One of the most notable trends in Illinois Biometric Information Privacy Act (“BIPA”) class action litigation is the marked increase in the number of class actions targeting third-party biometric technology vendors, such as identity authentication systems and employee timekeeping devices. Importantly, because these vendors do not maintain any direct relationship with the end users of their technology, compliance with Illinois’s biometric privacy statute—especially its notice and consent requirements—can be a challenging undertaking. Despite this, to date, the majority of courts have held that BIPA nonetheless applies equally to vendors vis-à-vis employers and other entities that maintain direct relationships with biometric data subjects.

Earlier this month, an Illinois federal court rejected a selfie ID facial recognition identity verification vendor’s bid for dismissal of a BIPA class action in Davis v. Jumio Corp., No. 22 CV 776, 2023 WL 2019048 (N.D. Ill. Feb. 14, 2023). The Davis decision illustrates the scope of exposure faced by vendors for alleged non-compliance with BIPA, as well as the challenges and complexities in obtaining dismissals of biometric privacy class actions prior to the commencement of costly discovery.

Background

Plaintiff maintained a membership with the online cryptocurrency marketplace operated by Binance. Jumio Corporation provides facial recognition identity verification services for its clients, including Binance. Plaintiff sued Jumio, alleging that the company violated BIPA’s Section 15(b) notice and consent requirements when it collected his biometric data during the process of verifying his identity for Binance.

Jumio moved to dismiss the class action pursuant to Federal Civil Rule 12(b)(6). Jumio raised two arguments in support of dismissal. First, Plaintiff’s suit was barred by BIPA’s financial institution exemption. Second, dismissal of the complaint was warranted under Illinois’s extraterritoriality doctrine.

The Decision

The court first considered whether BIPA’s exemption for financial institutions precluded Plaintiff’s claims against Jumio. BIPA Section 25(c) provides that “[n]othing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 [(“GLBA”)] and the rules promulgated thereunder.”

In raising this argument, Jumio did not contend that it was a financial institution itself; rather, Jumio argued that Binance was a financial institution and, as a result, applying BIPA to Jumio in connection with use of the Binance App would effectively result in applying BIPA to Binance, an action that is proscribed by BIPA.

The court disagreed, finding several flaws in Jumio’s argument. First, the court rejected consideration of materials submitted by Jumio in support of its motion to dismiss, which Jumio had argued allowed the court to take judicial notice of Binance’s qualification as a financial institution for purposes of BIPA’s Section 25(c) exemption. The court instead held that “Binance’s self-serving statements (such as characterizing itself as a financial institution in other litigation to avoid liability under BIPA) need not be accepted as true and do not support taking judicial notice of the contested fact that Binance is, in fact, a financial institution.” Additionally, the court also held that the allegations in the complaint were similarly inadequate to demonstrate Binance’s status as a financial institution, as other than using the term “cryptocurrency marketplace,” the complaint contains no further factual allegations about the financial activities of Binance.

Second, the court found that even if Binance was found to be a financial institution within the meaning of the GLBA—thus triggering the Section 25(c) exemption—it did not necessarily follow that the claim against Jumio was barred. In so doing, the court rejected Jumio’s argument that because its software was embedded and integrated into the Binance App, BIPA would be applied to Binance “in any manner” in contravention of Section 25(c) in the event the court granted the Plaintiff’s requested relief under the Illinois biometrics law. The court explained that even if Jumio were ordered to comply with BIPA’s notice and consent requirements, Jumio might have to modify the software it provided to Binance; Binance, however, would still nonetheless have no affirmative obligation under BIPA to change the Binance App. Without further information regarding how the Binance App functioned and how Jumio’s software was integrated into the Binance App, the court was unable to determine the extent to which requiring Jumio’s compliance with BIPA would necessitate changes to how Binance did business, such that BIPA could be construed as applying “in any manner” to Binance.

Accordingly, the court declined to dismiss the class action pursuant to BIPA’s financial institution exemption.

The court then turned to Jumio’s argument that Illinois’s extraterritoriality doctrine barred Plaintiff’s lawsuit. In Illinois, a statute is without extraterritorial effect unless a clear intent appears from the express provisions of the statute. Both parties agreed that BIPA did not apply extraterritorially. Therefore, for BIPA to apply to Jumio’s conduct, the circumstances giving rise to the suit must have occurred “primarily and substantially in Illinois.”

Jumio argued that the complaint did not allege that any relevant conduct giving rise to the class action occurred in Illinois, aside from Plaintiff’s allegation that he was an Illinois resident. Notably, after Jumio filed its motion to dismiss, Plaintiff added allegations in his response brief to bolster his opposition to Jumio’s extraterritoriality argument. In its reply, Jumio posited that dismissal was still warranted, as Plaintiff’s new allegations failed to allege that any of Jumio’s conduct took place within the borders of Illinois.

Considering the allegations in the complaint, as supplemented by additional facts in his response brief, the court found that Plaintiff sufficiently alleged a plausible claim that Jumio’s BIPA violations occurred primarily and substantially in Illinois. Specifically, the court found that the following allegations, without more, were enough at the pleading stage to avoid dismissal based on Jumio’s extraterritoriality argument: (1) Plaintiff was an Illinois resident; (2) Jumio conducted business transactions in Illinois; and (3) Plaintiff submitted photographs of his driver’s license and face through the Binance App while in Illinois.

