Category: Privacy Class Actions

By Gerald L. Maatman, Jr., Tyler Z. Zmick, and George J. Schaller

Duane Morris Takeaways: In Kashkeesh v. Microsoft Corp., No. 1:21-CV-03229, 2023 U.S. Dist. LEXIS 109559 (N.D. Ill. Jun. 26, 2023), Judge Manish Shah of the U.S. District Court for the Northern District of Illinois granted Microsoft’s motion to compel arbitration regarding the claims of two Uber rideshare drivers asserting a class action under the Illinois Biometric Information Privacy Act. The Court held that Microsoft could enforce the rideshare contracts as a third-party beneficiary and that Microsoft did not expressly waive its right to arbitrate.

For employers seeking  to compel arbitration, especially in lawsuits involving third-party beneficiary situations, this decision is instructive in terms of how courts determine waiver of the right to arbitrate and third-party beneficiaries in agreements with arbitration clauses, particularly where the agreement provides a description of a class to which a party belongs and does not identify the beneficiary by name.

Case Background

Plaintiffs Emad Kashkeesh and Michael Kormorksi (collectively “Plaintiffs”) were drivers for the ridesharing and food delivery company Uber. Id. at 2. In addition to providing other identifying information for Uber as part of their work, Plaintiffs were required to take pictures of their faces through Ubers “Real Time ID Check” software. Id.  Uber’s software utilized Microsoft’s Face Application Programming Interface to identify drivers. Id. After Uber drivers, like Plaintiffs, submitted their photographs to Uber’s software program, Microsoft’s software extracted facial biometrics to create geometric templates, and compared these templates with information corresponding to the employees, for identification. Id at 2-3.

Plaintiffs claimed that they never agreed that Microsoft could capture, store, or disseminate their facial biometrics, were never told that Microsoft was gathering their information, and Microsoft never published a policy about the company’s retention and deletion of biometric information. Id. at 3.  However, Plaintiffs contracted with Uber to work as rideshare drivers and signed the Company’s 2020 Platform Access Agreement (“Uber Agreement”). Id.  Within the Uber Agreement, an arbitration clause required Plaintiffs to arbitrate any dispute between Plaintiffs and Uber, and “any other entity [other than Uber] .. arising out of or related to our application for use of an account to use [Uber’s] Platform and Driver App as a driver.” Id.

In May 2021, Plaintiffs filed a lawsuit alleging Microsoft violated the Illinois Biometric Privacy Act. Id.  Microsoft removed the case on June 16, 2021, and filed its own motion to dismiss for lack of personal jurisdiction. Id. Plaintiffs filed a motion to remand two of their claims. Id. Microsoft opposed Plaintiffs motion, but Plaintiffs’ motion was granted, and some of Plaintiffs’ claims remained in federal court with limited jurisdictional discovery conducted. Id.  Subsequently, Microsoft’s motion to dismiss was denied on December 13, 2022. Id. at 3-4. On that same day, Uber informed Microsoft for the first time that Plaintiffs agreed to the 2020 Uber Agreement. Id. at *4.  In answering Plaintiffs’ complaint, Microsoft asserted that Plaintiffs claims had to be arbitrated. In February 2023, Microsoft filed its motion to compel arbitration. Id.

The Court’s Decision

The Court granted Microsoft’s motion to compel arbitration. In doing so, the Court provided standards on compelling arbitration such that Microsoft was required to show “(1) an agreement to arbitrate, (2) a dispute within the scope of the arbitration agreement, and (3) a refusal by the opposing party to proceed to arbitration.” Id. at 1. Declaring that there was no dispute that the arbitration agreements are valid and enforceable, the Court turned to the following issues: (i) whether Microsoft (a non-signatory) can enforce the contracts as a third-party beneficiary, and (ii) whether Microsoft waived its right to compel arbitration. Id.

On the third party beneficiary status, the Court noted the strong presumption against “conferring contractual benefits on non-contracting third parties.” It reasoned that this presumption could be defeated if “the contract strongly suggest[s] that it applies to third parties – so strongly as to be practically an express declaration.” Id. at 5. Further, the Court opined that “to create a third-party beneficiary, the contract must have been made for the direct benefit of the third party, an intention which ‘must be shown by express provision in the contract identifying the third party beneficiary by name or by description of a class to which the party belongs.’” Id. Additionally, the third party bears the burden of showing the parties to the contract intended to confer a direct benefit. Id.

The Court determined that Microsoft was identifiable as a third party beneficiary “by description of a class to which the party belongs,” because Microsoft was “an entity,” and engaged in a dispute with Plaintiffs “arising out of or related to Plaintiffs use of an account to use [Uber’s] Platform and Driver App as a driver.” Id. The Court disagreed with Plaintiffs’ argument that this “entity” class was not defined specifically enough. Id. at *6. The Court also rejected Plaintiffs’ contention that the Uber Agreement limited any arbitration claims to Uber, its agents, and employees because the agreement included an address for Uber where plaintiffs could demand arbitration in writing. Id. The Court held “the agreement in this case also expressly identifies third parties for whom no contact information was provided, so including contact information for an entity is not a conclusive sign of the parties intent to confer third-party beneficiary status.” Id. at 7.  Therefore, the description of the class at issue showed the agreement applied to third parties, including Microsoft, and the parties intended to confer a direct benefit on Microsoft, so Microsoft could enforce the Uber Agreement. Id.

