CPW has previously covered how companies can proactively use binding arbitration agreements to manage litigation risk, including in the context of data privacy litigation.  But as a biometric software developer just learned, if you’re not a signatory to the agreement, you had better make sure the arbitration clause is drafted broadly enough to cover you to avoid litigating Illinois Biometric Information Privacy Act (“BIPA”) claims in court.  Last week in Sosa v. Onfido, Inc., 2021 U.S. Dist. LEXIS 658 (N.D. Ill.), a judge in the Northern District of Illinois refused to grant a motion to compel arbitration for litigation brought under BIPA, finding that the arbitration agreement did not cover the defendant.  Read on below.

The plaintiff in Sosa had an account with OfferUp, Inc., a marketplace where people buy and sell goods online.  According to the pleadings, OfferUp partnered with the defendant, Onfido, to establish users’ identities. Specifically, the plaintiff alleged that users (including himself) upload their driver’s license or ID along with photos of their faces, and that Onfido’s software scans the images and extracts biometric identifiers in order to confirm if they match the uploaded IDs. The plaintiff filed a putative class action complaint, alleging that Onfido violated BIPA by collecting and storing biometric information without obtaining written releases and providing certain required notices.

Onfido invoked the arbitration provision in OfferUp’s Terms of Service, which Onfido claimed the plaintiff agreed to when he registered for OfferUp and each time he accessed his account. Ordinarily, as a matter of Illinois law, only signatories to an arbitration agreement can enforce it, but Onfido argued that three court-recognized exceptions to this rule applied: (1) third-party beneficiary, (2) equitable estoppel, and (3) agency.

The court disagreed.  The court first found that Onfido was not an intended beneficiary of OfferUp’s Terms of Service because the language in the arbitration provision did not extend to anyone but OfferUp and its users. Notably, this may have come out differently if the arbitration clause had explicitly covered disputes between users and Onfido, or even perhaps disputes between users and unspecified third-party providers, but the agreement here just referenced OfferUp.

The court also rejected the argument that equitable considerations required arbitration because, according to the court, under state-law principles, there was no indication that Onfido detrimentally relied on any representations about arbitration.  In this discussion, while the court recognized the liberal policy favoring arbitration agreements, it noted that this policy “has its limits,” and “[n]othing authorizes a court to compel arbitration of any issues, or by any parties, that are not already covered in the agreement.”

Finally, although recognizing that in Illinois, “an agent may invoke an arbitration agreement entered into by its principal,” the court held that Onfido was not an agent of OfferUp.  The court noted that “[c]ompanies routinely partner with one another to provide services to customers without acting as one another’s agents,” and there was nothing in the record to demonstrate a principal-agent relationship between OfferUp and Onfido.

So there you have it.  Another day, another data privacy litigation.  Here, the plaintiff’s BIPA claims against this ID-verifying software developer will be resolved in federal court, not arbitration.  Stay tuned.