News

Law360 | May 6, 2020 | Celeste Bolt

The Seventh Circuit significantly changed the landscape of biometric privacy litigation Tuesday when it held that federal courts can hear claims over whether defendants violated Illinois’ landmark biometric law by collecting such data without informed consent.

Its ruling answered a question that had loomed large over the booming crop of Illinois Biometric Information Privacy Act lawsuits — and come out differently than many federal district courts that have booted BIPA suits as alleging mere procedural violations without harm.

Attorneys from both the plaintiff and defense bars say they’re relieved to have an answer to a standing fight that forced them into what Chief Judge Diane Wood referred to as a “role reversal,” with companies accused of violating the law arguing federal standing existed when plaintiffs said otherwise.

The “bombshell” decision could even prompt input from the nation’s top court as the Seventh Circuit’s ruling deepens a circuit split on the issue, said John M. Fitzgerald, a Chicago-based partner at Tabet DiVitto & Rothstein LLC and author of a recently published book on BIPA.

A panel of the appellate court held Tuesday that former Compass Group USA Inc. employee Christine Bryant alleged more than a mere procedural violation when she claimed the company failed to disclose its intentions before collecting her biometric information through a vending machine at work.

Compass’ alleged failure to disclose deprived Bryant of substantive information that she was legally entitled to, and prevented her from giving Compass the type of informed consent BIPA requires, which is a concrete and particularized injury that establishes standing, the panel said.

That finding is in line with the Ninth Circuit’s similar ruling in Patel v. Facebook Inc, in which it found Facebook’s alleged BIPA violations constituted an injury-in-fact, but marks a departure from the Second Circuit’s conclusion in Santana v. Take-Two interactive Software Inc, in which the court held that plaintiffs lacked Article III standing without alleging private data could be disseminated or misused.

“If I was Ms. Bryant, I’d file a certiorari petition on this issue,” Fitzgerald told Law360. “It affects a very large number of lawsuits all across the country, and we hav ea clear circuit split of Article III standing.”

Much-Needed Clarity

The Bryant ruling makes BIPA standing requirements for federal court consistent with those for Illinois state court, and the Seventh Circuit’s reasoning is sound give that the BIPA law is somewhat unorthodox, said Todd Rowe, a partner at Tressler LLP.

“Fundamentally, because this statute is so unique, [that is] why we’re seeing this struggle,” Rowe said. “ultimately, I think the Seventh Circuit had to go there.”

Most privacy laws require some sort of breach, or real-world harm, and BIPA is unique to the extent you don’t need that breach, Rowe said.

The Illinois Supreme Court in 2019 determined that a mere violation of the state’s biometric privacy law is enough to confer standing without proof of actual harm in Rosenbach v. Six Flags.

“The failure to give notifications is the damages. The damages are almost built in,” he said. “State courts had it right from the start.”

Through the ruling may seem like more of a victory for defense attorneys who would prefer to litigate these cases in federal court, it also comes as a relief to plaintiffs’ attorneys like Lynch Carpenter LLP partner Katrina Carroll, who has feared the suits could go on for months in one forum only to have a judge decide it’s not the right court to hear the case.

“We’re thrilled we have clarity now and know where we can proceed with these cases,” she told Law360. “Federal court is the place to be, and we’re comfortable litigating there.”

Before the Seventh Circuit weighed in, plaintiffs were finding themselves in a “very precarious situation,” Caroll said.

“As [a plaintiff], I’m not going to stand up in front of a federal court and argue that I don’t have the standing to be there,” she said.

Fitzgerald agreed that it feels “counterintuitive” to describe Tuesday’s ruling as a win for the defense bar, even though they’re been in a position where they must argue their opponents’ claims have standing to stay in or move to federal court.

“it’s interesting that this victory for the defense bar occurs in the context of a court saying that violations fo BIPA do create injuries-in-fact that are sufficiently concrete to create Article III standing,” Fitzgerald said.

A ‘Strategic Option’ for Defense Attorneys

To Benesch Friedlander Coplan & Aronoff LLP defense attorney Mark Eisen, the Bryant decision was somewhat unexpected, given that district courts have by and large found similar claims lacked Article III standing and, based on prior Seventh Circuit authority, related to the collection of personal information.

“This decision did not really make an effort to separate those decisions from the district courts or the decision from the Second Circuit with any significant analysis, maybe because the Seventh Circuit views biometrics being treated somewhat differently,” Wisen said.

As a practical matter, plaintiffs in BIPA cases aren’t alleging something wrong was done, he said.

“They’re saying, ‘I knew what I was doing, but you should have given me certain information before I did that,” Eisen said. “To find that was enough under [Spokeo Inc. v. Robins], I think is fairly unexpected. But we’ll take it.”

The decision subjects BIPA cases— which are often brought on behalf of a putative class — to a more stringent analysis under Federal Rule of Civil Procedure 23, which governs class actions, and brings a strategic option to the table that many plaintiffs’ lawyers may have been looking to avoid, he said.

For example, the Seventh Circuit has taken a more defense-friendly view of union issues in the BIPA context, where some state authority hasn’t, Eisen said.

