¶ 60.  First, under the majority’s rule, plaintiffs would be incentivized to delay bringing their claims as long as possible, since “If every scan is a separate, actionable violation, qualifying for an award of liquidated damages, then it is in a plaintiff’s interest to delay bringing suit as long as possible to keep racking up damages.”  Id.  Second, the Dissent noted that, “the majority’s construction of the Act could easily lead to annihilative liability for businesses.”  Id. at ¶ 61.

In sum, the Dissent commented that, “Imposing punitive, crippling liability on businesses could not have been a goal of the Act, nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm.  Id. ¶ 63.  To this point, the Dissent opined that, “nothing in the Act indicating that the legislature intended to impose cumbersome requirements or punitive, crippling liability on corporations for multiple authentication scans of the same biometric identifier. The legislature’s intent was to ensure the safe use of biometric information, not to discourage its use altogether.”

Implications For Employers

Following the Illinois Supreme Court’s similar pro-plaintiff ruling in Tims v. Black Horse Carriers, 2023 IL 127801 (Ill. Feb. 2, 2023), which applied a five-year statute of limitations to the BIPA instead of a one-year statute of limitations, the well is beginning to dry for businesses in terms of potential BIPA class action defenses. While employers can still explore novel exemptions, such as information captured from a patient in a health care setting, most companies caught in the crosshairs of BIPA class actions will be facing monumental amounts of potential damages.

Businesses confronted with BIPA class actions may need to explore alternative potential defenses, such as the constitutionality of the overbearing damages thresholds.  Companies will also likely push for legislative changes.  Nonetheless, given the bleak outlook of the law as it stands, it is imperative for businesses to immediately ensure they are compliant with the BIPA.

Dior Dismissed From Illinois BIPA Class Action Lawsuit Challenging Virtual Try-On Technology

By Kelly A. Bonner, Alex W. Karasik, Gerald L. Maatman, Jr., and Jennifer A. Riley

Duane Morris TakeawaysIn a significant win for fashion and beauty retailers in the privacy class action space, in Warmack-Stillwell v. Christian Dior Inc., No. 1:22-CV-04633, 2023 U.S. Dist. LEXIS 22926 (N.D. Ill. Feb. 10, 2023), an Illinois federal court held that an exemption to the Illinois Biometric Information Privacy Act (“BIPA”) for data captured from a patient in a health care setting barred proposed class action claims alleging that luxury giant Christian Dior Inc.’s (“Dior”) virtual try-on tool (“VTOT”) violated the BIPA.

Businesses in Illinois, particularly online fashion and beauty retailers, can use this ruling to attack BIPA claims involving VTOT technology.

Case Background

As discussed in our previous publications, lawsuits involving BIPA claims and eyewear have been dismissed under one of BIPA’s statutory exemptions, which in relevant part excludes from its definitions of biometric identifiers and biometric information: (1) information captured from a patient in a health care setting; or (2) information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996, including prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses.

Plaintiff alleged that Dior maintained a VTOT feature on its website that collected users’ facial geometry data without first obtaining written consent or informing users of the purpose and length of time that their data was being collected in violation of Section 15(b) of BIPA. Plaintiff also alleged that Dior failed to provide a publicly available data retention and destruction schedule, as required by Section 15(a) of BIPA.

Dior moved to dismiss Plaintiff’s complaint on the basis that the BIPA’s health care exemption applied to non-prescription sunglasses, such as the ones sold by Dior and which the plaintiff alleged that she tried on with the VTOT technology, and thus precluded Plaintiff’s claims.

Plaintiff countered that the sunglasses were fashion accessories; Dior’s website was not a health care setting; and Dior’s consumers were not patients. Plaintiff also sought to distinguish prior decisions applying the BIPA’s health care exemption as focusing on the VTOT technology being used for prescription glasses, akin to optometrist fittings, and not in connection with the purchase of luxury sunglasses.  Id. at *8.

The Court’s Decision

The Court granted Dior’s motion to dismiss under Rule 12(b)(6).  First, the Court explained that Plaintiff qualified as a “patient in a health care setting” under the dictionary definition of the term “patient,” and that Dior’s VTOT feature “facilitates the provision of a medical device that protects vision.” Id. at *8.  Similarly, the Court held that use of the VTOT technology constituted “health care,” which the dictionary defined as “efforts made to maintain or restore physical, mental, or emotional well-being especially by trained and licensed professionals.”  Id. at *9.

