In a move that will be unwelcome to plaintiffs’ lawyers, Illinois has enacted an amendment to its biometrics privacy law – the Biometric Information Privacy Act (“BIPA”) – to provide that when a private entity, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection, without the required prior notice and written release, it commits only a single violation for penalty calculation purposes, regardless of the number of times the data was disclosed, redisclosed, or otherwise disseminated. This will significantly reduce the potential damages and lower the settlement value of BIPA claims. The amendment also provides that an e-signature satisfies the written requirements for the release. “‘Electronic signature’ means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record[,]” thus clarifying that online “clickwrap” releases suffice. This amendment follows previous failed attempts at similar reforms to stem the flood of BIPA class action litigation that has plagued companies that have enacted fingerprint time cards or other biometric fraud and security measures without strictly complying with BIPA. Colorado recently enacted a BIPA-like biometrics law, but like other states except only Illinois, it does not have a private right of action and can only be enforced by the state. However, states are active in enforcing their privacy laws as illustrated by a recent Texas settlement with a social media company for biometric consent claims that included a 9-figure civil penalty payment.

For more information, contact the author or your SPB relationship lawyer.



Last week, the Illinois House of Representatives joined the Illinois Senate in passing amendments to the state’s Biometric Information Privacy Act (“BIPA”) to limit the scope of possible damages for violations of BIPA. As covered extensively here on PW, last year in Cothron v. White Castle, the Illinois Supreme Court held that an individual person accrues a separate statutory claim each time a defendant collects or discloses the individual’s biometric information in violation of BIPA. While the dissent in Cothron accurately observed that the combination of statutory damages and “per-scan” accrual meant that businesses could face “punitive, crippling liability . . . wildly exceeding any remotely reasonable estimate of harm,” the Cothron majority determined that “concerns about potentially excessive damage awards under the Act are best addressed by the legislature.”


On November 30, 2023, the Illinois Supreme Court unanimously held that an exclusion in the Illinois Biometric Information Privacy Act applies to healthcare workers where their biometric information is collected, used, or stored in the course of providing medical services.  The holding is a significant victory for healthcare institutions and clarifies that the applicable exemption, Section 10 of BIPA, does not only apply to hospital patients, but also extends to other circumstances.

Plaintiffs were healthcare workers who used finger scanning authentication devices in the course of providing patient care, including for medication dispensing systems and to gain authorized access to patient materials and medications. They filed suit against their employer, a hospital, alleging violations of Sections 15(a), (b), and (d) of BIPA.  The defendant hospital filed a motion to dismiss, arguing that the biometric data that it purportedly collected, used, and/or stored was used for internal purposes to restrict access to patients’ protected health information and medication.  Additionally, the defendant also asserted that because the data at issue was used for health care treatment and operations, it was, therefore, specifically exempt under Section 10 of BIPA.  This provision provides that “[b]iometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under [HIPAA].”

In this case, an Illinois circuit court ruled that the exemption in Section 10 of BIPA was limited only to patient information.  Defendant timely appealed that ruling.

On appeal, in a case of first impression, the Illinois Supreme Court held that healthcare workers’ use of biometric scanning devices fell within the scope of Section 10’s exemption by the plain language of the statute: “Pursuant to its plain language, [BIPA] excludes from its protections the biometric information of health care workers where that information is collected, used, or stored for health care treatment, payment, or operations, as those functions are defined by HIPAA.”  As such, the Court ruled, using finger scanning devices to access patient medications and provide patient care fell within the scope of “information collected, used, or stored for health care treatment, payment, or operations.”

This ruling is a significant victory for the BIPA defense bar.  However, attorneys should be cautious of reading Mosby too expansively, as the Court cautioned that it did not intend to create a “broad, categorical exclusion of biometric identifiers taken from health care workers.”  It is anticipated that future cases applying the Section 10 exemption will further refine the standard resulting from this decision.  For more, stay tuned; Privacy World will be there to keep you in the loop.