As to waiver, the Court reasoned the right to arbitrate a dispute can be expressly or implicitly waived. Id. However, based on the circumstance here, the Court ruled that there was no evidence that Microsoft expressly gave up its right to arbitrate with these Plaintiffs. Id. Instead, the Court analyzed whether Microsoft implicitly waived its right to arbitrate by considering the totality of the circumstances and whether Microsoft acted inconsistently with arbitration. Id. at 8.  The Court considered Microsoft’s diligence in seeking arbitration and whether Microsoft participated in litigation, substantially delayed its request for arbitration, participated in discovery, and whether Plaintiffs were prejudiced by the delay in seeking arbitration. Id.

Microsoft argued that “a party can only be found to have given up its right to arbitrate if it had actual knowledge of that right. Id. at 9. The Court disagreed based on the notion that a party could implicitly waive or forfeit the right to arbitrate by failing to adequately investigate the possibility of arbitration. Id.  Indeed, the Court stated “a reckless indifference to a right to arbitrate and the use of judicial dispute resolution instead is a strong sign that a party wasted time, and should not be allowed to invoke the right that it could have asserted sooner.” Id. at 9. Looking to the chronology of the case, the Court reasoned that Microsoft demonstrated a lengthy delay in waiting to mention arbitration until January 2023 when its initial removal of the case to federal court occurred in June 2021. Id..

 

The Court also did not find Microsoft’s arguments persuasive that it could not have done more to figure out whether Plaintiffs agreed to arbitrate. Id. at 10.  In part, the Court looked to the sophistication of both Microsoft and Uber, as well as, the diligence in communications between the two companies. Id.  The Court determined that “Microsoft’s lack of diligence, removal, and (limited) participation in litigation [were] all inconsistent with arbitration.” Id. at 11.  Additionally, the ruling on Microsoft’s motion to dismiss made factual findings that may be relevant to Microsoft’s defenses and Microsoft’s delay in seeking arbitration had led to some “limited prejudice to [P]laintiffs.” Id.  Even still, the Court recognized “while invoking judicial process presumptively waives a right to arbitration, that presumption can be rebutted in abnormal cases” and it considered this case to be “one of them.” Id.

In sum, the Court noted that Microsoft could have been more diligent in identifying its right to arbitrate this dispute and Microsoft’s participation in litigation was not merit-based, so while the case was “a close call,” the Court held that “the context here does not demonstrate an untimely assertion of a right amounting to forfeiture.” Id. at 14. Therefore, the Court granted Microsoft’s motion to compel arbitration.

Implications For Employers

Employers that are confronted with litigation involving arbitration claims and beneficiary classifications should take note that the Court in Kashkeesh relied heavily on the description conferring benefits to Microsoft and that Microsoft’s actions demonstrating it waived its right to arbitrate was a “close call” for the Court. Further, from a practical standpoint, employers should carefully evaluate any entered agreements with other parties that contain arbitration clauses to ensure it is properly conferred a benefit to arbitrate.

 

 

 

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Tyler Zmick

Duane Morris Takeaways: As efforts to enact comprehensive privacy protection continue to stall on the federal level, states have stepped up to create a patchwork quilt of protections for those doing business with consumers within their borders.  Tennessee recently became the eighth state – following Indiana, California, Colorado, Connecticut, Iowa, Utah, and Virginia – to enact comprehensive privacy legislation.  At least 15 other states have introduced similar bills during the current legislative session, and Montana’s comprehensive consumer privacy statute awaits the signature of its Governor.  Companies doing business in Tennessee or with Tennessee consumers should take heed of the new law and review their policies and processes for compliance.

Tennessee Legislation

After receiving overwhelming support from both houses of the General Assembly, on May 11, 2023, Governor Bill Lee signed the Tennessee Information Protection Act into law.  With this law, Tennessee became the eighth state to institute comprehensive consumer privacy legislation.  The law is set to take effect on July 1, 2024.

The act applies to businesses that conduct business in Tennessee or produce products or services that are targeted to Tennessee residents and that: (1) control or possess the personal information of at least 175,000 consumers; or (2) control or process personal information of at least 25,000 consumers and derive more than 50% of their gross revenue from the sale of personal information.  The law contains exemptions for certain types of entities, such as governmental entities, certain financial institutions, non-profit organizations, and higher education institutions.  The law also exempts certain types of data, such as personal information regulated by the Family Educational Rights and Privacy Act, and protected health information under HIPAA.

Similar to other comprehensive state privacy laws, the Tennessee law grants Tennessee residents certain rights in their personal information.  It allows for consumers to confirm whether a company is processing their personal information, to access their personal information, to correct inaccuracies in their personal information, to delete their personal information, to obtain copies of their personal information, and to opt out of future sales or targeted advertising.

The law allows a consumer to invoke his or her rights (and the rights of his or her children) at any time by submitting a request to a controller of the personal information specifying the rights that the consumer wishes to invoke, and it requires the respondent to comply with an authenticated request without undue delay but, in all cases, within 45 days.