In addition, the Court reasoned that the relevant test was “not a user’s subjective understanding, but rather an objective application of the text of the exemption.” Id. at *8-9.  The Court opined that the outcome of the analysis should not change if a consumer uses the VTOT in search of primarily stylish sunglasses rather than protective ones.

Plaintiff attempted to distinguish Dior’s website from a “health care setting” by arguing that “[a]n artist prepping a canvas is not providing a health care service if they use a scalpel instead of an Xacto knife.”  Id. at *9.  As to that point, the Court concluded that the VTOT feature facilitated the purchase of sunglasses to wear on one’s face and protect one’s eyes, thus performing the product’s intended medical function rather than an unconventional purpose.

Similarly, the Court rejected Plaintiff’s attempts to analogize her case to BIPA suits against blood plasma centers, in which courts rejected application of the health care exemption.  Even if the cases applied the same definitions of “health care” and “patient,” the Court concluded that the removal of plasma for commercial purposes is not “health care because the purpose — at least from the plasma donors’ perspectives — was not to ‘maintain or restore physical, mental or emotional well-being’; it was to get paid.”  Id. at *11.

Finally, the Court notably denied Dior’s motion to dismiss under Rule 12(b)(1), rejecting Dior’s argument that Plaintiff failed to allege an injury-in-fact sufficient for Article III standing. The Court concluded that Plaintiff sufficiently alleged an injury-in-fact under Section 15(a) “because “unlawful retention of a person’s biometric data is as concrete and particularized an injury as an unlawful collection of a person’s biometric data.”   Id. at *11.

Accordingly, the Court granted Dior’s motion to dismiss on Rule 12(b)(6) grounds, but rejected Dior’s Article III standing argument and denied its motion based on Rule 12(b)(1).

Implications for Retailers

The Court’s decision in Warmack is a solid victory for fashion and apparel retailers, and indicates that courts are willing to expand the BIPA’s healthcare exemption to more retail-oriented environments, and adopt a plain reading of the statue rather than seeking to discern legislative intent. This ruling could have significant implications for personal care products retailers, especially those who utilize VTOT features to assess skin complaints such as aging, hyperpigmentation, and recommend treatments, and whether those defenses will draw regulatory scrutiny for purposed “drug” claims.

In the meantime, retailers should stay abreast of biometric data privacy laws in Illinois and beyond, and ensure that their privacy policies stay current with evolving nationwide legislation.

Trend # 6 – Privacy Class Actions Became An Intense Focus Of The Plaintiffs’ Class Action Bar

By Gerald L. Maatman, Jr. and Jennifer Riley

Duane Morris Takeaway: Privacy litigation – in a multitude of forms and theories – revealed itself as the hottest area of growth in terms of activity by the plaintiffs’ class action bar in 2022. The new year started off with a huge privacy ruling from the Illinois Supreme Court in Tims, et al. v. Black Horse Carriers, Case No. 127801 (Ill. Feb. 2, 2023), in which it held that a five-year statute of limitations applies to BIPA claims.

The Illinois Biometric Privacy Act Continued To Drive Lawsuits

In 2022, the plaintiffs’ class action bar continued to focus on businesses and vendors utilizing biometric technology and filed numerous class action lawsuits based on the Illinois Biometric Information Privacy Act, 740 ILCS 14/15 (BIPA).

Enacted in 2008, the BIPA regulates the collection, use, and handling of biometric identifiers and information by private entities. Subject to limited exceptions, the BIPA generally prohibits the collection or use of an individual’s biometric identifiers and biometric information without notice, written consent, and a publicly-available retention and destruction schedule.

Although Texas and Washington have implemented similar biometric protections, the BIPA provides for a private cause of action with aggressive statutory penalties allowing for $1,000 per violation and $5,000 per intentional or reckless violation. Because of this damages provision, the plaintiffs’ bar files almost all BIPA lawsuits as class actions. Plaintiffs have focused more than one-third of BIPA cases on fingerprinting and have focused roughly a quarter on facial recognition surveillance.

The most noteworthy BIPA case of the year was Rogers, et al. v. BNSF Railway Co., Case No. 19-CV-3083 (N.D. Ill.), the first federal jury trial in a case brought under the BIPA. After a week-long trial in the U.S. District Court for the Northern District of Illinois, a jury found that BNSF recklessly or intentionally violated the law 45,600 times and entered a verdict in favor of the class of 45,000 workers. The court thereafter awarded damages against BNSF of $228 million. BNSF subsequently filed a motion for a new trial arguing that none of the 45,000 class members suffered any actual harm and raising constitutional concerns about the BIPA. That motion remains pending for decision, and is almost sure to result in an appeal in 2023.