Earlier this week, the Illinois Supreme Court denied a petition for rehearing of its decision in Cothron v. White Castle, a case which has tremendous implications on the effect of Illinois’s Biometric Information Privacy Act (“BIPA”). As previously covered here on PW, the Court’s decision in February concluded that each separate incident which is a violation of BIPA constitutes a distinct and separately actionable violation of the statute. In other words, plaintiffs may seek to collect liquidated damages per violation—$1,000 per violation, $5,000 per intentional/reckless violation—instead of per plaintiff, even if a plaintiff alleges daily violations over the course of years. This week’s ruling leaves in place the Cothron decision and its exponential expansion of the scope of damages that may be sought by an individual plaintiff.


One of the most notable trends in Illinois Biometric Information Privacy Act (“BIPA”) class action litigation is the marked increase in the number of class actions targeting third-party biometric technology vendors, such as identity authentication systems and employee timekeeping devices. Importantly, because these vendors do not maintain any direct relationship with the end users of their technology, compliance with Illinois’s biometric privacy statute—especially its notice and consent requirements—can be a challenging undertaking. Despite this, to date, the majority of courts have held that BIPA nonetheless applies equally to vendors vis-à-vis employers and other entities that maintain direct relationships with biometric data subjects.

Earlier this month, an Illinois federal court rejected a selfie ID facial recognition identity verification vendor’s bid for dismissal of a BIPA class action in Davis v. Jumio Corp., No. 22 CV 776, 2023 WL 2019048 (N.D. Ill. Feb. 14, 2023). The Davis decision illustrates the scope of exposure faced by vendors for alleged non-compliance with BIPA, as well as the challenges and complexities in obtaining dismissals of biometric privacy class actions prior to the commencement of costly discovery.

Background

Plaintiff maintained a membership with the online cryptocurrency marketplace operated by Binance. Jumio Corporation provides facial recognition identity verification services for its clients, including Binance. Plaintiff sued Jumio, alleging that the company violated BIPA’s Section 15(b) notice and consent requirements when it collected his biometric data during the process of verifying his identity for Binance.

Jumio moved to dismiss the class action pursuant to Federal Civil Rule 12(b)(6). Jumio raised two arguments in support of dismissal. First, Plaintiff’s suit was barred by BIPA’s financial institution exemption. Second, dismissal of the complaint was warranted under Illinois’s extraterritoriality doctrine.

The Decision

The court first considered whether BIPA’s exemption for financial institutions precluded Plaintiff’s claims against Jumio. BIPA Section 25(c) provides that “[n]othing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 [(“GLBA”)] and the rules promulgated thereunder.”

In raising this argument, Jumio did not contend that it was a financial institution itself; rather, Jumio argued that Binance was a financial institution and, as a result, applying BIPA to Jumio in connection with use of the Binance App would effectively result in applying BIPA to Binance, an action that is proscribed by BIPA.

The court disagreed, finding several flaws in Jumio’s argument. First, the court rejected consideration of materials submitted by Jumio in support of its motion to dismiss, which Jumio had argued allowed the court to take judicial notice of Binance’s qualification as a financial institution for purposes of BIPA’s Section 25(c) exemption. The court instead held that “Binance’s self-serving statements (such as characterizing itself as a financial institution in other litigation to avoid liability under BIPA) need not be accepted as true and do not support taking judicial notice of the contested fact that Binance is, in fact, a financial institution.” Additionally, the court also held that the allegations in the complaint were similarly inadequate to demonstrate Binance’s status as a financial institution, as other than using the term “cryptocurrency marketplace,” the complaint contains no further factual allegations about the financial activities of Binance.

Second, the court found that even if Binance was found to be a financial institution within the meaning of the GLBA—thus triggering the Section 25(c) exemption—it did not necessarily follow that the claim against Jumio was barred. In so doing, the court rejected Jumio’s argument that because its software was embedded and integrated into the Binance App, BIPA would be applied to Binance “in any manner” in contravention of Section 25(c) in the event the court granted the Plaintiff’s requested relief under the Illinois biometrics law. The court explained that even if Jumio were ordered to comply with BIPA’s notice and consent requirements, Jumio might have to modify the software it provided to Binance; Binance, however, would still nonetheless have no affirmative obligation under BIPA to change the Binance App. Without further information regarding how the Binance App functioned and how Jumio’s software was integrated into the Binance App, the court was unable to determine the extent to which requiring Jumio’s compliance with BIPA would necessitate changes to how Binance did business, such that BIPA could be construed as applying “in any manner” to Binance.

Accordingly, the court declined to dismiss the class action pursuant to BIPA’s financial institution exemption.