Analysis & Takeaways

Continued Trend of Broad Exposure for Third-Party Biometrics Vendors and Service Providers

Since the start of the year, the Illinois Supreme Court has issued two notable plaintiff-friendly opinions, which resolved the uncertainty surrounding the applicable statute of limitations for BIPA claims and the issue of claim accrual in BIPA litigation, respectively, and significantly expanded the scope of potential liability exposure for BIPA non-compliance even further in the process. However, the applicability of BIPA to third-party vendors continues to persist as a significant area of ambiguity. To date, the majority of courts to analyze the issue have held that BIPA is applicable to vendors and service providers, even if they do not directly interface with end users. This line of reasoning was most recently affirmed in early February 2023 by an Illinois federal court in Johnson v. NCR Corp., No. 22 CV 3061, 2023 WL 1779774 (N.D. Ill. Feb. 6, 2023) (for more information on the Johnson opinion, you can read Privacy World team member David Oberly’s article analyzing the decision for Biometric Update here).

Davis further illustrates the potential perils that vendors face if they fail to satisfy the full range of BIPA compliance requirements when offering biometrics-related products and services to their commercial clients.

Scope of BIPA’s Financial Institution Exemption Not Unlimited

To date, the Section 25(c) financial institution exemption has been one of the most robust defenses to BIPA class actions, resulting in the dismissal of a number of defendants not traditionally known as “financial institutions,” such as colleges and universities. The Davis decision, however, demonstrates that the contours of the financial institution exemption are not unlimited.

In rejecting the vendor’s assertion of the financial institution exemption as a bar to the BIPA claims asserted against it, the Davis court relied primarily on the lack of sufficient evidence demonstrating that the defendant’s customer was, in fact, a financial institution entitled to seek refuge under BIPA Section 25(c). The reasoning of the Davis court comports with other courts that have denied motions to dismiss asserting BIPA’s financial institution exemption as a complete defense to liability—which have also found inadequate evidence demonstrating that the defendant or a related entity satisfied the GLBA’s definition of a financial institution so as to make Section 25(c) applicable to bar BIPA claims.

Importantly, Davis illustrates that defendants seeking dismissal pursuant to the financial institution exemption need to ensure that their motions are properly supported with sufficient evidence to permit a finding that Section 25(c) applies to the specific activities engaged in by the entity at issue in order to maximize the likelihood of a favorable outcome on a motion seeking to definitively end class action litigation. This task is especially critical when pursuing motions to dismiss, where the scope of evidence that can be considered by the court is curtailed.

Challenges Faced by Defendants in Procuring Dismissals from BIPA Litigation at the Pleading Stage

BIPA class actions have been challenging to defeat at the pleading stage, which is due to a combination of factors that include the deference given to Plaintiff’s allegations for purposes of a motion to dismiss, the lack of guidance offered to courts by BIPA’s statutory text, and courts’ willingness to interpret BIPA’s compliance requirements in a manner that heavily favors the plaintiff’s bar.

Davis is a textbook example of these challenges that are often faced by defendants in attempting to obtain dismissals of BIPA disputes before proceeding to the discovery phase of litigation. Of note, although courts are generally only permitted to consider the allegations in the complaint on a motion to dismiss, the Davis court permitted the Plaintiff’s elaborations to the complaint’s factual allegations in his response brief to be considered in ruling on the defendant’s motion to dismiss. Further, the court found that the Plaintiff’s allegations were sufficient at the pleading stage to plausibly allege circumstances that the alleged BIPA violation occurred in Illinois so as to avoid dismissal on extraterritoriality grounds, even though the Plaintiff only alleged a single fact relating directly to the defendant’s conduct—that it engaged in business transactions in Illinois. More than that, in rejecting Jumio’s extraterritoriality argument, the court acknowledged that discovery might reveal that the connection to Illinois is “sufficiently tenuous” as to warrant revisiting the matter at summary judgment, but that was not enough to prevent the case from moving past the pleading stage.

To mitigate BIPA litigation risk, all types of entities that use biometric data in their operations should consider taking a conservative approach to compliance—one that ensures all applicable BIPA requirements are satisfied—even where it is not definitively clear that Illinois’s biometrics statute applies to organizational operations.

Specifically, companies should ensure they maintain flexible, comprehensive biometric privacy compliance programs, which should include (among other things) the following:

  • A publicly-available, biometrics-specific privacy policy;
  • Set data retention and destruction guidelines and schedules containing a clear and unambiguous description of the event trigger(s) that will prompt the immediate and permanent destruction of an individual’s biometric data;
  • A mechanism for ensuring written notice is supplied to all data subjects before the time biometric data is collected; and
  • A separate mechanism for ensuring written consent is obtained, allowing the vendor to collect, possess, retain, store, and disseminate biometric data before the time any such data is obtained.

For more, stay tuned. Privacy World will be there to keep you in the loop.