The law imposes various requirements on persons and entities who “determine[] the purpose and means” of processing personal information.  For example, it requires such persons and entities to limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed; to establish, implement, and maintain reasonable data security practices; and, if the controller processes or sells personal information for targeted advertising, to clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.

The Tennessee law does not provide for a private right of action and vests exclusive enforcement authority in the Tennessee attorney general.  It allows a court to impose civil penalties of up to $7,500 per violation, and allows treble damages for willful or knowing violations.  The law requires that, prior to initiating an action, the attorney general must provide a 60-day notice period during which the recipient may cure the noticed violation to avoid an enforcement action. The law also creates an affirmative defense under certain circumstances for a company that creates, maintains, and complies with a written privacy policy that reasonably conforms to documented policies, standards, and procedures designed to safeguard consumer privacy.

Implications for Businesses

Covered persons and entities who do business in Tennessee or who target Tennessee consumers should start reviewing their policies and developing processes to comply with the Tennessee law.  Although the law is not set to take effect until July 1, 2024, the law adds another challenge to the already complex compliance landscape for companies seeking to operate on a nationwide basis.

By Gerald L. Maatman, Jr., Jennifer A. Riley, Alex W. Karasik, and Shaina Wolfe

Duane Morris Takeaways: The United States currently has no comprehensive data privacy law. Rather, a patchwork quilt of various privacy laws cover different types of data, such as information in credit reports (the Fair Credit Reporting Act), student records (Family Educational Rights and Privacy Act), and consumer financial products (Gramm-Leach-Bliley Act).  In an attempt to fill the void of federal legislation, Indiana recently joined six other states – California, Colorado, Connecticut, Iowa, Utah, and Virginia – in enacting a comprehensive privacy statute, the Indiana Consumer Data Protection Act (“ICDPA”). At least nineteen states have introduced similar privacy bills this legislative session. Montana and Tennessee have comprehensive consumer privacy statutes pending signature by their governors. Businesses in Indiana should start immediately reviewing their policies and implementing processes for complying with ICDPA to avoid enforcement litigation by the Indiana Attorney General.

Indiana Legislation

On May 1, 2023, Indiana Governor Holcomb signed Senate Bill 5, known as the ICDPA. This new law will take effect on January 1, 2026.

The ICDPA applies to companies that conduct business in Indiana or produce products or services that are targeted to residents of Indiana and during a calendar year: (1) control or process the personal data of 100,000 consumers (who are Indiana residents) or (2) control or process personal data of at least 25,000 consumers (who are Indiana residents) and more than 50% of gross revenue from the sale of personal data. Significantly, the ICDPA does not apply to data processed or maintained in the course of applying to or being employed by a business. Moreover, the ICDPA does not apply to government entities, non-profit organizations or higher education institutions.

The ICDPA provides consumers with rights to their personal data, including:

– opt-out rights related to the sale of personal data, targeted marketing and profiling (automated decision making that could have significant legal effects, such as those related to employment and benefits);
– access rights, including a right to confirm whether a company is processing any data at all;
– deletion rights;
– correction rights, limited to data the consumer previously provided;
– appeal rights; and
– data portability rights (summary of the personal data sent to the consumer must be in a portable and readily usable format).

“Personal data” is broadly defined as information that is “linked or reasonably linkable to an identified or identifiable individual.” Personal data does not include de-identified data, publicly available information, or data related to a group or category of customers that is not linked or reasonably linked to an individual customer. The ICDPA also provides consumers the right to opt-out of the collection and processing of their sensitive personal data. “Sensitive personal data” includes: (1) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis made by a healthcare provider, sexual orientation, or citizenship or immigration status; (2) genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual; (3) personal data collected from a known child; and (4) precise geolocation data. Certain personal data that is covered by other statutes like the Fair Credit Reporting Act or Family Educational Rights and Privacy Act is exempt.

Once the ICDPA takes effect, companies must respond to a consumer personal data request within 45 days of receipt of the request. Companies may also seek a 45-day extension to respond. If a consumer appeals a company’s decision to deny the consumer’s request, the appeal response must be delivered within 60 days. If the appeal is denied, the company must provide the consumer with a method for contacting the state attorney general.

Importantly, the ICDPA does not provide individuals with a private right of action against businesses that violate the Indiana Law. Rather, the Indiana Attorney General will have exclusive enforcement authority. Prior to any enforcement action, the business will be allowed 30 days to cure the alleged violation. Only after the thirty days pass will the Indiana Attorney General be permitted to bring an enforcement action for the alleged violation. If the Indiana Attorney General decides to bring an enforcement action, the business may be fined up to $7,500 per violation.

Implications for Businesses

The ICDPA does not take effect until January 1, 2026. Covered businesses should start reviewing their policies and implementing processes for complying with the ICDPA to avoid enforcement by the Indiana Attorney General.

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Tyler Z. Zmick

Duane Morris Takeaways:  On May 1, 2023, the U.S. Court of Appeals for the Seventh Circuit issued one of only a handful of decisions that have been released regarding the Illinois Genetic Information Privacy Act (“GIPA”).  In Bridges v. Blackstone, Inc., No. 22-2486, 2023 WL 3165218 (7th Cir. May 1, 2023), the Seventh Circuit affirmed the District Court’s dismissal of Plaintiffs’ GIPA claims based on Plaintiffs’ failure to allege that Defendant “disclosed” or was “compelled to disclose” their statutorily-protected genetic information. Similar to its more well-known counterpart – the Illinois Biometric Information Privacy Act (“BIPA”) – liability under the GIPA could potentially result in “astronomical” damages awards and may represent an increasingly important Illinois law in the privacy space.