The court then turned to Jumio’s argument that Illinois’s extraterritoriality doctrine barred Plaintiff’s lawsuit. In Illinois, a statute is without extraterritorial effect unless a clear intent appears from the express provisions of the statute. Both parties agreed that BIPA did not apply extraterritorially. Therefore, for BIPA to apply to Jumio’s conduct, the circumstances giving rise to the suit must have occurred “primarily and substantially in Illinois.”

Jumio argued that the complaint did not allege that any relevant conduct giving rise to the class action occurred in Illinois, aside from Plaintiff’s allegation that he was an Illinois resident. Notably, after Jumio filed its motion to dismiss, Plaintiff added allegations in his response brief to bolster his opposition to Jumio’s extraterritoriality argument. In its reply, Jumio posited that dismissal was still warranted, as Plaintiff’s new allegations failed to allege that any of Jumio’s conduct took place within the borders of Illinois.

Considering the allegations in the complaint, as supplemented by additional facts in his response brief, the court found that Plaintiff sufficiently alleged a plausible claim that Jumio’s BIPA violations occurred primarily and substantially in Illinois. Specifically, the court found that the following allegations, without more, were enough at the pleading stage to avoid dismissal based on Jumio’s extraterritoriality argument: (1) Plaintiff was an Illinois resident; (2) Jumio conducted business transactions in Illinois; and (3) Plaintiff submitted photographs of his driver’s license and face through the Binance App while in Illinois.

Analysis & Takeaways

Continued Trend of Broad Exposure for Third-Party Biometrics Vendors and Service Providers

Since the start of the year, the Illinois Supreme Court has issued two notable plaintiff-friendly opinions, which resolved the uncertainty surrounding the applicable statute of limitations for BIPA claims and the issue of claim accrual in BIPA litigation, respectively, and significantly expanded the scope of potential liability exposure for BIPA non-compliance even further in the process. However, the applicability of BIPA to third-party vendors continues to persist as a significant area of ambiguity. To date, the majority of courts to analyze the issue have held that BIPA is applicable to vendors and service providers, even if they do not directly interface with end users. This line of reasoning was most recently affirmed in early February 2023 by an Illinois federal court in Johnson v. NCR Corp., No. 22 CV 3061, 2023 WL 1779774 (N.D. Ill. Feb. 6, 2023) (for more information on the Johnson opinion, you can read Privacy World team member David Oberly’s article analyzing the decision for Biometric Update here).

Davis further illustrates the potential perils that vendors face if they fail to satisfy the full range of BIPA compliance requirements when offering biometrics-related products and services to their commercial clients.

Scope of BIPA’s Financial Institution Exemption Not Unlimited

To date, the Section 25(c) financial institution exemption has been one of the most robust defenses to BIPA class actions, resulting in the dismissal of a number of defendants not traditionally known as “financial institutions,” such as colleges and universities. The Davis decision, however, demonstrates that the contours of the financial institution exemption are not unlimited.

In rejecting the vendor’s assertion of the financial institution exemption as a bar to the BIPA claims asserted against it, the Davis court relied primarily on the lack of sufficient evidence demonstrating that the defendant’s customer was, in fact, a financial institution entitled to seek refuge under BIPA Section 25(c). The reasoning of the Davis court comports with other courts that have denied motions to dismiss asserting BIPA’s financial institution exemption as a complete defense to liability—which have also found inadequate evidence demonstrating that the defendant or a related entity satisfied the GLBA’s definition of a financial institution so as to make Section 25(c) applicable to bar BIPA claims.

Importantly, Davis illustrates that defendants seeking dismissal pursuant to the financial institution exemption need to ensure that their motions are properly supported with sufficient evidence to permit a finding that Section 25(c) applies to the specific activities engaged in by the entity at issue in order to maximize the likelihood of a favorable outcome on a motion seeking to definitively end class action litigation. This task is especially critical when pursuing motions to dismiss, where the scope of evidence that can be considered by the court is curtailed.

Challenges Faced by Defendants in Procuring Dismissals from BIPA Litigation at the Pleading Stage

BIPA class actions have been challenging to defeat at the pleading stage, which is due to a combination of factors that include the deference given to Plaintiff’s allegations for purposes of a motion to dismiss, the lack of guidance offered to courts by BIPA’s statutory text, and courts’ willingness to interpret BIPA’s compliance requirements in a manner that heavily favors the plaintiff’s bar.

