Just recently, a California federal court issued a notable Illinois Biometric Information Privacy Act (“BIPA”) opinion in Zellmer v. Facebook, Inc., No. 18 CV 1880 (N.D. Cal. Mar. 31, 2022), which could have significant implications moving forward for companies seeking to limit their scope of liability exposure in BIPA class action litigation.  Read on to learn more and what it may mean for third-party biometric technology providers.

I.     Factual Background

Plaintiff Clayton Zellmer filed suit against Facebook in 2018 in California federal court for alleged violations of BIPA’s notice and consent requirements in connection with the company’s photo “tagging” feature that allegedly used facial recognition technology.  Importantly for purposes of this litigation, Zellmer filed suit despite the fact that he had never maintained an account with the company and had never even used its services.  Zellmer sought to represent a putative class of all other non-users of the social networking site in the litigation.

Among other challenges, Facebook moved for summary judgment on the BIPA claim, arguing that a Section 15(b) notice and consent claim could not be established by non-users against the company.

II.     Non-Users Precluded as a Matter of Law From Maintaining Cognizable Section 15(b) BIPA Claim

The court sided with Facebook at summary judgment, noting that the company’s reasoning was straightforward: it would be patently unreasonable to construe BIPA to mean that the company was required to provide notice to, and obtain consent from, non-users who were, for all practical purposes, total strangers to the company, and with whom the company had no relationship whatsoever.

The court further noted that the well-established “cardinal rule” followed by Illinois—that courts must ascertain and give effect to the intent of the legislature—also supported summary judgment in favor of the company.  Here, the court emphasized that the Illinois legislature “clearly” contemplated that BIPA would only apply in situations where a business had at least some measure of knowing contact with and awareness of the people subject to the biometric data collection.  Further, the legislative findings also strongly suggested that BIPA is intended to apply to interactions between businesses and their customers, such as “at grocery stores, gas stations, and school cafeterias.”  These examples, along with references to “financial transactions” and other business practices, conveyed the legislature’s intent that BIPA applies only where there is at least a minimum level of known contact between a person and an entity that might be collecting biometric information.  Ultimately, because the plaintiff and the putative class were entirely unknown to Facebook, the company could not be held liable for purportedly failing to satisfy Section 15(b)’s requirements.

In addition, it was also highlighted that “a court presumes that the legislature did not intend absurd, inconvenient, or unjust results” further supported the appropriateness of summary judgment on the plaintiff’s Section 15(b) claim.  In so doing, the court emphasized that the Illinois Supreme Court has specifically stated that compliance with the law should not be difficult and that any expense a business might incur to comply should be minimal.  To require Section 15(b) to apply to non-users, however, a company would need to identify every non-user in Illinois on a regular basis and figure out a way to communicate with them to provide notice and obtain consent.

This, the court concluded, entailed an unreasonable reading of Section 15(b) that would put companies like Facebook in an “impossible” position—one that was not consonant with the Illinois legislature’s intent or the Illinois Supreme Court’s determination that BIPA should not impose extraordinary burdens on businesses.

For these reasons, the court granted summary judgment to Facebook on the Section 15(b) claim.

III.     Takeaways

While the opinion itself was fairly short in length—comprising only eight pages—the Zellmer court’s reasoning may have a noteworthy impact on the scope of BIPA Section 15(b) claims moving forward.

Generally speaking, the opinion articulates several potential limitations on the scope of BIPA notice and consent claims that may be relevant for future litigations:

  • Section 15(b) does not impose notice and consent requirements on companies in connection with non-users who are, for all practical purposes, strangers to the company and with whom the company maintains no type of relationship;
  • BIPA—as a whole—applies only in situations where a business has “at least some measure of knowing contact with” and “awareness” of people who might be subject to biometric data collection;
  • BIPA applies only to interactions “between businesses and their customers,” such as “at grocery stores, gas stations, and school cafeterias”; and
  • Based on the principle of construction that “a court presumes that the legislature did not intend absurd, inconvenient, or unjust results” and the Rosenbach court’s specific statement with respect to BIPA that “[c]ompliance should not be difficult” and expenses incurred by a business to comply with the law should be minimal, companies cannot be required to provide notice and obtain consent where doing so would place significant monetary or other costs to do so.

More specifically, the Zellmer opinion may be especially relevant for third-party biometric technology providers.  Here, a fairly strong argument exists that pursuant to Zellmer, vendors cannot be held liable for Section 15(b) claims where the plaintiffs maintain a direct relationship with the vendor’s customer, but not the vendor itself, and where the vendor does not have any level of knowing contact with the plaintiffs who submit their biometric data to the vendor’s client.