GIPA Background

Enacted in 1998, the GIPA was designed to prevent employers and insurers from using genetic testing data as a means to discriminate for employment or insurance underwriting purposes.

To further that goal, the statute places restrictions on the ability to release “genetic testing and information derived from genetic testing.”  Specifically, the GIPA provides that “genetic testing and information derived from genetic testing is confidential and privileged and may be released only to the individual tested and to persons specifically authorized, in writing in accordance with Section 30, by that individual.”  410 ILCS 513/15(a).  Section 30, in turn, states that subject to certain exceptions, “[n]o person may disclose or be compelled to disclose the identity of any person upon whom a genetic test is performed or the results of a genetic test in a manner that permits identification of the subject of the test, except to . . . the subject of the test.”  410 ILCS 513/30(a).

Like the BIPA, the more widely-known privacy statute, the GIPA allows “[a]ny person aggrieved by a violation” of the statute to collect liquidated damages “for each violation” in the following amounts: (1) for negligent violations, $2,500 or actual damages, whichever is greater; or (2) for intentional or reckless violations, $15,000 or actual damages, whichever is greater.  410 ILCS 513/40.  Like the BIPA, prevailing GIPA plaintiffs can also recover reasonable attorneys’ fees and costs.

Case Background

In Bridges, the Plaintiffs sent their DNA samples (obtained through at-home test kits) to Ancestry.com, a genealogy company.  Years later, Defendant Blackstone, Inc. purchased Ancestry.com for $4.7 billion in an all-stock acquisition.  Plaintiffs subsequently filed a putative class action against Blackstone in July 2021, alleging that its acquisition of Ancestry.com resulted in a violation of the GIPA.

After removing the complaint to the U.S. District Court for the Southern District of Illinois, Blackstone moved to dismiss on the basis that Plaintiffs failed to sufficiently allege a claim for relief under the GIPA.

The District Court agreed, holding that Plaintiffs failed to state a GIPA claim because they did not adequately allege that Blackstone “compelled” Ancestry.com to disclose Plaintiffs’ genetic data under Section 30 of the GIPA.  The District Court agreed with Blackstone that “compel[ing]” the disclosure of genetic information necessarily requires something more than receipt or obtainment, yet Plaintiffs alleged only that Blackstone “may have been entitled to request or receive information from Ancestry in connection with the[] acquisition.”  Bridges v. Blackstone Grp., Inc., No. 21-CV-1091, 2022 WL 2643968, at *4 (S.D. Ill. July 8, 2022).

The Seventh Circuit’s Decision

The Seventh Circuit affirmed the District Court’s dismissal of Plaintiffs’ GIPA claim under Rule 12(b)(6).

Regarding the District Court’s reason for granting Blackstone’s motion to dismiss, the Seventh Circuit held that it need not answer the question “over whether GIPA liability can attach to a company like Blackstone that allegedly receives protected information, rather than discloses that information,” because Plaintiffs “have failed to state a claim regardless.”  Id. at *2.

The Seventh Circuit agreed with the District Court that it is not plausible to infer that “a run-of-the-mill corporate acquisition, without more alleged about that transaction, results in a compulsory disclosure within the meaning of Section 30.”  Bridges v. Blackstone Grp., Inc., No. 22-2486, Order at 4 (7th Cir. May 1, 2023) (“All we can say with certainty about Blackstone’s all-stock acquisition of Ancestry is that a change in ownership occurred – nothing more.”).

Implications for Employers

One of only a few cases to have interpreted the statute, the Bridges decision indicates that a company is not subject to liability under the GIPA based solely on its acquisition of another company that may be in possession of genetic data.

Nonetheless, Bridges serves as a reminder to Illinois employers that collect genetic information, medical histories, and/or conduct “health screenings” as part of their application processes about the importance of complying with the GIPA.

The GIPA’s statutory text mirrors the BIPA’s text in important (and potentially concerning) ways, including that (i) a plaintiff can likely sue under the GIPA regardless of whether an actual injury is alleged; and (ii) following the Illinois Supreme Court’s logic as applied to the BIPA in Cothron v. White Castle, 2023 IL 128004 (Ill. Feb. 17, 2023) (see here), statutory damages may accrue under the GIPA each separate time a company “disclose[s] or [is] compelled to disclose” genetic data protected by the GIPA.  Thus, it is possible that plaintiffs will file increased numbers of GIPA class actions in Illinois courts in the coming months and years.

By Alex W. Karasik, Tyler Z. Zmick, and Elizabeth C. Mincer

Duane Morris Takeaways:  In the Illinois Supreme Court’s latest ruling in the biometric privacy space, it decided in Walton v. Roosevelt University, 2023 IL 128338 (Ill. Mar. 23, 2023), that claims brought under the Biometric Information Privacy Act (“BIPA”) by bargaining unit employees are preempted by Section 301 of the Labor Management Relations Act (“LMRA”) where an employer invokes a broad management rights provision in a CBA.  This ruling – which is consistent with federal court decisions addressing the issue – is a rare win for defendants facing BIPA class actions.  Employers with unionized workforces may now be able to assert an LMRA preemption defense in seeking dismissal of BIPA claims based on decisions issued by Illinois’s highest state court and the U.S. Court of Appeals for the Seventh Circuit.

