BIPA and Its Federal Problems

Written by Alexander Ogren

Chris Costes (CC BY 2.0)

It’s not fun to have your credit card or identity stolen. It takes time, money, and mental energy to right yourself. Now, instead of just using cards as the gatekeepers, many companies are using customers’ biometric information, such as fingerprints and facial geometry scans, to control access to private information. But unlike credit cards, you can’t just order a new one to secure your data. All victims of such thefts would need reconstructive surgery to protect themselves from future risk.

Recognizing this concern, Illinois passed the Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. 14/1 et seq., to incentivize companies to handle biometric data more securely. Specifically, the Act requires companies to publish and disclose a policy about how it collects, uses, and destroys the information. Other states have passed similar laws allowing regulatory control over companies possessing biometric data, but Illinois is the first to create a private right of action for consumers against companies storing such information. As you might expect when you combine gigantic companies storing data on huge numbers of people with $1,000 fines per violation, BIPA has led to massive class-action lawsuits.

Illinois courts have, unsurprisingly, taken a somewhat lenient view towards these claims. For example, Sekura v. L.A. Enterprises, Inc., No. 15-CH-16694, ultimately settled for $1.5 million. But corporate defendants who are able to transfer their cases into federal courts based on diversity jurisdiction have launched successful attacks against the claim.

One such defendant was Facebook, who has faced multiple lawsuits alleging that the facial geometry data used by its photo tagging suggestion feature violates the Act. The first defense that Facebook raised, in Gullen v. Facebook.com, Inc. (N.D. Ill. 2016), was personal jurisdiction, as Seventh Circuit precedent creates a high bar against websites, forcing plaintiffs to likely have to go to out of state to sue tech companies. One such class made the trip, as In re Facebook Biometric Information Privacy Litigation(N.D. Cal. 2016) shows. But the plaintiffs still face a daunting hurdle in the form of Article III standing, draped over the case last year on the basis of the Supreme Court’s opinion in Spokeo, Inc. v. Robins (2016) (holding that a “bare procedural violation” of a statute is insufficient to establish Article III standing; rather, the plaintiff must have suffered harm to a concrete interest). Facebook argued that simply not disclosing how it is collecting and storing the information is a bare procedural violation without any further concrete harm. Facebook is currently pending in district court, but defendants in other jurisdictions have already challenged BIPA claims under the new Spokeo standard.

First, in McCollough v. Smarte Carte, Inc. (N.D. Ill. 2016), plaintiffs sued a locker and luggage cart rental service that utilizes fingerprints to control access to the equipment. The court dismissed the claim, stating that the plaintiff must have known that the defendant was storing the information (since she used her thumbprint to get into her locker), and that there was no risk the information would be disclosed.

Following that decision, a court also declined to recognize standing in Vigil v. Take-Two Interactive Software, Inc. (S.D.N.Y. 2017). Here, plaintiffs sued over the storage of facial scans used to create digital avatars for the video game NBA 2K15. Utilizing a two-step, Second Circuit framework, the court held that the privacy concerns implicated by the statute were not at issue, as there was no risk that the information would be disclosed. Mere storage was consistent with how the plaintiffs expected the data to be used and could not confer standing.

But in Monroy v. Shutterfly, Inc. (N.D. Ill. 2017), a court held that where the plaintiff had never used Shutterfly, he did not consent to the storage of his facial geometry for tagging purposes. This distinguished the prior cases, holding that ignorance as to the fact that personal data is even being collected can create a concrete privacy injury.

Apart from standing, plaintiffs also must show that the activity is geographically covered by Illinois law. In Rivera v. Google Inc. (N.D. Ill. 2017), Google challenged whether the Act covered face templates used to find and group together photographs of people taken on Droid smartphones. Because these issues occur on the “cloud”—and don’t necessarily involve a specific location within Illinois—there is some dispute as to where the harm occurred, and imposing liability for photographs with tenuous connections to Illinois will make Google comply with the Act nationwide, potentially violating the Commerce Clause by interfering with other states’ rights to regulate the internet. Because Illinois uses a circumstantial, factor-based test to address the extraterritoriality, the court declined to decide these issues without factual discovery about the creation of the data and the location of consent, leaving these questions open for future resolution.

The list of defendants in Illinois courts illustrates the breadth of the Act: hotels, tanning salons, steel and manufacturing companies, Snapchat, food service providers, and bars have all been sued. Complicating matters, more states are considering similar laws, which companies are fighting vigorously. And while a congressional solution could address the Commerce Clause and consumer protection issues, Congress has not really looked into this issue since 2014. In light of the Equifax breach, however, there is some thought that Congress should do away with Social Security numbers altogether and replace them with biometric information, which would lead to an even greater need for regulation to protect consumers’ privacy interests. Recognizing this importance, states probably are not going to do away with their statutes. And given that companies gain significant value from this information, the collection, use, regulation, and subsequent litigation in this field probably are not going to go away either. Federal courts are thus going to have to resolve these issues or face kicking the can to state courts to play the major role in regulating some of the U.S. economy’s largest actors.