Readers of CPW already know about Bryant involving litigation under the Illinois Biometric Information Privacy Act (“BIPA”).  That is because earlier this year in a closely watched decision the Seventh Circuit Court of Appeals held that the Plaintiff in Bryant adequately alleged Article III standing (for some of her BIPA claims)—meaning that the case could continue to be litigated in federal court.  Well, the newest development in Bryant came out right before Thanksgiving, with a federal district court ruling on Defendant’s motion to dismiss the Amended Complaint (which included a constitutional challenge to BIPA).  Bryant v. Compass Group United States, 2020 U.S. Dist. LEXIS 222219 (N.D. Ill. Nov. 29, 2020).  Read on to find out how it all went down.

A quick recap: BIPA regulates the storage and sale of biometric data—most simply, information regarding a person’s body measurements—and affords consumers the right to sue businesses that fail to comply.  Well, at least for Illinois residents (sorry everyone else).  For the full scoop on BIPA, click here.  The Plaintiff in Bryant filed a putative class action raising claims under BIPA after her fingerprint scan was collected when she signed up to use a smart vending machine.  This included raising, among other allegations, that Defendant violated Section 15(a) of BIPA by possessing Plaintiff’s biometric information and failing to destroy that information once the purpose for collecting that information was complete.  [Note: the Seventh Circuit held only last month that alleged violations of Section 15(a) under BIPA sufficed for purposes of Article III standing].

The Defendant in Bryant moved to dismiss the Amended Complaint for failing to satisfy federal pleading standards (a separate inquiry than standing).  The Court addressed each one in turn.

First, the Defendant argued that while BIPA does include a specific statute of limitations, a one-year period should govern Plaintiff’s claims (meaning that they were untimely and should be dismissed).  The Court disagreed, holding that BIPA claims under Illinois statutory law were subject to the default five-year statute of limitations.

Second, the Defendant argued that Count II of the Complaint (the Section 15(a) claim) should be dismissed as the Plaintiff failed to adequately allege each of the elements of this cause of action.  On this issue, the Court sided with the Defendant (in what might be seen as an interesting loophole for defendants named in BIPA litigation, although see CPW’s earlier analysis of another case involving a similar issue with a different result)  This was because, the Court reasoned,

To state a claim under § 15(a), a plaintiff must allege that the defendant has failed to comply with its established retention and destruction guidelines.  Making such an allegation requires making a[n] antecedent allegation—namely, that the defendant has established retention and destruction guidelines.  One cannot fail to comply with guidelines that do not exist.  Merely holding on to biometric information does not give rise to a § 15(a) claim unless holding on to it violates the established retention and destruction guidelines.

Because the Amended Complaint was silent as to whether Defendant had any retention and destruction guidelines in place, it failed to state a claim under Section 15(a) of BIPA.  The Court also held that this claim should be dismissed for the additional, independent ground that it was unripe (BIPA Section 15(a) requires that the guidelines an entity establishes must provide for the destruction of biometric identifiers within three years of the individual’s last interaction with the entity or when the initial purpose for collecting or obtaining such identifiers has been satisfied, whichever is earlier.  This three year period had not yet run).

And third, the Defendant also raised a constitutional challenge to BIPA.  The Illinois state constitution provides that the Illinois general assembly “shall pass no special or local law when a general law is or can be made applicable.”  The Illinois Supreme Court has held that this language “prohibits the General Assembly from conferring a special benefit or exclusive privilege on a person or a group of persons to the exclusion of others similarly situated.”  This constitutional provision was relevant in Bryant because BIPA excludes from its scope financial institutions, affiliates of financial institutions that are subject to the Gramm-Leach-Bliley Act, government agencies, and government contractors working in the capacity as contractors.  To put it otherwise: these entities do not need to comply with BIPA’s requirements.

In order for the Defendant to prevail on its constitutional challenge to BIPA, it had to establish that this exclusion was not rationally related to a legitimate government interest.  The Court held that the Defendant failed to do so, stating that “[t]he Illinois General Assembly’s decision to exclude certain entities from BIPA’s coverage is eminently rational.”  As just one of the examples given by the Court, financial institutions were appropriately excluded because they are already subject to a comprehensive privacy protection regime under federal law.  Because such entities already have privacy safeguards in place, imposing additional requirements on them in this area “would have been minimally efficacious.”

The dismissal of Plaintiff’s Section 15(a) BIPA claim was without prejudice (meaning that Plaintiff could seek to amend the Amended Complaint yet again and cure the deficiencies identified by the Court).  Even in the absence of this measure, however, litigation in Bryant will continue.  CPW will be there.  Stay tuned.