Yesterday, the Seventh Circuit weighed in on the critical issue of whether a plaintiff bringing a data privacy action – this time, under Illinois’ Biometric Information Privacy Act (“BIPA”) – has Article III standing to sue in federal court.  In a twist that civil procedure buffs will love, Plaintiffs claimed that they did not have standing (because they preferred to litigate in state court), while defendant claimed the Plaintiffs had valid standing.  Ultimately, Plaintiffs won the day, and the Seventh Circuit affirmed the district court’s remand to Illinois state court.[1]

In Thornley v. Clearview AI, No. 20-3249, 2021 U.S. App. LEXIS 1006 (7th Cir. Jan. 14, 2021), Plaintiffs initially filed suit in Illinois state court against Clearview, alleging violations of BIPA §§ 14/15(a), (b), and (c).  Clearview removed the case to federal court, and Plaintiffs voluntarily dismissed, only to bring another claim against Clearview in Illinois state court.  This time, Plaintiffs alleged only a violation of BIPA § 15(c), with a narrower proposed class definition.  When Clearview promptly removed to federal court again, Plaintiffs filed a motion to remand, alleging (under Spokeo) that the BIPA violation alleged in the complaint was a “bare procedural violation, divorced from any concrete harm” that did not support Article III standing.  In general, a plaintiff must show that three things are true to establish Article III standing, which is necessary for suit in a federal court: (1) that he or she suffered an injury in fact that is concrete, particularized, and actual or imminent, (2) that the injury was caused by the defendant, and (3) that the injury would likely be redressed by the requested judicial relief.  The Thornley court focused only on the first factor (the “injury in fact requirement”).

The Thornley court first turned to relevant Seventh Circuit precedent in which it had already examined the issue of Article III standing under BIPA, pointing back to its decisions in Miller v. Southwest Airlines Co., 926 F.3d 898 (7th Cir. 2019); Bryant v. Compass Group USA, Inc., 958 F.3d 617 (7th Cir. 2020); and Fox v. Dakkota Integrated Systems, LLC, 980 F.3d 1146 (7th Cir. 2020).  It did so to underscore two points: first, that “allegations matter,” specifically the particular allegations that each plaintiff brings, even in cases that are factually similar or brought under the same statutory provision; and second, that Article III must be satisfied regardless of the type of violation that is alleged (procedural or substantive).

The Thornley complaint alleged a violation of BIPA § 15(c), which specifies that companies may not profit from individuals’ biometric information, and conceded that no class member suffered any injury aside from that statutory violation (the inclusion of their biometric information in Clearview’s database).  In evaluating the removal to federal court, the district court found that these particular allegations did not show concrete or particularized harm.  The Seventh Circuit agreed, noting that its decision would be different if the allegations had been different – for example, if the named plaintiff had alleged that, by selling her data, defendant had amplified an invasion of privacy, or deprived her of her own opportunity to profit from her data, that could have potentially satisfied Article III standing.  As the complaint was written, though, it did not allege any particularized injury.

The Thornley court also considered whether the fact that Plaintiffs had brought a class action – in which class members might potentially have suffered more particularized harm – would defeat the remand to state court.  It distinguished Thornley from Standard Fire Insurance Co. v. Knowles, 568 U.S. 588 (2013), a case in which a plaintiff sought remand to state court with a stipulation that he and the class would not seek more than $5,000,000 in damages; the Supreme Court found that such a stipulation could not be binding on class members.  Thornley differed because the issue turned on Plaintiffs’ class definition, and because “the plaintiff controls her own case,” Plaintiffs had the right to file a complaint with a narrower class definition than they could have otherwise sought.  The Seventh Circuit noted that other putative plaintiffs were free to bring their own class actions against Clearview with broader class definitions.

Ultimately, the Seventh Circuit acknowledged that it was “no secret” that Plaintiffs had taken care with their allegations and proposed class definition to “steer clear of federal court,” but noted that, “in general, plaintiffs may do this.”  Plaintiffs were permitted to “take advantage” of the fact that BIPA permits suit for solely statutory violations.

In a concurrence, Judge David Hamilton opined on the different outcomes of Seventh Circuit decisions on standing for private plaintiffs bringing suit under consumer protection statutes, observing, “I confess that I have not yet been able to extract from these different lines of cases a consistently predictable rule or standard.”  Judge Hamilton noted that Spokeo may have “raised more questions than it answered” in its finding that standing requires concrete injury, but that intangible injuries may sometimes be considered concrete.  As a result, he observed that some Seventh Circuit decisions may have “take[n] Spokeo too far” in denying standing for private plaintiffs alleging substantive violations of consumer protections statutes.

Thornley is the latest in a slate of federal court decisions on Article III standing in the context of data breach litigation, but is a win for class action plaintiffs looking to litigate BIPA claims in Illinois state courts.  Defendants seeking removal to federal court in data privacy actions should take special notice of the specific allegations they are contesting.  As Thornley demonstrates, those allegations can make or break your removal case.

[1] As many CPW readers know, BIPA regulates the storage and sale of biometric data, and offers consumers protections of that data, including the right to sue a business that fails to comply with BIPA’s requirements.  CPW readers will also be familiar with Clearview AI, a manufacturer of software that “scrapes” pictures from social media sites and sells access to a database of these pictures to clients, many of whom are law enforcement agencies.