Many of the litigations that CPW has previously covered involving Illinois’ Biometric Information Privacy Act (“BIPA”) have turned on issues with parties that have directly used biometric technology to collect and store personal information.  These parties are often employers collecting information about their employees, such as having employees scan fingerprints to clock in and out.  In case you need a refresher, check out some of CPW’s prior posts here and here.  But what about the manufacturers of those biometric technologies?  Three recent Illinois federal and state lawsuits illustrate potential litigation risks for third party vendors under BIPA.  Read on below.

First, a refresher for you BIPA novices out there.  BIPA was enacted in 2008.  It requires, among other things, that:

  • A private entity must establish and make publicly available a protocol for retaining and handling biometric data.
  • A private entity must first inform the subject in writing about the purpose of collecting the data, how long the data will be kept, and obtain consent of the subject.
  • This data must be destroyed: (1) when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or (2) within 3 years of the individual’s last interaction with the private entity (whichever occurs first).
  • Sales, leases, trades, or further actions in which a private entity may profit from a person’s biometric information are strictly prohibited while disclosures, redisclosures, or other dissemination of a person’s biometric information are statutorily limited.
  • Finally, private entities must protect biometric information from disclosure using “the reasonable standard of care within the private entity’s industry . . . . [and] in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.”

With that in mind, let’s turn to the case law.

Figueroa v. Kronos Inc., 454 F. Supp. 3d 772 (N.D. Ill. 2020) demonstrates a successful claim by plaintiffs against a third party vendor for violations of BIPA.  Plaintiffs brought a putative class action against Kronos, the timekeeping company used by their employer, for violations of sections 15(a), (b), and (d) of BIPA.[1]  Kronos brought a 12(b)(6) motion to dismiss and moved in the alternative to strike plaintiffs’ class allegations, but the court denied both motions.  While Kronos had argued that Section 15(b) delegated the applicable notice and consent obligations for obtaining individuals’ biometric information to plaintiffs’ employer, the court found that Kronos was still a “private entity” as defined by BIPA, and had to comply with the same obligations.  The court also found that plaintiffs had sufficiently pled under BIPA Section 15(d) that Kronos had disseminated their data to third parties that hosted the biometric data in Kronos’ data centers.

On the other hand, in Bray v. Lathem Time Co., No. 19-3157, 2020 U.S. Dist. LEXIS 53419 (C.D. Ill. March 27, 2020), a third party vendor prevailed in having a putative class action dismissed.  Similar to Figueroa, plaintiff had sued the timekeeping company his employer used for violations of Sections 15(a), (b), and (d) of BIPA.  Lathem moved to dismiss for failure to state a claim and lack of personal jurisdiction.  Ruling on Lathem’s motion, the court found that it lacked personal jurisdiction over Lathem.  It agreed that Lathem itself had not created sufficient “minimum contacts” with Illinois, because Lathem was a Georgia-based company that had no corporate presence in Illinois and had not targeted Illinois or made any direct sales there.  On this basis, Lathem successfully argued that any contacts it had with Illinois were the results of decisions made by its customers – the employers who had chosen to use its timekeeping software – and that it could not be subject to personal jurisdiction in Illinois based on its customers’ decisions.  Lathem had also separately argued that BIPA was not intended to apply to third party vendors like itself, and only provided a cause of action against plaintiff’s employer, but the court did not address this argument.

The jury is still out on one final state court action against a third party vendor.  In Bernal v. ADP, No. 2017-CH-12364, 2019 Ill. Cir. LEXIS 1025 (Ill. Cir. Ct. Cook Cty. Aug. 23, 2019), plaintiff had initially brought suit against his employer alleging violations of Sections 15(a)-(d) of BIPA, but amended the complaint to bring suit only against ADP, the entity which provided the biometric scanning technology his employer used to clock employees in and out.  ADP was successful in having plaintiff’s first complaint dismissed for failure to state a claim, as the court found that the complaint did not contain sufficient factual allegations for any of the alleged violations of BIPA.  For example, the court found that plaintiff had not sufficiently alleged violations of Section 15(d) because it raised only conclusory allegations that ADP’s technology allowed for and resulted in the dissemination of biometric information to third parties.  Similar to Bray, ADP also argued that Section 15(b) should not apply to third party entities like itself.  The court declined to rule on this argument, as it found that the complaint did not contain sufficient factual allegations to show ADP’s involvement in the actions plaintiff alleged, apart from supplying plaintiff’s employer with the technology used.  The court, however, granted plaintiff leave to file an amended complaint, which he did, and the litigation is ongoing.

While suits against employers are still the most prominent BIPA trend, vendors manufacturing biometric technology or software are not without risk.  As demonstrated by these cases, the most important inquiry for BIPA suits against third party vendors will likely be jurisdictional (whether the court can actually exercise personal jurisdiction over the vendor).  Courts will also likely continue to face the question of whether BIPA is intended to provide a private right of action against third party vendors or solely against the parties employing vendors’ software or technologies.  For more on this developing area of the law, stay tuned.  CPW will be there.

[1] Section 15(a) of BIPA provides that a private entity possessing biometric identifiers or information must have a written policy that is made available to the public, including a retention schedule and guidelines for destroying biometric information.  Section 15(b) gives guidelines for collecting, capturing, or receiving biometric information, and Section 15(d) requires that an entity obtain individuals’ consent before disclosing or disseminating biometric data.