As BIPA class actions proliferate and businesses struggle to defeat such claims, the Illinois Supreme Court in early 2023 clarified the scope of the statute of limitations applicable to the BIPA in Tims, et al. v. Black Horse Carriers, Case No. 127801 (Ill. Feb. 2, 2023). The Illinois Supreme Court held that a five-year statute of limitations applies to claims under the BIPA. This ruling adds to the risks for employers and companies who do business in Illinois in terms of BIPA class action exposures. Given that the BIPA statute does not have an explicit statute of limitations, the Illinois Supreme Court’s ruling now provides clarity for litigants and attorneys in this space as to the scope of the putative classes in their lawsuits.

If employers have not already done so, now is time to make sure their timekeeping procedures and consent policies are legally compliant. The Tims ruling is apt to increase the plaintiff class action bar’s appetite for BIPA claims, so it is more important than ever for employers to make sure their procedures are legally sound

The Illinois Supreme Court is also due to issue its decision in Cothron v. White Castle System, Inc., No. 1280004 (Ill.), which will decide whether each fingerprint scan is its own discrete violation.  An adverse finding in Cothron could enhance BIPA class action exposures. In Cothron, et al. v. White Castle Systems, 2021 U.S. App. LEXIS 37593 (7th Cir. Dec. 20, 2021), the Seventh Circuit asked the Illinois Supreme Court to provide much-needed clarification on the accrual of BIPA violations, specifically whether certain BIPA claims accrue only once upon the initial collection or disclosure of biometric information or whether a claim accrues each time a company collects or discloses biometric information.

The Illinois Supreme Court likely will rule on these key BIPA matters in the early part of 2023 and the statute will continue to drive class action litigation. Its technical requirements, combined with stiff statutory penalties and fee-shifting, provide a recipe for attention from the plaintiff’s class action bar, and companies’ continued development and use of innovative technologies are apt to provide a veritable barrel of opportunity.

Class Action Suits Alleging Wiretapping Violations

A new wave of class action lawsuits filed in California, Florida, Massachusetts, and Pennsylvania targeted companies that use technologies to track user activity on their websites, based on the theory that such practices violate electronic interception provisions of various state laws when done without consent.

The plaintiffs’ bar grounded these claims in the electronic interception provisions of various state laws. Wiretap statutes like the California Invasion of Privacy Act, the Pennsylvania Wiretapping and Electronic Surveillance Act, and the Florida Security of Communications Act generally prohibit the unauthorized interception or disclosure of communications transmitted electronically.

The plaintiffs’ bar targeted technologies that track a user’s interactions with the website (e.g., clicking, scrolling, swiping, hovering and typing) and create a recording of those interactions and inputs – known as session replay software. They also attacked coding tools that create and store transcripts of conversations with users in a website’s chat feature. The plaintiffs in this new string of class actions allege that recording their interactions with a website and sending that recording to a third party for analysis without their consent is an illegal invasion of their privacy.

Recent decisions from the Ninth and Third Circuits fueled the swell of lawsuits alleging violations of these wiretap statutes. In May 2022, in Javier, et al. v. Assurance IQ, LLC, 2022 U.S. App. LEXIS 14951 (9th Cir. May 31, 2022), the Ninth Circuit held that the California Invasion of Privacy Act requires prior consent and explicitly rejected the argument that this wiretap statute allows a business to obtain consent to the use of session replay software after the recording already has begun. The Ninth Circuit, however, did not comment on what would amount to effective consent to the use of session reply software under the wiretap statute.

A few months later, the Third Circuit in Popa, et al. v. Harriet Carter Gifts, 2022 U.S. App. LEXIS 22707 (3d Cir. Aug. 16, 2022), ruled that an electronic interception violating the Pennsylvania Wiretapping and Electronic Surveillance Act occurred when the plaintiff visited a website to purchase a product and her interactions on that site were recorded and transmitted to a third-party marketing firm.

The Third Circuit concluded that the location of the interception was plaintiff’s browser, and it rejected the defendants’ argument that the wiretap statute did not apply because the third-party marketing firm’s servers – where the information was sent – were located in Virginia. If other circuits follow the Third Circuit’s approach, it could subject companies to liability under a state wiretap statute each time a user accesses its website from that state.