“It seems to be one of those relatively rare circumstances where the defense is certainly benefiting from the Seventh Circuit’s guidance on this, which has not always been defense-friendly,” he said.

Duty to Public Vs. Individuals

While the Seventh Circuit found Bryant’s proposed class claim under Section 15(b) of BIPA — which requires, among other things, a written release before biometric information is collected — shouldn’t have been sent back to state court, it found she lacked standing to pursue her claims under Section 15 (b) of the statute, which requires a publicly available data public retention schedule and guidelines for permanently destroying biometric information.

The court held Compass’ duty under that section of the statue is to the public generally, not the specific individuals whose biometric information it collects, and Bryant alleged no particularized harm for the violation of that aspect of BIPA, the panel said.

But it was a distinction Fitzgerald found surprising, given the purpose of the laws as a whole, he said.

“15(b) and 15(b) were generally intended to protect the same rights. It’s certainly a surprising element of the ruling,” he said.

Rowe, however, said it makes sense given that the opinion was largely driven by the need to get Bryant’s consent or the opportunity to consent.

Carroll agreed, saying the court concluded that if Bryant had all the relevant information, she might have chosen to buy snacks from Compass’ biometric vending machines.

“That to me is what swayed them… as opposed to the general injury to the public at large,” she said.

And while the distinction does raise the question of whether to pursue an alleged Section 15(a) violation separately in Illinois state court, where a crafty plaintiff could attempt to make a “removal proof” claim, it’s not something Carroll said she would explore.

“If there’s now a recognition that the injuries under 15(b) are concrete and particularized… and plaintiffs can seek redress for them, that’s what we’re more interested in,” she said.

Katrina Carroll was featured and recognized as authority in Law360’s article, “Breaking Down Illinois’ Biometric Privacy Litigation.” The text of the article is reprinted below.

Biometric privacy litigation was already steady in Illinois when the state high court established a low threshold for plaintiffs to bring suit, creating a boom of cases that puts both small businesses and deep-pocketed tech giants on the defensive without a clear out.

A steady drumbeat of cases hit the Illinois courts in recent years alleging violations of the Illinois Biometric Information Privacy Act, many targeting employers that required workers to scan fingerprints to clock in and out. But the BIPA landscape changed when the Illinois Supreme Court in 2019 addressed the threshold issue of who can be considered an “aggrieved person” able to sue under BIPA, concluding a violation of the statute’s requirements is enough without an allegation of a separate real-world harm.

That took the wind out of the sails of defense attorneys who hoped a lack of harm could be the key to winnowing BIPA cases. But it’s an argument that has gotten traction in federal court, where some judges have thrown out BIPA cases when plaintiffs don’t meet federal standing requirements despite the Rosenbach v. Six Flags decision.

BIPA cases continue to roll in, some advancing novel theories of liability, like one alleging IBM Corp. performed facial scanning on images uploaded to Flickr without notifying or getting consent from the subjects of those photos. Most litigation is in the early stages, and the defense bar says it hasn’t yet gotten to test major defenses like whether a company was negligent or whether the technology at issue actually captures biometric information.

Here, Law360 breaks down the landscape of BIPA litigation in Illinois today.

BIPA Targets Go Beyond Employers

Lawsuits alleging biometric privacy violations have largely arisen in the employment context, with companies facing claims over the fingerprint scanners they typically use in their businesses for time-keeping and security purposes, said Mary Smigielski, a partner and co-chair of Lewis Brisbois Bisgaard & Smith LLP’s BIPA practice group.

What Smigielski expects to see going forward is additional lawsuits against manufacturers of those devices, she said.

Amazon and Google were also hit with BIPA suits in Illinois state court last year over voice recordings made by their devices equipped with virtual assistants, Alexa and Google Assistant.
Facial recognition will be the “new frontier” in BIPA litigation, Lynch Carpenter LLP partner Katrina Carroll told Law360. Carroll said millions of people are uploading pictures to social media without expecting those images to be harvested by third parties and scanned for biometric data without their permission.

Carroll is one of the attorneys representing Chicago-area photographer Tim Janecyk, who alleges photographs he posted to Flickr appear in IBM’s “diversity in faces” dataset, which it made available to researchers in 2019. He claims the resulting unique face template was used by IBM to recognize his gender, age and race, and was disseminated to third parties, even though he never gave the company permission — written or otherwise – to use his biometric information.

Another lawsuit filed in February accuses a controversial facial recognition technology company of using of billions of facial data points “scraped” from images posted to platforms such as Facebook, Instagram and Twitter. Uploading a photograph to the database allows users to identify private citizens and gives them access to all the personal details Clearview AI has obtained, according to the lawsuit.

“The technology is more prevalent. We’re learning that so many more companies are using facial recognition,” Carroll said. “It’s scary. People’s privacy is being threatened on a daily basis. The potential for misuse is so great.”

Early BIPA Rulings Make Ending Cases Hard

So far, decisions in BIPA cases have not been particularly favorable to the defense, Smigielski said. Courts have largely rejected arguments for a shorter statute of limitations, constitutional arguments, and defenses raising the question of an exemption under Illinois’ workers’ compensation law, she said.