Davis is a textbook example of these challenges that are often faced by defendants in attempting to obtain dismissals of BIPA disputes before proceeding to the discovery phase of litigation. Of note, although courts are generally only permitted to consider the allegations in the complaint on a motion to dismiss, the Davis court permitted the Plaintiff’s elaborations to the complaint’s factual allegations in his response brief to be considered in ruling on the defendant’s motion to dismiss. Further, the court found that the Plaintiff’s allegations were sufficient at the pleading stage to plausibly allege circumstances that the alleged BIPA violation occurred in Illinois so as to avoid dismissal on extraterritoriality grounds, even though the Plaintiff only alleged a single fact relating directly to the defendant’s conduct—that it engaged in business transactions in Illinois. More than that, in rejecting Jumio’s extraterritoriality argument, the court acknowledged that discovery might reveal that the connection to Illinois is “sufficiently tenuous” as to warrant revisiting the matter at summary judgment, but that was not enough to prevent the case from moving past the pleading stage.

To mitigate BIPA litigation risk, all types of entities that use biometric data in their operations should consider taking a conservative approach to compliance—one that ensures all applicable BIPA requirements are satisfied—even where it is not definitively clear that Illinois’s biometrics statute applies to organizational operations.

Specifically, companies should ensure they maintain flexible, comprehensive biometric privacy compliance programs, which should include (among other things) the following:

  • A publicly-available, biometrics-specific privacy policy;
  • Set data retention and destruction guidelines and schedules containing a clear and unambiguous description of the event trigger(s) that will prompt the immediate and permanent destruction of an individual’s biometric data;
  • A mechanism for ensuring written notice is supplied to all data subjects before the time biometric data is collected; and
  • A separate mechanism for ensuring written consent is obtained, allowing the vendor to collect, possess, retain, store, and disseminate biometric data before the time any such data is obtained.

For more, stay tuned. Privacy World will be there to keep you in the loop.

Several months ago, you may have seen social media filled with artistic renditions of your connections as paintings, cartoons, or other artistic styles. These renditions came from Lensa, an app by which users upload “selfies” or other photos, which the app processes to generate artistic images of the user. Lensa, which is owned by Prisma Labs, Inc., is the latest subject of a putative class action brought under the Illinois Biometric Information Privacy Act (“BIPA”).

In Flora, et al., v. Prisma Labs, Inc., No. 5:23-cv-00680 (N.D. Cal.), Plaintiffs—a group that includes a minor child—are residents of Illinois who used the Lensa app to create artistic images of themselves. Plaintiffs allege that they used Lensa in December 2022, after the app exploded in popularity in November 2022 due to the launch of the “magic avatars” feature, which requires users to upload at least eight images of themselves (and up to 20 images) to create artistic, stylized “avatars” of the user’s face. The app can also be used to upload images of others, and create avatars based on those images. Plaintiffs allege that Lensa’s privacy policy as of December 2022 did not inform users that their facial geometry would be collected to create the avatars, and that several oblique references to Lensa’s use and processing of users’ images lead users to believe that their biometric data is “anonymized” and does not leave the user’s device—which seemingly contradicts Lensa’s model of collecting users’ images and generating avatars based on those images. The Complaint also alleges that Lensa’s privacy policy temporarily disclosed that “face data” will be used to “train” its “neural network algorithms,” but that the provision was subsequently removed, and never included provisions of how that data would be protected or disclosed.

Based on the allegations in the Complaint, Plaintiffs seek to represent a class of “All persons who reside in Illinois whose biometric data was collected, captured, purchased, received through trade, or otherwise obtained by Prisma, either through use of the Lensa app or otherwise.” Plaintiffs bring seven causes of action under Sections 15(a), 15(b)(1), 15(b)(2), 15(b)(3), 15(c), 15(d), and 15(e) of BIPA, as well as an additional claim for unjust enrichment based on Lensa’s paid subscription service.

