Chances are, if you are a privacy professional, you have heard of Illinois’ Biometric Information Privacy Act (BIPA). Enacted in 2008, it took several years for BIPA litigation to get its footing, but today it has become a cottage industry much like class actions under the Telephone Consumer Protection Act (TCPA) or the Fair Credit Reporting Act (FCRA). And it is continuing to grow. In 2020, at least 54 court rulings referenced BIPA (more than double the count in 2019). Despite this steady clip of litigation in 2020, open questions remain about BIPA’s scope and reach. As a result, 2021 is shaping up to be a groundbreaking year for BIPA litigation.
Illinois was the first state to regulate the collection and storage of biometric data. Generally, BIPA requires any private entity in possession of biometric information to: (i) develop a written policy, (ii) inform the owner of the biometric information in writing about the purpose for collecting the information and the length of time it will be stored, (iii) obtain written consent for the collection and storage of the data, and (iv) refrain from selling, leasing, trading, or otherwise profiting from that biometric information.1 A critical component of BIPA is its almost unfettered private right of action, which allows “any person aggrieved by a violation of [the] Act” to sue for steep liquidated damages: $1,000 for each negligent violation, $5,000 for each intentional or reckless violation. Successful plaintiffs can also obtain attorneys’ fees and costs, and injunctive or other relief. Since its passage, this private right of action has enabled over 750 class actions to be filed—many of which settled for hefty sums, as can be seen in the chart below—across federal and state courts.
Recent BIPA Class Action Settlements
OTHER STATES’ BIOMETRICS EFFORTS
While other states have followed Illinois’ lead and enacted their own biometrics statutes, none have the same teeth as Illinois’ BIPA. Texas enacted the Capture or Use Biometric Identifier Act (CUBI) in 2009, but it does not contain a private right of action, empowering the Texas Attorney General to pursue violations instead.2 Washington’s biometrics statute, the Washington Biometric Privacy Act (WBPA), is even more watered down, as it does not require notice or consent in some circumstances and contains a broad security exception, exempting entities collecting biometric information for a “security purpose.”3 Like CUBI, the WBPA also does not contain a private right of action.
Effective July 9, 2021, New York City’s biometrics ordinance applies to “commercial establishments,—defined as food and drink establishments, places of entertainment, and retail stores—in New York City that collect, retain, convert, store, or share biometric identifier information from customers.4 According to the law, affected businesses must post clear, conspicuous notices near all customer entrances to their facilities. The ordinance gives aggrieved customers a private right of action, however, it is subject to a 30-day notice and cure period. Statutory damages range from $500 to $5,000 per violation, along with attorney’s fees.
Other states, such as Arkansas, California, New York, and Virginia have privacy statutes that regulate biometric information to varying degrees. Of these, only California’s (the California Consumer Privacy Act (CCPA)) includes a private right of action, but only in limited circumstances.5
Colorado has passed the Colorado Privacy Act (CPA), expected to be signed into law by the governor this month. The CPA’s definition of “sensitive data” includes biometric information used to uniquely identify a person, but like most state statutes, the CPA does not contain a private right of action.6
BIPA: THE GOLD STANDARD OF BIOMETRICS LITIGATION
Because Illinois was on the forefront of biometrics regulation, and because BIPA continues to contain the broadest private right of action, BIPA caselaw is considered the “gold standard” among biometrics litigation. BIPA litigation will continue to provide clarity—and make headlines—over the next year.
A Threshold Question: How Long is the Statute of Limitations?
BIPA does not specify a limitations period. Under Illinois law, where a statutory civil cause of action does not specify a limitations period, it will typically assume a “catchall” five-year limitations period.7 However, if another statute of limitations is “specifically applicable,” Illinois courts will apply that statute’s limitations period.8 To determine whether there is a more “specifically applicable” statute of limitations, Illinois courts analyze “the type of injury at issue, irrespective of the pleader’s designation of the nature of the action.”9
Applying this analysis, Illinois trial courts have consistently applied the catchall five-year statute of limitations to BIPA claims.10 Undeterred, hopeful defendants have argued for the application of one of two statutes of limitations that they claimed were more “specifically applicable” to BIPA, and which provide for shorter limitations periods.
First, some defendants have asserted that the statute of limitations for “[a]ctions in slander, libel, or for publications of matter violating the right to privacy,” which provides for a one-year limitations period, should apply to BIPA violations given that BIPA is, first and foremost, a privacy statute.11 In rejecting application of this statute of limitations, however, courts have found that “publication” is a necessary element of any claim governed by the statute, and in contrast to “publication” of information, BIPA violations generally involve “the deprivation of information.”12
The second statute of limitations posited by defendants as more “specifically applicable” is the statute providing for a two-year limitations period for personal injury actions “or for a statutory penalty.”13 Proponents of this limitations period pointed to BIPA’s provision of $1000 for negligent violations and $5,000 for intentional or reckless violations as a “statutory penalty.”14 By contrast, BIPA plaintiffs argued that BIPA is a remedial statute, not a penal statute, and pointed to the option for liquidated damages “or actual damages, whichever is greater”15 to demonstrate that BIPA does not mandate a statutory penalty, but rather “one part of the regulatory scheme, intended as a supplemental aid to enforcement rather than as a punitive measure.”16 In refusing to apply a two-year statute of limitations to BIPA, courts have concluded that BIPA’s provision for actual damages and the regulatory intent of its enactment show that it is a remedial statute not within the scope of the two-year statute of limitation for penal statutes.17
We may get clarity on this critical issue this year. The Illinois Appellate Court, First District, is poised to decide what limitations period applies to BIPA claims in Tims v. Black Horse Carriers, Inc., Case No. 1-20-0563 (1st Dist.). Indeed, several courts have stayed recent BIPA actions until the pending Tims decision is made.18 While a decision is expected this year, as the first appellate case to decide the statute of limitations for BIPA claims, Tims will most likely end up before the Illinois Supreme Court regardless of the outcome.
Moving the Goalposts: What is Required for Article III Standing?
A great deal of focus in BIPA cases has been whether plaintiffs have Article III standing in federal court to sue for violations of BIPA. To date, however, the body of law is far from settled and federal courts are still grappling with standing requirements for BIPA plaintiffs.
By way of background, the Illinois Supreme Court opened the floodgates of BIPA litigation in 2019 with its decision in Rosenbach v. Six Flags Entertainment Corp., which held that, in Illinois state court, a “violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”19 In other words, an individual is “aggrieved” within the meaning of the Act, and therefore has standing to sue, by a mere technical violation of BIPA, regardless of whether there is any additional injury. While Rosenbach expanded BIPA’s reach in 2019 and left little room for debate over standing in state court, the doctrine is far from settled in federal courts.
Multiple cases attempted to clarify the federal standing issue in 2020 but those cases have only further deepened existing federal circuit splits. These cases raised Article III standing issues in the context of two types of BIPA claims: (i) violation of Section 15(b) of BIPA, requiring private entities collecting biometric information to obtain informed written consent, and (ii) violation of Section 15(a) of BIPA, which requires a private entity in possession of biometric information to create a publicly available, written policy that contains a data retention schedule and guidelines for permanently destroying the biometric information.
As an initial matter, there has been no consistency among federal circuit courts on whether a plaintiff has standing to bring a Section 15(b) claim if no further injury is asserted. In 2020, the Seventh Circuit interpreted the collection of the biometric information itself as an actionable invasion of privacy that conveyed Article III standing upon the plaintiff in both Bryant v. Compass Group. USA, Inc.20 and Fox v. Dakkota Integrated Systems, LLC.21 These cases were consistent with the Ninth Circuit’s 2019 decision in Patel v. Facebook, Inc., holding that social media users had standing to bring a claim that a social media platform violated Section 15(b) by collecting and storing their face templates without obtaining informed consent. These cases, however, stand in sharp contrast to the Second Circuit’s 2017 holding in Santana v. Take-Two Interactive Software, Inc.—which is still good law—that there is no Article III standing in a case involving a bare, technical violation of BIPA.22
The Section 15(a) standing jurisprudence is even more convoluted. In 2017, the Second Circuit found that bare allegations of the failure to develop and publish a policy do not give rise to Article III standing.23 Just two years later, in 2019, the Ninth Circuit held that a plaintiff has Article III standing to bring claims based on the bare assertion that biometric information was collected or retained without the creation and publication of the required policy because the failure to develop and follow the policy was a violation of the plaintiff’s right to privacy.24 In 2020, the Seventh Circuit agreed with both. In Bryant, the Seventh Circuit held that the duty to disclose under 15(a) was “owed to the public generally, not to particular persons whose biometric information the entity collects.”25 Accordingly, the court reasoned, a mere technical violation of Section 15(a), without more, did not satisfy the requirements for Article III standing.26 Yet, just a few months later, in Fox v. Dakkota Integrated Systems, the Seventh Circuit held that, unlike in Bryant, plaintiff’s Section 15(a) claim satisfied Article III standing because rather than alleging a mere failure to publicly disclose a data-retention policy, plaintiff “accuses [defendant] of violating the full range of its Section 15(a) duties by failing to develop, publicly disclose, and comply with a data-retention schedule and guidelines. . . .”27 This broader allegation, while still devoid of allegations of additional injury, was sufficient to confer Article III standing.