Case Background

Plaintiff alleged that when he started working at Roosevelt University in 2018, Roosevelt required him to enroll a scan of his hand geometry onto a biometric timekeeping device as a means of clocking in and out of work.  Plaintiff sued Roosevelt the following year, alleging that the university violated Sections 15(a), 15(b), and 15(d) of the BIPA in connection with Roosevelt’s use of the timekeeping system by (i) failing to develop a written policy made available to the public establishing a retention policy and guidelines for destroying biometric data, (ii) collecting his biometric data without providing him with the requisite notice and obtaining his written consent, and (iii) disclosing his biometric data without consent.

In response to the complaint, Roosevelt moved to dismiss on the basis that Plaintiff’s claims were preempted by Section 301 of the Labor Management Relations Act (“LMRA”).  Specifically, Roosevelt argued that Plaintiff had been a union member while employed by Roosevelt, and the collective bargaining agreement (“CBA”) between Roosevelt and Plaintiff’s union contained a management rights clause broad enough to cover the manner by which union employees clocked in and out of work.  As support, Roosevelt cited the U.S. Court of Appeals for the Seventh Circuit’s decision in Miller v. Southwest Airlines Co., 926 F.3d 898 (7th Cir. 2019), which held that federal labor law preempts BIPA claims when the claims require interpretation or administration of a CBA.

The Cook County Circuit Court rejected Roosevelt’s LMRA preemption argument, finding Miller distinguishable and holding that BIPA claims are “not intertwined with or dependent substantially upon consideration” of terms of a CBA because a person’s rights under the BIPA “exist independently of both employment and any given CBA.”  Id. ¶ 6.  Because the issue presented a close call, however, the Circuit Court certified the following question for interlocutory appeal: “Does Section 301 of the [LMRA] preempt [BIPA] claims asserted by bargaining unit employees covered by a [CBA]?”

The Illinois Appellate Court answered the certified question “yes.”  In doing so, the court noted that the Seventh Circuit had recently come to the same conclusion in a case where “the relevant factual and legal circumstances . . . [were] indistinguishable.”  Id. ¶ 8 (citing Fernandez v. Kerry, Inc., 14 F.4th 644 (7th Cir. 2021)).  The appellate court determined that Fernandez reached the correct conclusion, as the BIPA “contemplates the role of a collective bargaining unit acting as an intermediary on issues concerning an employee’s biometric information.”  Id. ¶ 10 (noting that the BIPA prohibits private entities from collecting biometric information without obtaining consent from the subject or the subject’s legally authorized representative).

The Illinois Supreme Court’s Decision

The Illinois Supreme Court subsequently allowed Plaintiff’s petition for leave to appeal, after which it affirmed the appellate court’s decision.  The Supreme Court observed that the Seventh Circuit had twice held that federal law preempts BIPA claims asserted under similar circumstances, and it noted that when interpreting federal statutes, Illinois courts look to the decisions of the U.S. Supreme Court (“SCOTUS”) and federal circuit and district courts.  It further noted that the SCOTUS’s interpretation of federal law is binding, and that in the absence of SCOTUS precedent, the weight given to federal circuit and district court interpretations of federal law depends on factors such as uniformity of law and the soundness of the decisions.  See id. ¶¶ 23-24 (“[I]f lower federal courts are uniform in their interpretation of a federal statute, this court, in the interest of preserving unity, will give considerable weight to those courts’ interpretations of federal law and find them to be highly persuasive.”).

In comparing Plaintiff’s case to the Seventh Circuit decisions, the Supreme Court acknowledged that the relevant CBA provisions in Plaintiff’s case and in Fernandez both contained similarly broad management rights clauses.  See id. ¶ 31 (noting the CBA between Roosevelt and Plaintiff’s union stated that “[s]ubject to the provisions of this Agreement, the Employer shall have the exclusive right to direct the employees covered by this Agreement” and that “[a]mong the exclusive rights of management . . . are: the right to plan, direct, and control all operations performed in the building [and] to direct the working force”).

In sum, because the Supreme Court did not find Miller and Fernandez to be “without logic and reason,” id., it deferred to the uniform federal case law on the issue and held that when an employer invokes a CBA’s broad management rights clause in response to a BIPA claim brought by a bargaining unit employee, the plaintiff’s BIPA claims are preempted by the LMRA.

Implications For Employers

Like the Seventh Circuit’s decisions in Miller and Fernandez, Walton reflects a rare defendant-friendly development and provides a basis for certain employers to seek dismissal of BIPA claims on LMRA preemption grounds.  The defense applies only to a subset of employers, however, as it can be asserted only by (i) employers with unionized employees who (ii) have entered into a CBA with a union that contains a management rights clause broad enough to cover the manner by which employees clock in and out of work.  Furthermore, unionized employees are not prohibited from seeking redress for alleged BIPA violations – they are simply required to first pursue those claims through the grievance procedures in their CBAs rather than in state or federal court.