The Complaint also raises additional concerns about Lensa’s business model and methods of generating images. For example, upon downloading the app, a user is prompted to begin a seven-day trial subscription with Lensa; the Complaint alleges that the app uses dark patterns to prompt users to choose this option, rather than closing out of it and declining the trial subscription. The Complaint also alleges that Lensa uses Stable Diffusion to generate images, which is an open-source AI model trained on over 2 billion copyrighted images, including images that are protected by copyright. As alleged in the Complaint, the system could violate the intellectual property rights of artists who own the copyrights in the images used to train the AI model.

Flora is similar to past BIPA class actions brought against apps that allow users to virtually “try on” makeup, clothing, or other beauty items, as well as class actions brought against entities that use images to “train” models of AI. Plaintiffs are represented by Loevy & Loevy, which notably prevailed in the first BIPA case to go to trial, Rogers v. BNSF Railway Company. Privacy World will continue to keep an eye on how this case develops for you.

Today, the Illinois Biometric Information Privacy Act (“BIPA”) remains one of the hottest areas of class action litigation. Despite the high volume of class action filings, however, many significant aspects of Illinois’s biometrics statute remain unsettled and uncertain. One of the most notable open-ended issues pertains to the applicability of BIPA to third-party vendors and service providers, such as the developers and manufacturers of biometrics technologies. To date, the majority of courts to analyze the issue have found that BIPA is squarely applicable to vendors and similar entities that do not directly interface with end users. David Oberly analyzes a recent decision—Johnson v. NCR Corp.—that continues the trend of courts finding in favor of broad BIPA liability exposure for third-party vendors, as well as the implications of the opinion, in this Biometric Update article: Lessons Learned From Recent BIPA Third-Party Vendor Decision.

The Illinois Supreme Court today resolved one of the most significant unsettled areas of law for claims arising under the Illinois Biometric Information Privacy Act (“BIPA”). In its decision in Cothron v. White Castle Sys., Inc., the Court confirmed that each separate violation of BIPA constitutes a distinct and separately actionable violation of the statute. The decision exponentially increases liability exposure and the scope of damages that may be collected for alleged violations of BIPA.

Background and Decision

In Cothron (covered extensively by Privacy World articles here, here, here, and here, and discussed in Squire Patton Boggs’ 2022 Q2 AI & Biometric Privacy Quarterly Review Newsletter), Plaintiff, a former employee of defendant White Castle, brought claims under Sections 15(b) and 15(d) of BIPA for alleged violations stemming from collections of her fingerprint. Plaintiff initially began working at White Castle in Illinois in 2004, and White Castle subsequently implemented an optional, consent-based finger-scan system for employees to sign documents and access their paystubs and computers. Plaintiff consented in 2007 to the collection of her biometric data but sued in 2018. She alleged that White Castle did not obtain consent to collect or disclose her fingerprints at the first instance the collection occurred under BIPA because BIPA did not exist in 2007. The Illinois Supreme Court denied White Castle’s judgment on the pleadings; White Castle appealed to the Seventh Circuit, which certified the question to the Illinois Supreme Court of “[w]hether, when conduct that allegedly violates BIPA is repeated, that conduct gives rise to a single claim under Sections 15(b) and 15(d) of BIPA, or multiple claims.”

The Illinois Supreme Court held that “a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).” Looking at the plain language of Section 15(b), the court disagreed with White Castle that “collection” or “capture” of biometric identifiers occurs only once, when an entity first obtains an individual’s fingerprint, in part because of the position White Castle had taken in prior pleadings. The court also looked to Section 15(b)’s language distinguishing collection and storage of biometric identifiers, observing that Section 15(b)(2)’s requirement that an entity notify an individual of how long their biometric identifiers would be collected “shows that the legislature contemplated collection as being something that would happen more than once.”

Similarly, in analyzing Section 15(d), the court held that the plain language of the provision applies to every transmission of biometric identifiers to a third party. The court looked to the dictionary definitions of terms in the statute, including “disclose” and “redisclose.” Ultimately, the court concluded that BIPA does not include a limitation that claims should only arise the first time that an entity scans or transmits an individual’s biometric data and that it could not rewrite the statute to include such a limitation.

The court also addressed White Castle’s argument that Plaintiff’s construction of the statute could lead to “astronomical” damages awards that could be unconstitutional but held that the statutory language “clearly support[ed]” Plaintiff’s position, and it was bound to give that language effect. The court observed that policy-based concerns about damages awards were best addressed by the legislature.