In each of the three lawsuits brought thus far in Pennsylvania, the class consisted of allegedly more than 5,000 individuals. This new wave of lawsuits alleging wiretap violations threatens to subject businesses to a substantial amount in penalties, including fines ranging from $1,000 to $50,000 per violation, depending on the state. If a violation occurs every time a user accesses a website in one of these states, the amount of penalties to which a company may be subject can balloon quickly.

More State Legislation Created And Expanded Data Privacy Rights

While Congress has refrained from addressing data privacy through federal legislation, many states have enacted their own laws, and 2022 saw significant state legislative activity regarding data privacy with five states preparing for new privacy laws to take effect in 2023, including California, Colorado, Connecticut, Utah, and Virginia.

On the heels of California’s enactment of the California Consumer Privacy Act (CCPA) in 2020, California businesses will need to comply with all requirements of the California Privacy Rights Act (CPRA) effective January 1, 2023. The CPRA expands the current CCPA private right of action by authorizing consumers to bring lawsuits arising from data breaches involving additional categories of personal information and is arguably the strictest data privacy law in the United States, which places California privacy law closer, in many respects, to Europe’s GDPR. With potential statutory damages ranging from $100 to $750 per consumer per incident, and breaches often involving hundreds of thousands or even millions of users, these types of claims will almost certainly lead to a sharp rise in class action litigation.

Virginia, Colorado, Connecticut, and Utah likewise enacted sweeping data privacy laws that will roll out in 2023. These laws are all similar in structure, but unlike California’s statute, which allows an individual to sue a company for alleged violations, enforcement will be left to the respective state attorneys general. Each of these laws provides for expanded consumer rights related to their data, including: (i) Right of access (i.e., allows for a consumer to access from a business/data controller the information or categories of information collected about a consumer); (ii) Right of deletion (i.e., right for a consumer to request deletion of personal information about the consumer under certain conditions; (iii) Right to opt-out (i.e., allows for a consumer to opt out of the sale of personal information about the consumer to third parties); (iv) Right of portability (allows for a consumer to request personal information about the consumer be disclosed in a common file format); and (v) Notice and transparency requirements (i.e., an obligation placed on a business to provide notice to consumers about certain data practices, privacy operations, and/or privacy programs).

The approach each state attorney general takes regarding enforcement of these new laws will provide lessons for other states looking to regulate consumer privacy in the absence of a federal standard and almost certainly will be closely monitored by the plaintiffs’ bar, as it attempts to draw from favorable rulings and to anticipate which state will enact the next plaintiff-friendly data privacy laws. 28 U.S.C. §1292(b), Rule 23(f) does not require the district court to certify an issue for appeal. Moreover, Rule 23(f) does not include the potentially limiting requirements of Section 1292(b), under which the district court can certify an issue for appeal only where an order “involve[s] a controlling question of law as to which there is substantial ground for difference of opinion” and where “an immediate appeal from the order may materially advance the ultimate termination of the litigation.”

Finally, class action litigants can appeal final orders issued by the district court under 28 U.S.C. § 1291, which states that “courts of appeals (other than the United States Court of Appeals for the Federal Circuit) shall have jurisdiction of appeals from all final decisions of the district courts of the United States.”

Illinois Supreme Court Holds Five-Year Statute Of Limitations Applies To The BIPA

By Alex W. Karasik, Gerald L. Maatman, Jr., and Jennifer A. Riley

Duane Morris Takeaways:  In one of the most highly anticipated class action rulings in years, in Tims, et al. v. Black Horse Carriers, Inc., Case No. 127801 (Ill. Feb. 2, 2023), the Illinois Supreme Court held that a five-year statute of limitations applies to claims under the Biometric Information Privacy Act, 740 ILCS 14/15 (“the BIPA”).  This ruling adds to the risks for employers and companies who do business in Illinois in terms of BIPA class action exposures.

Given that the BIPA statute does not have an explicit statute of limitations, the Illinois Supreme Court’s ruling now provides clarity for litigants and attorneys in this space as to the scope of the putative classes in their lawsuits.