Moreover, the National Labor Relations Board (“NLRB”) – the agency that enforces the National Labor Relations Act (“NLRA”) – has indicated that it intends to reshape current law regarding employee privacy and management rights provisions. If such changes take effect, they could reshape how courts assess federal labor law preemption in future BIPA cases.

The Walton ruling highlights the importance of carefully negotiating and drafting CBA provisions, particularly with respect to management rights.  Employers in states with strict privacy laws (like the BIPA) should consider contract language that specifically provides management with the right to use and store certain biometric data and/or implement other new technologies.

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

Duane Morris Takeaways: The last year saw a virtual explosion in privacy class action litigation. As a result, compliance with privacy laws in the myriad of ways that companies interact with employees, customers, and third parties is a corporate imperative. To that end, the class action team at Duane Morris is pleased to present the inaugural edition of the Privacy Class Action Review – 2023. This new publication analyzes the key privacy-related rulings and developments in 2022 and the significant legal decisions and trends impacting privacy class action litigation for 2023. We hope that companies and employers will benefit from this resource in their compliance with these evolving laws and standards.

Click here to download a copy of the Privacy Class Action Review – 2023 eBook.

Co-Editor of the Review Jerry Maatman provided insights on our new publication earlier this week to the Wall Street Journal in its article on privacy class action litigation, which can be found here: Biometric-Privacy Rulings in Illinois Expand Potential Liability for Tech Firms – WSJ

Duane Morris partners Jerry Maatman, Jennifer Riley, and Alex Karasik also recently recorded the first edition of “The Class Action Weekly Wire,” our new podcast series, in which contributors to our Duane Morris Class Action Review discuss the significant rulings and legislation in various areas of law. To add context to our new publication, last Friday’s edition discussed recent developments in privacy class action litigation. Click here to watch and listen to the podcast!

By Gerald L. Maatman, Jr., Alex W. Karasik, Tyler Z. Zmick, and Jennifer A. Riley

Duane Morris Takeaways:  In the latest ruling in Illinois in the biometric privacy class action space, the Illinois Supreme Court decided today in Cothron v. White Castle, 2023 IL 128004 (Ill. Feb. 17, 2023), that a separate claim for damages accrues under the Biometric Information Privacy Act (“BIPA”) each time a private entity scans or transmits an individual’s biometric identifier or information, in violation of section 15(b) or 15(d).

This ruling could exponentially increase monetary damages in class actions brought under the BIPA, especially in the employment context, where employees scan in and out of work multiple times per day for several hundred days per year.

Case Background

Plaintiff alleged that after she started working at White Castle in 2004, the company required her to use a fingerprint-based system to access the workplace computer she used in her position as a manager.  Plaintiff sued White Castle several years later in 2018, alleging that the company violated Sections 15(b) and 15(d) of the BIPA in connection with the fingerprint-based system by (i) collecting her biometric data without providing her with the requisite notice and obtaining her written consent, and (ii) disclosing her biometric data without consent.

After removing the complaint to the U.S. District Court for the Northern District of Illinois, White Castle moved for judgment on the pleadings on the basis that Plaintiff’s claims were untimely.  Specifically, White Castle argued that Plaintiff’s BIPA claims accrued in 2008 (when her first fingerprint scan occurred after the BIPA took effect), yet she did not file her complaint until 2018.  The District Court rejected White Castle’s one-time-only theory of claim accrual, holding that the lawsuit was timely because each separate unauthorized fingerprint scan constituted an independent violation of the statute, meaning Plaintiff’s BIPA claims were timely because her last fingerprint scan occurred within five years of the filing of her complaint.  Because the issue presented a close call, however, the District Court permitted White Castle to file an interlocutory appeal with the Seventh Circuit regarding whether Section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits a scan to a third party, respectively, or only upon the first scan and first transmission.

The U.S. Court of Appeals for the Seventh Circuit accepted the interlocutory appeal. Id. ¶ 9. After determining that Plaintiff had standing to bring her action in federal court under Article III of the U.S. Constitution, the Seventh Circuit addressed the parties’ respective arguments on the accrual of a claim under the Act.  Id.  Ultimately, the Seventh Circuit found the parties’ competing interpretations of claim accrual reasonable under Illinois law, and it agreed with Plaintiff that “the novelty and uncertainty of the claim-accrual question” warranted certification of the question to the Illinois Supreme Court.  Id. at 1165-66.  The Seventh Circuit “observed that the answer to the claim-accrual question would determine the outcome of the parties’ dispute, this court could potentially side with either party on the question, the question was likely to recur, and it involved a unique Illinois statute regularly applied by federal courts.”  Id..

