A federal court recently dismissed biometric litigation brought against a marketer and seller of video technology products. Jacobs v. Hanwha Techwin Am., Inc., 2021 U.S. Dist. LEXIS 139668 (N.D. Ill. July 27, 2021). Although at least two other prior cases had allowed similar claims against a third-party technology provider to proceed into discovery, the court found Plaintiff’s allegations in this instance distinguishable. Read on to learn more.
First, a recap. The Illinois Biometric Information Privacy Act (“BIPA”) was enacted in 2008 and has standards regarding the retaining and handling of the biometric data of Illinois residents. As readers of CPW know, BIPA protects the “biometric information” of Illinois residents, which is any information based on “biometric identifiers” that identifies a specific person—regardless of how it is captured, converted, stored, or shared. 740 ILCS 14/10. Biometric identifiers are, “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Id. (collectively, with “biometric information,” “biometric data”).
Now, a closer look at the allegations in Jacobs.
Plaintiff alleged that when shopping in December 2020, he saw several of Defendant’s security cameras installed at the entrance of a T.J. Maxx store in downtown Chicago. Plaintiff also alleged that he purportedly learned about the cameras’ “ability to perform facial recognition” during that shopping trip (cue CPW eye roll). Plaintiff asserted that Defendant collected his biometric data though facial recognition technology in the security cameras “to track, identify, and prosecute shoplifters.”
Plaintiff raised a litany of claims under BIPA for Defendant failing to provide notice that that it is collecting and storing biometric data, and alleged “upon information and belief” that Defendant disclosed such data in violation of the statute. Plaintiff sought certification of the following class: “[a]ll individuals in the State of Illinois who had their facial geometry scans, biometric identifiers, and/or biometric information collected, captured, received, or otherwise obtained, maintained, stored, disclosed, or disseminated by defendant during the applicable statutory period.”
Defendant in moving to dismiss focused on what was tellingly absent from the Complaint:
- Plaintiff does not allege that Defendant installed the cameras, operated the cameras, or in any way accesses or controls T.J. Maxx’s security system.
- Plaintiff also does not allege that Defendant operates any systems or servers to store any information captured by the cameras.
- Instead, Plaintiff’s complaint suggests that Defendant’s only alleged connection to those cameras was its role as the manufacturer and distributor.
The court ultimately sided with defendant, finding Plaintiff’s claims were conclusory or otherwise failed to state a cognizable claim under BIPA.
First, looking at Plaintiff’s Section 15(b) BIPA claim, the court found that Plaintiff’s allegations merely parroted the language of the statute. Recall that unlike Sections 15(a), (c), (d), and (e) of BIPA—all of which apply to entities “in possession of” biometric data—Section 15(b) applies to entities that “collect, capture, purchase, receive through trade, or otherwise obtain” biometric data. 740 ILCS 14/15(a)-(e). Additionally, “mere possession of biometric data is insufficient to trigger Section 15(b)’s requirements.” However, Plaintiff argued (in reliance on the “otherwise obtain” language in Section 15(b)) that the provision applies to any private entity that obtains biometric data, no matter the source or manner of collection.
The court rejected this interpretation as “flawed.” Following the rulings of other courts applying BIPA, it held that “for Section 15(b)’s requirements to apply, an entity must, at a minimum, take an active step to collect, capture, purchase, or otherwise obtain biometric data.” (emphasis supplied). However, here Plaintiff failed to adequately alleged that Defendant took any active steps to collect biometric data. Instead, the allegations in the complaint made clear to the court that Defendant is “a third-party technology provider (that is, merely provided the cameras), and that the active collector and processor of the data is T.J. Maxx.” (emphasis supplied).
Second, the court rejected Plaintiff’s Section 15(a) and (d) claims as similarly fundamentally flawed. This was because, the court explained, Sections 15(a) and 15(d) of BIPA apply to entities “in possession of” biometric data. 740 ILCS 14/15(a), (d). Because BIPA does not define “possession,” courts have routinely used the ordinary definition of the word. Accordingly, possession for purposes of BIPA occurs when someone “exercise[es] any form of control over the data or … held the data at [his] disposal.” However, the court held, Plaintiff “does not provide any factual allegations that plausibly establish that defendant exercised control over plaintiff’s data or otherwise held plaintiff’s data at its disposal.” (emphasis supplied).
Plaintiff’s complaint was dismissed. Notably, at least two other BIPA cases involving claims against a third-party technology provider made it past a motion to dismiss. However, unlike Jacobs, the factual allegations in those prior cases made clear that the manufacturers of the fingerprint scanners had themselves collected, obtained, or stored the biometric data. For more on this developing area of the law, stay tuned. CPW will be there.