Case Background

In March 2019, Plaintiff filed a class action complaint alleging that Defendant violated the BIPA through its timekeeping practices that involved the scanning and storing of employees’ fingerprints.  Plaintiff asserted claims under three sub-sections of the law, including: (1) section 15(a) of the BIPA, for failing to institute, maintain, and adhere to a retention schedule for biometric data; (2) section 15(b) of the BIPA, which states that no private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information without notice and consent; and (3) section 15(d) of the BIPA, which involves the unlawful disclosure or dissemination of biometric data without first obtaining consent.  Of note, section 15(c) of the BIPA prohibit the sale of a person’s biometric data for a profit, and section 15(e) of the BIPA imposes a duty of reasonable care in storing and protecting biometric data from disclosure.

On September 17, 2021, the Illinois Appellate Court held that hat a one-year limitations period pursuant to section 13-201 of the Illinois Code of Civil Procedure (the “Code”) governs actions under sections 15(c) and (d) of the BIPA, while a five-year statute of limitations pursuant to section 13-205 applies to sections 15(a), (b), and (e).  The Illinois Appellate Court explained that the BIPA imposes various duties that are separate and distinct from one another.  While each of the duties set forth under sections (a)-(e) “concern privacy,” the Appellate Court reasoned that a private entity could violate sections (a), (b), or (e) “without having to allege or prove that the defendant . . . published or disclosed any biometric data.” Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, at ¶ 31 (1st Dist. Sept. 17, 2021)However, the “publication or disclosure of biometric data is clearly an element of an action under” sections 15(c) and (d). Id. at ¶ 32.  Accordingly, the Illinois Appellate Court applied the state’s one-year statute of limitations for right of privacy claims for sections (c) and (d), and applied the five-year “catch all” statute of limitations for sections (a), (b), and (e).

The Illinois Supreme Court’s Decision

On February 2, 2023, the Illinois Supreme Court affirmed in part and reversed in part the Illinois Appellate Court’s decision.  First, the Illinois Supreme Court notably opined that it, “agree[d] with the parties that the [A]ppellate [C]ourt erred in applying two different statutes of limitations to the Act.”  Tims, 2023 IL 127801, at ¶ 16.  It explained that one of the purposes of a limitations period is to reduce uncertainty and create finality and predictability in the administration of justice.  Id. at ¶ 20 (citations omitted).  The Illinois Supreme Court thus held that, “applying two different limitations periods or timebar standards to different subsections of section 15 of the Act would create an unclear, inconvenient, inconsistent, and potentially unworkable regime as it pertains to the administration of justice for claims under the Act.”  Id. at ¶ 21.

Having decided that a singular uniform statute of limitations should apply, the Illinois Supreme Court next analyzed whether the statute of limitations should be five years or one year.  Analyzing the plain language of the BIPA statute, the Illinois Supreme Court held that all five subsections of section 15 of the Act prescribe rules to regulate the collection, retention, disclosure, and destruction of biometric identifiers and biometric information.  Id. at ¶ 29.  In regards to the Illinois Appellate Court’s holding that section 15(a), 15(b), and 15(e) of the Act contained no words that could be defined as involving “publication,” the Illinois Supreme Court held that the Illinois Appellate Court correctly found that subsections (a), (b), and (e) are subject to the five-year “catchall” limitations period codified in section 13-205 of the Code. Id. at ¶ 30.

Turning to subsections (c) and (d), the Illinois Supreme Court acknowledged that the one-year statute of limitations could be applied.  Id. at ¶ 32.   However, the Illinois Supreme Court held that, “when we consider not just the plain language of section 15 but also the intent of the legislature, the purposes to be achieved by the statute, and the fact that there is no limitations period in the Act, we find that it would be best to apply the five-year catchall limitations period codified in section 13-205.  Id. at ¶ 30.  The Illinois Supreme Court explained that this outcome would further its goal of ensuring certainty and predictability in the administration of limitations periods that apply to causes of actions under the BIPA.  Id. at ¶ 32.  In support of its conclusion, the Illinois Supreme Court held that Illinois courts have routinely applied this five-year catchall limitations period to other statutes lacking a specific limitations period, such as the BIPA.  Id. at ¶ 34.