In a dissent joined by Chief Justice Theis and Justice Holder White, Justice Overstreet stated that the majority’s interpretation could not be reconciled with the plain language of the statute and would render compliance with BIPA unduly burdensome for employers. Justice Overstreet observed that Section 15(b) “broadly applies to any way that a private entity obtains a person’s biometric identifier or information,” which “can happen only once” because White Castle obtained the biometric identifiers with an employee’s first fingerprint scan—it does not obtain that information in subsequent scans, because it already has it. Subsequent scans did not collect any new information from Plaintiff, and she did not suffer any additional loss of biometric information. The dissent applies the same analysis to claims arising under Section 15(d), holding that this reading is the only one that is consistent with the original purpose of BIPA—to protect a privacy interest—because the individual loses control over their biometric information only once.

Takeaways

Cothron reflects a consistently expansive and plaintiff-friendly interpretation of BIPA in courts, following the much-anticipated Tims decision, which resolved the applicable statute of limitations for BIPA claims as five years rather than one year. Plaintiffs may now seek to collect liquidated damages for each separate violation of BIPA, compounding the associated statutory negligent damages of $1,000 per violation and intentional/reckless damages of $5,000 per violation for each alleged violation. The Cothron decision exponentially expands the scope of damages that may be sought by an individual plaintiff or a class and is certain to increase the already-high number of putative class actions filed under BIPA.

For more, stay tuned; Privacy World will be there to keep you in the loop.

For over two years now, online retailers—such as cosmetics and eyewear brands—that utilize virtual try-on (“VTO”) tools have faced a barrage of class action litigation alleging that their technology violates the Illinois Biometric Information Privacy Act (“BIPA”). During this period, a defense has emerged for the targets of VTO suits and online eyewear retailers in particular—BIPA’s health care exemption. Relying on this exemption, a major apparel brand recently defeated a class action suit alleging it improperly collected website visitors’ face geometry scans through its VTO tool in violation of Illinois’s biometric privacy law. The opinion re-affirms the strength of this defense in securing complete dismissals of BIPA class actions brought against eyewear brands over their VTO tools.

Facts

The defendant, an apparel brand that sells eyewear (as well as other products), provides shoppers a VTO tool on its site, which allows users to virtually “try on” eyewear frames to see how they look on them prior to making a purchase by virtually placing the frames on the user’s face.

Delma Warmack-Stillwell filed suit against the apparel brand, alleging that the retailer’s VTO tool ran afoul of BIPA Sections 15(a), 15(b), and 15(c)—relating to the law’s privacy policy, data retention, and informed consent requirements, as well as its prohibition on selling or otherwise profiting from individuals’ biometric data. In response, the apparel brand moved to dismiss the complaint under Federal Civil Rule 12(b)(6), arguing that the plaintiff could not establish a cognizable BIPA claim against it because the law’s general health care exemption—which provides that “information captured from a patient in a health care setting” is excluded from the definition of “biometric identifiers” and “biometric information”—served as a complete defense to liability against the apparel brand.

BIPA’s Health Care Exemption Dooms Plaintiff’s Eyewear VTO Class Action

The court agreed, finding the plaintiff’s BIPA claims to be barred as a matter of law under the general health care exemption. In reaching this conclusion, the court noted that whether the exemption applied to the apparel brand depended on whether the plaintiff, in using the VTO tool, was a “patient” in a “health care setting.” Because BIPA did not define these terms, the court ascertained their meaning by looking to their respective dictionary definitions.

The court first found that the plaintiff met the definition of a “patient,” which is defined as “an individual awaiting or under medical care or treatment” or “the recipient of any various personal services.” The court reasoned that under an objective application of the exemption’s text, sunglasses—even if non-prescription—protect one’s eyes from the sun and are Class I medical devices under the Food and Drug Administration’s regulations. Thus, by using the VTO tool to try on sunglasses, the plaintiff was “an individual awaiting . . . medical care,” and therefore a “patient,” because the tool facilitated the provision of a medical device that protected vision.

The court also concluded that use of the VTO tool constituted “health care,” defined as “efforts made to maintain or restore physical, mental, or emotional well-being especially by trained and licensed professionals,” as the VTO tool facilitated the purchase of sunglasses to wear on one’s face—which the court noted is exactly the use that fulfills that product’s medical purpose.

The court further highlighted the fact that its conclusion comported with the one reached by other courts that have considered whether BIPA’s general health care exemption applies in the context of eyewear VTO tools, namely, Svoboda v. Frames For Am., Inc., No. 21 CV 5509, 2022 WL 4109719 (N.D. Ill. Sept. 8, 2022), and Vo v. VSP Retail Dev. Holding, Inc., No. 19 CV 7189, 2020 WL 1445605 (N.D. Ill. Mar. 25, 2020). In so doing, the court noted that both the Svoboda and Vo courts recognized that the VTO tools at issue in those disputes fell within the exemption, despite the fact they were also used for virtually trying on non-prescription sunglasses.

Taken together, because—in using the VTO tool—the plaintiff was a patient receiving a health care service in a health care setting, BIPA’s general health care exemption was applicable to the claims asserted against the apparel brand, precluding the company from being held liable under Illinois’s biometric privacy statute for its alleged collection and use of website visitors’ biometric identifiers or biometric information. As such, the court granted the apparel brand’s motion to dismiss under Rule 12(b)(6) for failure to state a claim.

Analysis & Takeaways

As indicated above, Warmack-Stillwell is not the first eyewear VTO biometric privacy class action to be dismissed outright under the law’s general health care exemption. Of note, both the Svoboda and Vo courts rejected the argument that the health care exemption was inapplicable because the plaintiffs were never patients of the eyewear retailers and never sought or received any health care or treatment from those entities. Taken together, Warmack-Stillwell, Svoboda, and Vo demonstrate that BIPA’s health care exemption can serve as a valuable defense for eyewear brands seeking to defeat class action lawsuits alleging purported violations of Illinois’s stringent biometric privacy statute.

At the same time, Warmack-Stillwell demonstrates the broad scope of the health care exemption, which can be asserted to procure outright dismissals in a wide range of BIPA disputes—even those outside the VTO context—where the facts underlying the litigation involve prescription or non-prescription medical devices (such as eyewear).

Today, the Illinois Supreme Court resolved the hotly disputed question of whether a one-year or five-year statute of limitations period applies to claims brought under the Biometric Information Privacy Act (“BIPA”). In Tims v. Black Horse Carriers, Inc., the Court conclusively held that a five-year statute of limitations period applies to BIPA claims, expanding the timeframe for a plaintiff to bring a claim in a plaintiff-friendly ruling.  

The Tims Decision 

Tims initially brought claims under Sections 15(a), 15(b), and 15(d) of BIPA against his former employer, Black Horse Carriers, Inc., and Black Horse moved to dismiss the complaint as untimely, claiming that because the text of BIPA does not contain a statute of limitations period, the one-year statute of limitations for privacy actions under Illinois code provision 735 ILCS 5/13-201 should apply. Plaintiff argued in response that the five-year statute of limitations provided as a catchall for civil actions under 735 ILCS 5/13-205 should apply instead. In a closely watched decision, the First District split the difference, holding that Section 13-201 applied to claims brought under Sections 15(c) and (d), while Section 13-205 applied to BIPA actions under Sections 15(a), (b), and (e).

On appeal, the Illinois Supreme Court affirmed in part and reversed in part, holding that the five-year statute of limitations in Section 13-205 applies to all BIPA claims. The Court agreed with the plaintiffs’ assertion that the five-year limitations period should apply where a statute itself does not contain its own limitations period. Observing that Section 13-201 governs actions for the “publication of matter violating the right of privacy” (emphasis added), the Court looked to the plain text of BIPA and affirmed that Sections 15(a), (b), and (e) did not concern publication in any respect. Although the Court acknowledged that the terms “sell,” “lease,” “trade,” “disclose,” “redisclose,” and “disseminate” in Sections 15(c) and (d) could potentially be read as involving publication, it found that it would be “best” to apply the five-year statute of limitations period to the entire statute in considering the intention of the legislature, the intended purposes of BIPA, and the absence of a statute of limitations in the law. The Court found that this would also further certainty and predictability in BIPA actions.