But in McDonald v. Symphony Bronzeville Park LLC, an Illinois state court judge in December granted the defendant’s bid to immediately appeal a ruling that the Illinois Workers Compensation Act doesn’t preempt a BIPA claim. That will be a case worth watching, because many of the workers filing these suits are complaining of some emotional distress and injuries, Nixon Peabody LLP partner John Ruskusky said.

Also unanswered is the question of whether a bare procedural violation is enough to keep a BIPA lawsuit in federal court. Judges have been split on the issue, which is teed up before the Seventh Circuit, with some finding plaintiffs don’t have federal standing without an allegation that private data could be disseminated.

In August, the Ninth Circuit rejected argument from Facebook that users who claim the company’s face scanning practices violate BIPA had failed to assert the type of concrete injury necessary to establish Article III standing. Facebook paid $550 million to compensate millions of Illinois users who claimed the company breached the law by using facial recognition without their consent to fuel its feature that suggests tags for photos.

The Ninth Circuit ruling dealt a blow to defendants that argue that BIPA’s requirements are merely procedural and don’t protect any substantive rights that would produce the concrete harm necessary for standing.

But the issue hasn’t been resolved, and there remains a disconnect between how state courts and federal courts are looking at these cases, Carroll said. She fears cases could be tied up in the wrong forum for years.

“We need to reconcile this standing issue so we can all move on with our lives,” Carroll said. “If we can only sue in state court, we need to know that.”

Meanwhile, Ruskusky said two of the major defenses have yet to be tested at all. One of those defenses is what it means under BIPA for a defendant to be negligent or reckless for damages purposes. The other involves getting into the specifics of what the technology at issue in these cases actually does — a lot of these devices don’t actually capture a fingerprint, but some other assortment of data, Ruskusky said.

“Does something less than a fingerprint count, and if so, what is biometric information?” Ruskusky said.

Smigielski agreed, saying discovery disputes will likely result in plaintiffs having to do more than use the words “biometric identifier” and set a more defined basis for why the technology falls under BIPA.

“Say you have the technology to protect the nuclear codes, versus something you buy off Amazon. One very well may not fall under the law, but they’re treated exactly the same,” she said. “Some machines the plaintiffs are alleging are face scanners, they take a picture. That is something excluded under BIPA. A photograph is excluded, a facial scan is included.”

No Signs of BIPA Fights Slowing Down

Right now, attorneys should be watching closely to see how the law continues to develop as defendants advance more arguments and courts move through motions to dismiss these cases, said Tom Ahlering, co-chair of Seyfarth Shaw LLP’s biometric compliance and litigation group.

“It’s kind of been a little bit of a slow start waiting for Rosenbach,” Ahlering said. “I think the tide will turn a little bit as defendants assert some more of these arguments.”

The litigation will evolve as technology does, so attorneys should keep up with the landscape and come up with creative solutions as these cases advance to discovery, Smigielski said.

Carroll, meanwhile, maintains that in the employment space, more companies are trying to comply with the law. She thinks claims over facial recognition software will be the more unfamiliar territory going forward.

Ahlering predicts BIPA might follow a similar track as the Telephone Consumer Protection Act as the case law becomes more voluminous.

“When the TCPA was first enacted, it was a straightforward law that seemed really simple and basic,” he said. “Years later, we know every little word and definition of the statute.”

And after Rosenbach, defendants “haven’t thrown in the towel,” Ahlering said.

“They’ll keep advancing new arguments and strategies,” he said.

Lynch Carpenter Partner, Katrina Carroll presented at the fifth annual E-Discovery Conference in Minneapolis, Minnesota this month. The conference, also known as the Complex Litigation E-Discovery Forum, is based on best practices for plaintiffs’ side complex litigation attorneys. The two-day seminar focused on depositions and e-Discovery.

Carroll’s topic, “The Interplay of Depositions & E-Discovery: Plaintiff Offensive Review Workflows and Tips” included several strategies when preparing class action plaintiffs for the litigation discovery process. She highlighted how crucial it is to 1). Establish open dialogue with each client, outlining the importance of transparency in communication and 2.) The discovery process could involve the investigation of a client’s online presence. Social media interactions can result in a waiver of attorney-client privilege. Those clients pursuing litigation must be careful when sharing information on social media and not discuss specific details of their case, otherwise, they forfeit their privilege. In this day in age when oversharing is the norm, attorneys must compel their clients to focus their energy on communicating with their attorneys and forgo the urge to disclose every detail of their case online.

Katrina Carroll has participated in numerous conventions and conferences such as the American Bar Association Annual National Institute on Class Actions in 2014, the Perrin’s Class Action Litigation Conference in 2015, Loyola University School of Law’s Consumer Law Review Academic Symposium in 2017 and the Class Action Mastery Program in 2018 to name just a few.
For more information on Katrina Carroll’s work or on the E-Discovery Forum please visit:
E-Discovery Conference Website (Opens in new window)