Finally, the Illinois Supreme Court examined the Illinois General Assembly’s goals in enacting the BIPA statute.  The Illinois Supreme Court opined that in light of the extensive consideration the General Assembly gave to the fears of and risks to the public surrounding the disclosure of highly sensitive biometric information, “it would thwart legislative intent to (1) shorten the amount of time an aggrieved party would have to seek redress for a private entity’s noncompliance with the Act and (2) shorten the amount of time a private entity would be held liable for noncompliance with the Act.”  Id. at ¶ 39. The opinion also noted that defamation torts such as libel and slander are subject to a short limitations period because aggrieved individuals are expected to quickly become apprised of the injury and act quickly when their reputation has been publicly compromised, while it would be uncertain as to whether an individual would ever become aware of their biometric being improperly disclosed or misappropriated.  Id.

The Illinois Supreme Court concluded its opinion by holding that the five-year limitations period contained in section 13-205 of the Code controls claims under the BIPA.  Therefore, the Illinois Supreme Court affirmed in part and reversed in part the judgment of the Appellate Court, and remanded the cause to the Circuit Court for further proceedings.

Implications For Employers

This decision is unsurprising given the public policy behind the law and the growing importance of privacy.  The five-year statute of limitations serves to increase BIPA class action litigation exposure.

Companies can expect more BIPA-related rulings in the near term. The Illinois Supreme Court is due to issue its decision in Cothron v. White Castle System, Inc., No. 1280004 (Ill.), which will decide whether each fingerprint scan is its own discrete violation.  An adverse finding in Cothron could enhance BIPA class action exposures.

If employers have not already done so, now is time to make sure their timekeeping procedures and consent policies are legally compliant. The Tims ruling is apt to increase the plaintiff class action bar’s appetite for BIPA claims, so it is more important than ever for employers to make sure their procedures are legally sound.

Illinois Appellate Court Affirms Dismissal Of BIPA Class Action Lawsuit

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Takeaways:  In Barnett v. Apple Inc., Case No. 1-22-0187, 2022 Ill. App. LEXIS 556 (Ill. App. 1st Dist. Dec. 23, 2022), after a trial court dismissed a biometric privacy class action lawsuit involving the use of facial and fingerprint recognition features, the Illinois Appellate Court affirmed the dismissal order. In an important decision defining the parameters of liability under the Illinois Biometric Information Privacy Act (“BIPA”), the Illinois Appellate Court held that the users of the technology themselves were responsible for possessing, capturing, and collecting their biometric data

For businesses that are confronted with biometric privacy class action allegations in the context of recognition software, this monumental victory for Apple provides an excellent roadmap to attack such claims at the pleading stage.

Case Background

Plaintiffs alleged that Apple violated the Biometric Information Privacy Act, 740 ILCS 14/1 et seq., by offering users of its phones and computers the option of utilizing face and fingerprint recognition features without first instituting a written policy regarding the retention and destruction of the users’ biometric information; and without first obtaining the users’ written consent.  Id. at *1-2.  Plaintiffs claimed Apple was “in possession of,” “collected,” and “captured,” the users’ biometric information, since Apple designed, owned, and had the ability to remotely update the software.  Id. at *2.

On January 3, 2022, the trial court granted Apple’s motion to dismiss.  Id. at *9.  First, the trial court held that Plaintiffs failed to allege that their biometric information was sent to Apple’s servers or any third party server.  Rather, Plaintiffs expressly alleged that the information was stored locally on Plaintiffs’ own devices.  Second, the trial court held that Plaintiffs did not allege that Apple stored any of Plaintiffs’ biometric data in Apple databases.  Third, the trial court held that it was clear Plaintiffs voluntarily chose to use Face ID and Touch ID features, and could delete their biometric information from their devices if they chose.  On February 2, 2022, Plaintiffs filed a timely notice of appeal.  Id. at *11.

The Illinois Appellate Court’s Decision

The Illinois Appellate Court affirmed the trial court’s dismissal of Plaintiffs’ complaint.  Addressing the issue of “possession,” the Appellate Court explained that the term was not defined in the BIPA statute. Id. at *16.  Plaintiffs argued that Apple ‘possesse[d]” their information because Apple software collected and analyzed their information.  Id. at *17.  Rejecting Plaintiffs’ argument, the Appellate Court opined that based on the facts alleged by Plaintiffs, it seemed as though Apple designed these features with the express purpose of handing control to the user.  Id. at *17-18.  The Appellate Court also noted that these features were completely elective, explaining that the user must undertake a series of affirmative steps in order to use them.  Id.  Finally, the Appellate Court found that Plaintiffs’ arguments were not persuasive since Plaintiffs alleged that the information is stored on the users’ own individual devices, and that users may delete the information and disable the features at their convenience. Accordingly, the Appellate Court held that Plaintiffs failed to properly allege that Apple possessed their biometric information.

