The rapid adoption of biometric technology—designed to measure unique human biological characteristics, like fingerprints, voiceprints, and hand or face scans—has led to a surge of consumer class actions alleging violations of the Illinois Biometric Information Privacy Act. But there is some hope for defendants embroiled in BIPA litigation, as not all courts have agreed plaintiffs can satisfy standing absent any real-world harm.
In January, the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp. opened the floodgates to this extremely-costly litigation by ruling plaintiffs can pursue BIPA claims even where no actual harm or damage occurred.
In August, building upon Rosenbach, the U.S. Court of Appeals for the Ninth Circuit in Patel v. Facebook, Inc. further expanded the ability to pursue BIPA claims for mere technical statutory violations by holding any BIPA violation amounts to a violation of plaintiffs’ substantive privacy rights; thus, it constitutes a cognizable, concrete injury-in-fact for Article III standing. The court also upheld the certification of a class of Illinois Facebook users, finding Facebook’s extraterritoriality and “runaway damages” arguments insufficient.
Patel is a noteworthy development for both data privacy and class action litigators. The Ninth Circuit’s opinion represents the first federal appellate decision to hold a mere technical BIPA violation injures an individual’s concrete right to privacy, and, thus, presents a concrete injury-in-fact for Article III standing.
Combined with Rosenbach, Patel will further incentivize plaintiffs seeking to recover statutory damages. Moreover, plaintiffs will likely point to the Patel court’s rejection of Facebook’s extraterritoriality and runaway damages arguments in seeking to certify large classes, further exposing companies to significant potential liability for any failures to comply with BIPA.
Hope Remains for Defendants
With that said, there is still some hope for defendants embroiled in BIPA litigation, as not all courts have agreed plaintiffs can satisfy Article III standing absent any real-world harm. For example, in 2017 the Second Circuit Court of Appeals held in Santana v. Take-Two Interactive that NBA 2K players lacked standing to pursue BIPA claims because they suffered no actual injury or harm by the video game’s collection and retention of their face scans.
And in late 2018, the U.S. District Court for the Northern District of Illinois in Rivera v. Google also dismissed a BIPA lawsuit against Google pertaining to the company’s photo app technology based on an absence of any concrete injury. Thus, the Take-Two and Rivera cases illustrate companies defending lawsuits alleging mere procedural or technical violations of the BIPA may still be able to challenge—if not defeat—these claims by demonstrating a lack of a concrete injury suffered by the plaintiff(s).
In addition, the Ninth Circuit’s ruling analogizing a BIPA violation to an invasion of privacy also provides robust support for the argument that a tight, one-year statute of limitations period should apply. BIPA does not itself provide a specific limitations period. Importantly, however, Illinois’s 735 ILCS 5/13-201—which pertains to actions for “slander, libel, or for the publication of matter violating the right of privacy”—has for a one-year statute of limitations.
Thus, a persuasive argument can be made that, based on the Patel decision, a one-year limitations period should be imposed for BIPA claims. Ultimately, a favorable resolution on this issue would greatly reduce the size of potential classes in BIPA suits and, in turn, provide an avenue for defendants to significantly limit their scope of BIPA liability in class actions.
Finally, Patel further underscores the importance of compliance with BIPA’s mandate to mitigate litigation risk for companies with any type of Illinois presence that deal with biometric data for commercial and/or employment purposes.
BIPA Compliance Tips
Any company that handles biometric data should consider implementing the following measures for BIPA compliance:
- establish a written policy regarding the company’s collection, use, and storage of biometric data, including retention schedules and guidelines for destroying data;
- provide individualized written notice before collecting, storing, or using any biometric data;
- obtain written consent before collecting, storing, or using any biometric data;
- utilize reasonable security measures to store, transmit, and protect all biometric data that is used by the company from unauthorized disclosure or access; and
- prohibit the disclosure, dissemination, and sale of all biometric data that is handled by the company.
Involving experienced counsel early on in this process can pay significant dividends by avoiding litigation or limiting exposure in the event a putative BIPA class action is filed.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Jeffrey N. Rosenthal is a partner at Blank Rome LLP in Philadelphia. He concentrates his complex corporate litigation practice on consumer and privacy class action defense, and regularly publishes and presents on class action trends, attorney ethics and social media law.
David J. Oberly is an associate at Blank Rome LLP in Cincinnati and is a member of the firm’s Cybersecurity & Data Privacy group.