The Illinois Supreme Court’s Decision

In a 4-3 split ruling, the Illinois Supreme Court held today that that a separate claim accrues under the BIPA each time a private entity scans or transmits an individual’s biometric identifier or information, in violation of section 15(b) or 15(d).  First, the Illinois Supreme Court analyzed the certified question with respect to Section 15(b), which provides that no private entity “may collect, capture, purchase, receive through trade, or otherwise obtain” a person’s biometric data unless it first provides notice and receives written consent.  740 ILCS 14/15(b).  Relying on the plain language of the statute and the fact that the actions of “collecting” and “capturing” biometric data can occur more than once, the Supreme Court agreed with Plaintiff’s interpretation – namely, that Section 15(b) “applies to every instance when a private entity collects biometric information without prior consent.”  Id. ¶¶ 19, 23.  As interpreted in the context of the facts of the case, the Supreme Court further observed that White Castle obtains an employee’s fingerprint, stores it in its database, and then compares the fingerprint taken during subsequent scans to verify the identity of the employee.  In the Supreme Court’s words, White Castle “fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub.”  Id. ¶ 23.  Accordingly,  consistent with the District Court’s decision in Cothron and the Illinois Appellate Court’s conclusion in Watson, 2021 IL App (1st) 210279, ¶ 46, the Illinois Supreme Court held that an entity violates Section 15(b) the first time it collects biometric data without having provided the requisite notice and obtaining consent, in addition to “each subsequent scan or collection.”  Id. ¶ 24.

Next, closely tracking its analysis of Section 15(b), the Supreme Court similarly held that BIPA Section 15(d) – which prohibits the disclosure, redisclosure, or dissemination of biometric data without consent – “applies to every transmission to a third party.”  Id. ¶ 28. Like the verbs “collect” and “capture” in Section 15(b), the acts of disclosing and redisclosing biometric data occur upon the initial disclosure in addition to any subsequent disclosure or redisclosure of the data.  See id. ¶ 29 (“A fingerprint scan system requires a person to expose his or her fingerprint to the system so that the print may be compared with the stored copy, and this happens each time a person uses the system.”).

The majority opinion also rejected White Castle’s remaining “nontextual” arguments supporting its single-accrual interpretation.  White Castle argued that a BIPA claim accrued only upon the initial collection or disclosure of a person’s biometric data because an individual loses the right to control his or her biometric data as soon as the data is collected and/or disclosed.  In rejecting the argument, the Supreme Court again relied on the statute’s plain language, stating: “[n]o such limitation appears in the statute.  We cannot rewrite a statute to create new elements or limitations not included by the legislature.”  Id. ¶ 39.

Next, the Supreme Court turned to White Castle’s argument that in light of the BIPA’s liquidated damages provision, interpreting the statute to mean an entity violates Sections 15(b) and 15(d) every time it collects or discloses biometric data means “a party may recover for “each violation,” allowing multiple or repeated accruals of claims by one individual could potentially result in punitive and “astronomical” damage awards that would constitute “annihilative liability” not contemplated by the legislature and possibly be unconstitutional.”  Id. ¶ 41.  For example, White Castle estimated that if Plaintiff was successful and allowed to bring her claims on behalf of as many as 9,500 current and former White Castle employees, classwide damages in her action may exceed $17 billion.  Once again, the Supreme Court rejected White Castle’s argument because the statutory language is clear and supports plaintiff’s position.  See id. ¶ 40 (“As the district court observed, this court has repeatedly held that, where statutory language is clear, it must be given effect, “ ‘even though the consequences may be harsh, unjust, absurd or unwise.’ ” (Emphasis omitted.) Cothron, 477 F. Supp. 3d at 734 (quoting Peterson v. Wallach, 198 Ill. 2d 439, 447 (2002)).”).

Importantly, however, the Supreme Court acknowledged that trial courts could exercise their discretion to reduce the amount of statutory damages that plaintiffs can recover. Id. ¶ 42.  In closing, the Supreme Court reiterated the position that White Castle’s “policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature,” and it “suggest[ed] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.”  Id. ¶ 43.  Accordingly, the Illinois Supreme Court concluded that the plain language of section 15(b) and 15(d) shows that a claim accrues under the BIPA with every scan or transmission of biometric identifiers or biometric information without prior informed consent.

The Dissent

Notably, three Illinois Supreme Court Justices, inclusive Chief Justice Theis, joined the Dissenting Opinion.  Of note, the Dissent opined that two significant consequences militate against the majority’s construction.  Id. ¶ 60.  First, under the majority’s rule, plaintiffs would be incentivized to delay bringing their claims as long as possible, since “If every scan is a separate, actionable violation, qualifying for an award of liquidated damages, then it is in a plaintiff’s interest to delay bringing suit as long as possible to keep racking up damages.”  Id.  Second, the Dissent noted that, “the majority’s construction of the Act could easily lead to annihilative liability for businesses.”  Id. at ¶ 61.

In sum, the Dissent commented that, “Imposing punitive, crippling liability on businesses could not have been a goal of the Act, nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm.  Id. ¶ 63.  To this point, the Dissent opined that, “nothing in the Act indicating that the legislature intended to impose cumbersome requirements or punitive, crippling liability on corporations for multiple authentication scans of the same biometric identifier. The legislature’s intent was to ensure the safe use of biometric information, not to discourage its use altogether.”

Implications For Employers

Following the Illinois Supreme Court’s similar pro-plaintiff ruling in Tims v. Black Horse Carriers, 2023 IL 127801 (Ill. Feb. 2, 2023), which applied a five-year statute of limitations to the BIPA instead of a one-year statute of limitations, the well is beginning to dry for businesses in terms of potential BIPA class action defenses. While employers can still explore novel exemptions, such as information captured from a patient in a health care setting, most companies caught in the crosshairs of BIPA class actions will be facing monumental amounts of potential damages.

Businesses confronted with BIPA class actions may need to explore alternative potential defenses, such as the constitutionality of the overbearing damages thresholds.  Companies will also likely push for legislative changes.  Nonetheless, given the bleak outlook of the law as it stands, it is imperative for businesses to immediately ensure they are compliant with the BIPA.

By Kelly A. Bonner, Alex W. Karasik, Gerald L. Maatman, Jr., and Jennifer A. Riley

Duane Morris Takeaways:  In a significant win for fashion and beauty retailers in the privacy class action space, in Warmack-Stillwell v. Christian Dior Inc., No. 1:22-CV-04633, 2023 U.S. Dist. LEXIS 22926 (N.D. Ill. Feb. 10, 2023), an Illinois federal court held that an exemption to the Illinois Biometric Information Privacy Act (“BIPA”) for data captured from a patient in a health care setting barred proposed class action claims alleging that luxury giant Christian Dior Inc.’s (“Dior”) virtual try-on tool (“VTOT”) violated the BIPA.

Businesses in Illinois, particularly online fashion and beauty retailers, can use this ruling to attack BIPA claims involving VTOT technology.

Case Background

As discussed in our previous publications, lawsuits involving BIPA claims and eyewear have been dismissed under one of BIPA’s statutory exemptions, which in relevant part excludes from its definitions of biometric identifiers and biometric information: (1) information captured from a patient in a health care setting; or (2) information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996, including prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses.

Plaintiff alleged that Dior maintained a VTOT feature on its website that collected users’ facial geometry data without first obtaining written consent or informing users of the purpose and length of time that their data was being collected in violation of Section 15(b) of BIPA. Plaintiff also alleged that Dior failed to provide a publicly available data retention and destruction schedule, as required by Section 15(a) of BIPA.

Dior moved to dismiss Plaintiff’s complaint on the basis that the BIPA’s health care exemption applied to non-prescription sunglasses, such as the ones sold by Dior and which the plaintiff alleged that she tried on with the VTOT technology, and thus precluded Plaintiff’s claims.

Plaintiff countered that the sunglasses were fashion accessories; Dior’s website was not a health care setting; and Dior’s consumers were not patients. Plaintiff also sought to distinguish prior decisions applying the BIPA’s health care exemption as focusing on the VTOT technology being used for prescription glasses, akin to optometrist fittings, and not in connection with the purchase of luxury sunglasses.  Id. at *8.

The Court’s Decision

The Court granted Dior’s motion to dismiss under Rule 12(b)(6).  First, the Court explained that Plaintiff qualified as a “patient in a health care setting” under the dictionary definition of the term “patient,” and that Dior’s VTOT feature “facilitates the provision of a medical device that protects vision.” Id. at *8.  Similarly, the Court held that use of the VTOT technology constituted “health care,” which the dictionary defined as “efforts made to maintain or restore physical, mental, or emotional well-being especially by trained and licensed professionals.”  Id. at *9.

In addition, the Court reasoned that the relevant test was “not a user’s subjective understanding, but rather an objective application of the text of the exemption.” Id. at *8-9.  The Court opined that the outcome of the analysis should not change if a consumer uses the VTOT in search of primarily stylish sunglasses rather than protective ones.

Plaintiff attempted to distinguish Dior’s website from a “health care setting” by arguing that “[a]n artist prepping a canvas is not providing a health care service if they use a scalpel instead of an Xacto knife.”  Id. at *9.  As to that point, the Court concluded that the VTOT feature facilitated the purchase of sunglasses to wear on one’s face and protect one’s eyes, thus performing the product’s intended medical function rather than an unconventional purpose.

Similarly, the Court rejected Plaintiff’s attempts to analogize her case to BIPA suits against blood plasma centers, in which courts rejected application of the health care exemption.  Even if the cases applied the same definitions of “health care” and “patient,” the Court concluded that the removal of plasma for commercial purposes is not “health care because the purpose — at least from the plasma donors’ perspectives — was not to ‘maintain or restore physical, mental or emotional well-being’; it was to get paid.”  Id. at *11.

Finally, the Court notably denied Dior’s motion to dismiss under Rule 12(b)(1), rejecting Dior’s argument that Plaintiff failed to allege an injury-in-fact sufficient for Article III standing. The Court concluded that Plaintiff sufficiently alleged an injury-in-fact under Section 15(a) “because “unlawful retention of a person’s biometric data is as concrete and particularized an injury as an unlawful collection of a person’s biometric data.”   Id. at *11.

Accordingly, the Court granted Dior’s motion to dismiss on Rule 12(b)(6) grounds, but rejected Dior’s Article III standing argument and denied its motion based on Rule 12(b)(1).

Implications for Retailers

The Court’s decision in Warmack is a solid victory for fashion and apparel retailers, and indicates that courts are willing to expand the BIPA’s healthcare exemption to more retail-oriented environments, and adopt a plain reading of the statue rather than seeking to discern legislative intent. This ruling could have significant implications for personal care products retailers, especially those who utilize VTOT features to assess skin complaints such as aging, hyperpigmentation, and recommend treatments, and whether those defenses will draw regulatory scrutiny for purposed “drug” claims.

In the meantime, retailers should stay abreast of biometric data privacy laws in Illinois and beyond, and ensure that their privacy policies stay current with evolving nationwide legislation.