Turning to the issue of whether Apple collected and captured Plaintiffs’ biometric information, the Appellate Court explained that these terms were also not defined in the BIPA statute.  Id. at *20.  In support of their proposed definitions, Plaintiffs cited a BIPA class action in the employment context, where the employee plaintiff was required to use the biometric scanner or lose her  job.  Id. at *22-23 (citations omitted).  Rejecting Plaintiffs’ argument, the Court noted that the biometric features in this care were wholly optional, the information was stored exclusively on Plaintiffs’ devices, and Plaintiffs could delete the information at will.  Further, the Court noted that Plaintiffs specifically alleged that the information is stored only on their devices.  Accordingly, the Appellate Court held that Plaintiffs failed to properly allege that Apple captured and collected their biometric information.

In conclusion, the Appellate Court summarized its findings as follows:  “[P]laintiffs do not dispute that the user’s biometric information is stored on the user’s own device; that Apple does not collect or store this information on a separate server or device; that these features are completely optional; that the user is the sole entity deciding whether or not to use these features; that, to enable the features, the user employs his or her own device to capture and collect his or her own biometric information on that device; that, to utilize these features, the user must undertake a number of steps, which are all documented in photos in plaintiffs’ complaint; and that the user has the power to delete this biometric information from the device, at any time, without negatively impacting the device.”  Id. at *22-23.  Accordingly, the Appellate Court affirmed the trial court’s dismissal of Plaintiffs’ BIPA class action.

Implications For Employers

Facial recognition technology is rapidly becoming more prevalent in both the employment and consumer contexts.  This decision underscores the importance of carefully analyzing the allegations in biometric privacy class action pleadings.  In situations where users maintain control over their own biometric data, this may be a helpful decision to seek an early exit from the lawsuit.  Finally, Apple’s victory further provides some optimism for companies defending biometric privacy class actions, as the recent tide of key decisions has largely been adverse to defendants.

Federal Court In New York Rejects Louis Vuitton’s Motion To Dismiss BIPA Suit Over Virtual Try-On Tool

By Kelly Bonner, Gerald L. Maatman, Jr., and Gregory Tsonis

Duane Morris Takeaway – In another blow to retailers utilizing virtual try-on technology to enhance shopping experiences this holiday season, Judge Denise Cote for the U.S. District Court for the Southern District of New York recently denied in part Defendant Louis Vuitton North America, Inc.’s motion to dismiss proposed class action claims that its “Virtual Try-On” tool violated the Illinois Biometric Information Privacy Act (“BIPA”).  In Theriot v. Louis Vuitton North America, Inc., Case No. 1:22 Civ. 02944, the Court rejected Defendant’s extraterritoriality argument, as well as claims that a third party not named in the lawsuit operated the “Virtual Try-On” tool and collected users’ biometric data.  However, the Court dismissed Plaintiffs’ Section 15(a) claim that Defendant failed to develop and make publicly available a written policy for retaining and destroying biometric data on the grounds that Plaintiffs lacked Article III standing.  The Court’s ruling in Theriot illustrates the continued risk for retailers from biometric data privacy lawsuits invoking the BIPA.

Case Background

Louis Vuitton North America (“Defendant”), a subsidiary of French luxury conglomerate LVMH, operates a website that features a “Virtual Try-On” tool, which allows users to visualize themselves in a particular pair of eyeglasses.  Id. at 2.  When a user clicks on the words, “Try On”, the tool automatically activates the user’s computer or phone camera to depict a live image of that user “wearing” the selected glasses in real-time, or allows the user to upload a photograph of his or her face.  Id. at 2-3.  While the tool is featured on Defendant’s website, it is operated by an application created by a third-party company, which was not named in this case, and incorporates that company’s proprietary technology to collect and process a user’s facial geometry.  Id. at 3.

Plaintiffs, residents of Illinois, alleged that Defendant violated Section 15(b) of the BIPA by capturing users’ facial geometry without informing them how that data is collected, used, or retained.  Plaintiffs also alleged that Defendant lacked a publicly-available written policy establishing how long such data is retained and when it is destroyed, in alleged violation of Section 15(a) of the BIPA.  Plaintiffs filed a putative class action lawsuit against Defendant, alleging jurisdiction based on diversity and the Class Action Fairness Act, and seeking to represent a class of individuals that used the “Virtual Try-On” tool.  Defendant moved to dismiss Plaintiffs’ amended complaint.

