The Illinois Biometric Information Privacy Act (“BIPA”) went into effect in 2008 and since then has been heavily litigated in state and federal court. There has been an emerging divide between state and federal courts regarding when a plaintiff has standing to pursue claims for alleged violations of BIPA—state courts have been quick to allow enforcement of the statute in the absence of any actual harm, while federal courts have been less keen on permitting cases to continue where the Plaintiff did not suffer a “concrete” harm.
Well, clarity has just come at the federal level—and this is a very big deal for companies doing business in Illinois. The Seventh Circuit Court of Appeals held yesterday that BIPA Plaintiffs do have standing to recover damages in federal court after all—at least in certain cases. See Bryant v. Compass Grp. USA, Inc., 20-1443 (decided May 5, 2020). That means these cases—with their potential for large class action damages—can continue at the federal level.
First, some background for the uninitiated. BIPA was enacted for the specific purpose of addressing the heightened risk of identity theft associated with the processing of biometric data—think your face shape or your fingerprints (yeah, companies keep this stuff). Unlike other unique identifiers used for financial and other purposes—like a phone number or an address—when biological data is compromised—such as by a data breach—the hacker/thief has a permanent identifier for the affected individual. Accordingly, the Illinois legislature adopted specified safeguards intended to protect the privacy of personal biometric data, joining Texas and Washington, which have also enacted laws addressing this issue.
Among other protections, Section 15(a) of BIPA requires publicly posting a general notice about the company’s biometric data retention periods whereas Section 15(b) of BIPA requires providing specific notice and obtaining consent from the particular person whose biometric information is collected. 740 Ill. Comp. Stat. 14/15(a), (b). BIPA also bans the sale or trade of personal biometric information for profit. Id. at 14/15(c). And importantly BIPA provides for a private right of action to “[a]ny person aggrieved by a violation” of the statute. Id. at 14/20 (emphasis added). The costs of noncompliance with these provisions are significant, with uncapped statutory damages in the amount of $1,000 per negligent violation of BIPA and $5,000 for each intentional or reckless violation. Id. at 14/20.
But what does it mean to be aggrieved?
Just last year the Illinois Supreme Court held in Rosenbach v. Six Flags Entm’t Corp. that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under [BIPA], in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.” 129 N.E.3d 1197, 1207 (Ill. 2019). In other words, an alleged statutory violation under BIPA was sufficient for purposes of bringing a BIPA claim in Illinois state court, even in the absence of an “actual injury.” See id.
Obviously, however, this holding is in tension with the Supreme Court’s ruling in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) where the Supreme Court held that Article III standing “requires a concrete injury even in the context of a statutory violation,” and “a bare procedural violation, divorced from any concrete harm” does not pass constitutional muster. Id. at 1549 (emphasis added).
So while a Plaintiff certainly has statutory standing to pursue a BIPA claim in the absence of concrete harm, does he or she have constitutional standing to pursue such a claim in federal court? The district courts are (or at least were before Bryant) split on the issue. Some have set a very low bar for concrete harm.
Which brings us to Bryant. At the district court level, it was actually the Plaintiff that moved to remand the case to state court, following its removal—the Plaintiff asserted that she and class members actually lacked constitutional standing in that they did not suffer a concrete harm from the violation—how about that? While Plaintiff alleged that the Defendant obtained her fingerprints without providing required BIPA disclosures, she did not allege that Defendant had allowed the data to fall into the wrong hands or that the capture of the data otherwise caused harm.
The district court granted the motion concluding that “no harm” really means “no foul” for purposes of constitutional standing: “[s]everal courts in the Northern District of Illinois have ruled on the precise question before this Court and have uniformly held that BIPA procedural violations—without some additional action by the defendant, like surreptitious collection or disclosure to third parties—do not give rise to concrete injuries.” Id. at *5-6 (collecting cases). So the case was dismissed and Plaintiff’s motion for remand was granted.
The Seventh Circuit disagreed, however, reversing the district court. Op. at 2 (“a failure to follow section 15(b) of [BIPA] leads to an invasion of personal rights that is both concrete and particularized.”). Focusing on whether the Plaintiff was vindicating a private right or a public right, the Seventh Circuit panel concluded that Plaintiff did have standing to sue because it was her own biometric information that was obtained without disclosures, and not data about the public at large. Accordingly, for purposes of Section 15(b) of BIPA, the Seventh Circuit held that plaintiff was not asserting a “bare procedural violation” and rather the alleged conduct of the defendant amounted to “an invasion of her private domain, much like an act of trespass would be,” and therefore a “direct application of Spokeo, leads to the result that [plaintiff] satisfied the injury-in-fact requirement of Article III.” Id.
However, the same result was not reached with regard to plaintiff’s claim under Section 15(a) of BIPA, which concerned the statute’s data retention schedule requirements, among others. The court concluded that “[i]n contrast to the obligations set forth under section 15(b), the duty to disclose under section 15(a) is owed to the public generally, not to particular persons whose biometric information the entity collects.” Op. at 16. As such, the court held that the plaintiff “alleges no particularized harm that resulted from [defendant’s] violation of section 15(a)” and “did not suffer a concrete and particularized injury.” Id. Therefore, the plaintiff lacked standing under Article III to pursue her claims arising under Section 15(a) of BIPA in federal court. Id.
So there you have it. Bryant is obviously a huge deal for BIPA litigants—all of whom bring suit within the Seventh Circuit footprint—because it clarifies which classes of BIPA provisions afford nearly-automatic standing, and which classes do not. As litigation continues to be filed under BIPA and other states consider passing statutes to protect residents’ biometric information, this issue will take on continued importance—especially with the outbreak of COVID-19 and the possible proliferation of biometric tracking in response. But Bryant is important beyond BIPA cases—with courts still struggling to apply Spokeo in the context of other privacy statutes—think FCRA and TCPA—the Seventh Circuit’s focus on “private” vs “public” harm might provide some (at-times unwanted) guideposts to federal court litigants.
We’ll keep an eye on further BIPA developments.
Note: Following this post and a petition for rehearing in Bryant, the Seventh Circuit amended the opinion to clarify the limits of the Section 15(a) holding, ruling that the plaintiff’s claim was extremely narrow, alleging only a violation of the Section 15(a) duty to publicly disclose data retention and destruction protocols. The Court specifically emphasized that “[o]ur analysis is thus limited to the theory [plaintiff] invoked” and did not address other provisions in Section 15(a).