Thus far, 2021 has not provided additional clarity. Indeed, the Seventh Circuit’s decision in Thornley v. Clearview AI, Inc.,28 provided more confusion, rather than edification. In Thornley, the plaintiffs alleged only a bare violation of BIPA under 15(c), which prohibits private entities in possession of biometric information from selling, leasing, trading, or otherwise profiting from an individual’s biometric information. In finding there was no Article III standing, the Seventh Circuit found that the complaint “described only a general, regulatory violation, not something that is particularized to [plaintiffs] and concrete,” and thus plaintiffs were able to “steer clear of federal court” by deliberately failing to satisfy Article III standing.29
Clearview AI has indicated it intends to appeal the Thornley decision to the Supreme Court, which could provide needed clarity. In the meantime, however, the Second, Seventh, and Ninth Circuits are split on whether bare procedural violations are sufficient to convey Article III standing. And, even more fundamentally, it remains difficult to reconcile the Seventh Circuit’s own recent decisions into a clear rule governing Article III standing in BIPA cases. As Justice David Hamilton of the U.S. Court of Appeals for the Seventh Circuit aptly noted in his concurrence in Thornley, “I confess that I have not yet been able to extract from these different lines of cases a consistently predictable rule or standard.”30
More Good News for BIPA Litigants: Duty to Defend Affirmed in Insurance Coverage Disputes
Given the flood of BIPA class actions, many defendants have turned to their insurers to cover their defense costs, prompting coverage disputes. Just last month, the Illinois Supreme Court, in a 6-1 decision, affirmed entry of summary judgment in favor of the plaintiff in a duty to defend an insurance coverage lawsuit.31 In the underlying lawsuit, Krishna, an L.A. Tan franchisee, was accused of violating BIPA by, among other things, collecting, using, storing, and disclosing customers’ fingerprints without obtaining written releases.32 The questions for the Court aimed to determine if the underlying allegations: (i) constituted a personal injury “arising out of … oral or written publication of material that violates a person’s right of privacy,” as required for coverage under the tanning salon’s insurance policy; and/or (ii) fell within the insurance policy’s so-called violation of statutes exclusion, which excluded coverage for violations of “[a]ny statute, ordinance or regulation … that prohibits or limits the sending, transmitting, communication or distribution of material or information.”
With respect to the first issue, the parties’ arguments centered on whether the “publication” element was met. The plaintiff alleged that the tanning salon violated BIPA by providing her fingerprint to a single third-party vendor.”33 Accordingly, the insurer argued that “publication” requires a communication to the public at large, rather than to just one outside vendor. The court rejected that argument, holding that “[c]ommon understandings and dictionary definitions of ‘publication’ clearly include both the broad sharing of information to multiple recipients … and a more limited sharing of information with a single third party.”34 Thus, the allegation that biometric information was shared with a single third party in violation of BIPA constituted a “personal injury.”
Proceeding to the second issue, the court relied on, among other things, the title of the section—Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other Method of Sending Material or Information—and found the exclusion only applied to bar coverage for violations of statutes that regulate certain methods of communications.35 Accordingly, the court reasoned that the exception did not apply to BIPA, which “instead regulates ‘the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.’”36 West Bend therefore had a duty to defend Krishna in the underlying class action.
The Illinois Supreme Court’s decision affirming West Bend’s duty to defend clearly has significant ramifications for both insurers and policyholders. Future BIPA coverage disputes will likely focus on distinguishing the parties’ policy from the Krishna/West Bend policy.
Like most privacy statutes, for BIPA, compliance is key. If your organization collects biometric information—even if it is not located in Illinois—it would be prudent to contact a privacy attorney to determine and limit legal exposure.