The Court’s Ruling On Defendant’s Motion To Dismiss

Defendant sought to dismiss Plaintiffs’ BIPA claims on three grounds, two of which the Court rejected.

The Court dismissed Plaintiffs’ Section 15(a) claim on the grounds that Plaintiffs lacked Article III standing.  Id. at 8.  Relying on the Seventh Circuit’s decision in Bryant v. Compass Group, which remanded Section 15(a) claims to state court because the company’s statutory duty was to the public generally, the Court concluded that because the company’s duty was not to the specific individuals whose biometric information is collected, but to the public generally, Plaintiffs failed to allege any particularized, individual harm.  Id.  The Court reasoned that “Plaintiffs’ § 15(a) claim is expressly based on the ‘failure to develop and make publicly available a written policy for retention and destruction of biometric identifiers,’ rather than on the unlawful retention of data after the initial purpose for collecting the data had been satisfied …. As the court held in Bryant, because the duty to develop and disclose a retention policy is owed to the public generally, plaintiffs have failed to allege a particularized harm sufficient for Article III standing.”  Id.

Plaintiffs sought to analogize their case to another decision by the Seventh Circuit — Fox v. Dakkota Integrated Systems, LLC, in which the Seventh Circuit found that the plaintiff had standing to pursue her Section 15(a) claims where she alleged that the defendant not only failed to publish a retention policy, but unlawfully retained her biometric data, and such allegations were sufficient to allege an injury in fact for Article III standing.  Id. at 9.  But the Court rejected this comparison, noting that Plaintiffs’ amended complaint centered on Defendant’s alleged failure to develop and publish policies governing data collection and retention — not Defendant’s retention of the data.  Id.  The Court also rejected Plaintiffs’ alleged injury due to “the unknowing loss of control of …of biometric identifiers” and “violations of their privacy” as relevant to Plaintiffs’ Section 15(b) claim — not a Section 15(a) claim.  Id. at 9-10.

However, the Court rejected both of Defendant’s arguments to dismiss Plaintiffs’ Section 15(b) claims.

First, the Court rejected Defendant’s argument that Plaintiffs “pleaded themselves out of court” by alleging that Defendant’s “Virtual Try On” tool was powered by a third party not party to the litigation, and that that third party is the entity that collects users’ biometric identifiers.  Id.  at 12.  Instead, the Court concluded that Plaintiffs’ complaint sufficiently alleged that Defendant “collects detailed and sensitive biometric identifiers and information, including complete facial scans, of its users” and “takes active steps to collect users’ facial scans …. such as inviting users to take advantage of the Virtual Try-On tool.”  Id. at 12-13.

Second, the Court found no basis to dismiss Plaintiffs’ Section 15(b) claim on extraterritoriality grounds even though, as Defendant argued, the events giving rise to Plaintiffs’ claims did not occur “primarily and substantially” in Illinois.  Id. at 14.  Instead, the Court concluded that Plaintiffs were “Illinois residents who used the Virtual Try-On Tool while in Illinois, and that there was no indication from Plaintiffs’ complaint that any other events relevant to their claims occurred elsewhere.  Id.

Implications for Companies Using Biometric Equipment

The Court’s ruling in Theriot illustrates the continued risk for retailers from biometric data privacy lawsuits invoking the BIPA, and the resiliency of Section 15(b) claims despite efforts to dismiss at the pleading stage.

Notably, earlier lawsuits involving BIPA claims and eyewear have been dismissed under BIPA’s health care exemption, which exempts “information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996,” including “prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses.”  See Opinion and Order at 7, Svobova v. Frames for America, Inc., No. 21-CV-5509 (N.D. Ill. Sept. 8, 2022) (concluding that plaintiff was a “patient receiving a health care service in a health care setting). But the issue of whether courts will apply BIPA’s health care exemption to luxury sunglasses is currently pending in the U.S. District Court for the Northern District of Illinois in Warmack v. Christian Dior, Inc., Case No. 1:22-CV-04633, while its application with respect to so-called “cosmeceuticals” and other luxury skincare products raises significant FDA regulatory concerns.

In the meantime, companies should implement proper safeguards and consent processes for the collection and retention of biometric data — particularly with respect to Illinois consumers or states considering similar legislation — and consider how they notify users and obtain consent regarding biometric data.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress