Earlier this month, a federal court in Illinois dismissed a BIPA fingerprint timekeeping class action that had been pending for over three years, finding that Plaintiff failed to adequately allege a claim under Section 15(b) of the Illinois Biometric Information Privacy Act. Stauffer v. Innovative Heights Fairview Heights, LLC, 2022 U.S. Dist. LEXIS 140010 (S.D. Ill. Aug. 5, 2022). This ruling was based on the Court’s primary conclusion that:
Nowhere in her complaint does Plaintiff allege that [Defendant] itself stored biometric information on its own computers or servers, or that [Defendant] used the biometric information for its own purposes. In fact, Plaintiff does not allege that [Defendant] actually accessed this information. Plaintiff” allegations are simply that [Defendant] could access the biometric information one day. But equally as plausible as [Defendant] accessing the information one day is that [Defendant] never accessed the information.
As reported earlier in CPW’s 2022 Q1 AI/Biometric Litigation Trends by Kristin Bryan, David Oberly and Christina Lamoureux, the majority of BIPA cases filed thus far in 2022 arise under the circumstances analogous to the Stauffer litigation in the timekeeping context. As such, the Court’s ruling in this case is anticipated to bear upon other pending and future filed cases.
In this instance, the Court rejected the Plaintiff’s allegations that the use of a uniform franchise agreement which (i) required franchisees adopt a common timekeeping system (“POS System”) that “collect[ed] employee fingerprints and information used to identify such employees based on their fingerprints” and (ii) and gave the Defendant “the right to have independent access to all information or data” on the POS System used by franchisees sufficient for purposes of a pleading a cognizable Section 15(b) BIPA claim.
Read on to learn more about the particular facts of this case and the Court’s analysis.
I. Factual Background
Stauffer involved a BIPA fingerprint timekeeping class action filed by Plaintiff Madison Stauffer (“Stauffer”) against Innovative Heights Fairview Heights, LLC (“Innovative Heights”), CenterEdge Software, LLC (“CenterEdge”), and Sky Zone Franchise Group, LLC (“Sky Zone”). According to Stauffer, her employer, Innovative Heights, collected and used her fingerprints for timekeeping purposes. CenterEdge controlled and operated the system and database that was used by Innovative Heights to store Stauffer’s and her co-workers’ biometric data. Sky Zone allegedly required Innovative Heights, as its franchisee, to use the CenterEdge system under the franchise agreement entered into between Stauffer’s employer and Sky Zone. Stauffer alleged a violation of BIPA Section 15(b) against all three companies, as well as an additional violation of Section 15(a) against Innovative Heights and CenterEdge.
II. Defendant Moves to Dismiss
Sky Zone subsequently moved to dismiss the Section 15(b) notice and consent claim against it under Federal Civil Rule 12(b)(6) for failure to state a claim. Sky Zone argued that Stauffer could not maintain a cognizable Section 15(b) claim against the entity because its relationship to Stauffer’s biometric data was “too attenuated” to sustain a Section 15(b) claim, as it never took the necessary “active step” required by Section 15(b) to collect class members’ biometric data. Rather, Sky Zone argued, at the most, it had access to Stauffer’s biometric data, but at no time did the company ever collect or store that biometric data itself. Along the same lines, absent from Stauffer’s complaint were any allegations that Sky Zone did anything to extract or obtain her biometric data from the Innovative Heights CenterEdge system.
In opposing Sky Zone’s motion to dismiss, Stauffer contended that her complaint was clear that Sky Zone retained an “unlimited right to access the computer systems” where her biometric data was stored, which provided Sky Zone with complete control over all data in the CenterEdge system. Importantly, Stauffer also argued that—contrary to Sky Zone’s assertions—the relevant case law did not require a defendant to take an “active step” to properly allege a Section 15(b) claim. In any event, Stauffer continued, Sky Zone did take an active step, as it was “behind every step of the process in the collection of [her] biometric data, which—according to Stauffer—constituted an “active step.”
III. An “Active Step” Is Required for a Section 15(b) BIPA Claim
In its opinion, the court began its analysis by addressing whether BIPA requires a party to take an “active step” to acquire biometric data for a cognizable Section 15(b) claim to exist, answering that question in the affirmative. In so doing, the court highlighted the fact that other courts from within the Seventh Circuit that had previously confronted this question had all concluded in uniform fashion that in order for Section 15(b) to apply, the Defendant must take an active step to collect, capture, or otherwise obtain the Plaintiff’s biometric data.
IV. Retaining Access to Data is Not “Active Step” Sufficient to Support a BIPA Claim
Having resolved the “active step” issue, the court then turned its attention to Stauffer’s Section 15(b) claim, the thrust of which was that Sky Zone retained an “unlimited right to access the system in which [her] fingerprints were stored.” Therefore, the operative question before the court was whether retaining access to biometric data constitutes an active step for purposes of Section 15(b). Here, the court noted that when a plaintiff alleges that the Defendant played “more than a passive role in the process,” a motion to dismiss for failure to state a Section 15(b) claim should be denied. With that said, the court cautioned, this “more than a passive role in the process” must push the claim “across the line from conceivable to plausible.”
With respect to Stauffer’s complaint, the court highlighted the fact that no allegations of any kind had been asserted that Sky Zone itself stored biometric data on its own computers or servers or that Sky Zone used the data for its own purposes. Nor did Stauffer allege that Sky Zone ever actually accessed the biometric data in question; instead, her allegations were simply that Sky Zone could access the data at some unspecified point in the future. Taken together, the court concluded that Stauffer’s allegations did not take her Section 15(b) claim “across the line from conceivable to plausible,” as Stauffer failed to plead—or sufficiently raise the interference—that Sky Zone ever did anything to extract or obtain the biometric data from Innovative Heights’ CenterEdge System. Ultimately, then, Stauffer failed to adequately allege that Sky Zone took any type of active step to collect or obtain her data, necessitating the dismissal of the Section 15(b) claim.
This decision offers persuasive guidance as to the scope of Section 15(b) BIPA claims and is a welcome win for the defense bar. However, important questions regarding BIPA claim accrual, the statute of limitations considerations and assessment of liquidated damages under the statute remain open as several significant cases remain pending with the Illinois Supreme Court.
In 2022, as in prior years, BIPA continues to be one of the most frequently litigated privacy statutes. This year, in particular, has brought an increased volume of BIPA class action filings targeting biometric voice technologies, facial recognition used for timekeeping purposes and motor vehicle monitoring. These cases collectively underscore the complex compliance decisions that arise when attempting to mitigate BIPA liability exposure in connection with new and advanced technologies where courts have not clearly addressed whether they fall under the scope of Illinois’ biometric privacy law—and the need to consult with experienced biometric privacy counsel before rolling out any new type of biometric- or AI-related technology to ensure legal risks are addressed to the greatest extent possible.