Analysis & Takeaways 

Expanded Scope of Potential Liability 

With the Tims decision, plaintiffs now have five years from the date of non-compliance with Illinois’s biometric statute to file suit for BIPA non-compliance. More importantly, in addition to the extremely low bar for establishing cognizable claims in BIPA litigation set by the Illinois Supreme Court in Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, 129 N.E.3d 1197 (Ill. 2019), the Tims opinion now allows plaintiffs in BIPA disputes to broaden putative classes. Classes may now comprise all individuals who allegedly had their privacy rights violated due to BIPA non-compliance over a five-year period dating back from the time suit is filed—a significant expansion for BIPA putative class actions.

Continued Trend of Liberal Interpretations of BIPA’s Statutory Text 

As noted in Privacy World’s 2022 Biometrics and Artificial Intelligence Year-in-Review Report, one of the most significant trends in BIPA class action litigation over the course of last year was the broad, expansive interpretation of key aspects of Illinois’s biometric privacy statute employed in a number of BIPA decisions by both state and federal courts. The Illinois Supreme Court’s decision in Tims continues this trend and, in so doing, expands the contours of Illinois’s biometric statute even further. Of note, the Tims Court readily acknowledged that Section 15(c) and (d) claims could arguably involve activities properly characterized as a “publication,” which would make Illinois’s shorter, one-year limitations period applicable. Despite this, the Court applied the longer, five-year period, which the Court reasoned was necessary in order to best safeguard the privacy interests of Illinois residents that BIPA was enacted to protect.

Importantly, the reasoning set forth in Tims demonstrates how courts heavily favor plaintiff-friendly, liberal interpretations of BIPA’s statutory text, often reasoning that these interpretations align with the stated intent and purposes of Illinois’s biometrics statute. Tims serves as a cautionary tale and a reminder of the significant risks and liability exposure associated with BIPA non-compliance. Not only that, but the Illinois Supreme Court’s use of BIPA’s statutory intent and purposes as its main basis for applying a more plaintiff-friendly limitations period for BIPA claims will likely be utilized by plaintiffs in subsequent class actions in support of arguments designed to expand the contours and scope of Illinois’s biometrics statute even further as it relates to other key, unsettled aspects of the law.

The Illinois Supreme Court May Soon Expand Liability Exposure Even Further in Resolving the Question of Claim Accrual in BIPA Class Litigation 

Beyond Tims, the Illinois Supreme Court is set to render another much-anticipated opinion in Cothron v. White Castle Sys., No. 128004 (Ill. Sup. Ct.) sometime in the immediate future, which will definitively resolve the currently unsettled issue of claim accrual in BIPA litigation. Depending on how the Court answers the question of whether every discrete failure to comply with BIPA’s requirements amounts to a separate, independent violation of the statute, the scope of liability exposure and damages underlying BIPA class actions may further increase for those companies that leverage the benefits of biometrics in their day-to-day operations.

What to Do Now: Practical Compliance Tips

The forthcoming Cothron opinion will offer much-needed clarity regarding the scope of statutory damages at issue for purported BIPA violations. However, if the Illinois Supreme Court rejects a “one and done” theory of accrual, and instead applies the continuing violation theory to BIPA claims, the overall scope of potential damages—which is already significant—will further expand.

In the interim, companies should work closely with experienced biometric privacy counsel to review and conduct a thorough audit of their current compliance practices to identify and remediate any gaps in advance of the Cothron decision and any resulting expansion in liability exposure. In particular, companies should assess their current compliance programs to ensure they encompass the following practices:  

  • Maintain a Public Privacy Policy: Maintain a publicly-available privacy policy which, at a minimum, establishes a retention schedule and guidelines for permanently destroying biometric data when the initial purpose for collecting or obtaining such data has been satisfied.
  • Permanently Destroy Biometric Data in a Timely Manner: Maintain practices and protocols to ensure that biometric data is permanently destroyed within BIPA’s mandated timeframes. As a general rule of thumb, biometric data should be permanently destroyed when it is no longer needed for the initial purpose for which it was originally collected (even where compliance with BIPA is not required). 
  • Supply Pre-Collection Notice: Provide notice to all individuals prior to the time biometric data is collected which, at a minimum, informs the individual: (1) that biometric data is being collected/stored; (2) the specific purpose for collecting the individual’s biometric data; and (3) the period of time over which the company will use and store such biometric data before it is permanently destroyed.
  • Obtain Pre-Collection Consent: Obtain consent from all individuals prior to the time biometric data is collected, allowing the company to collect, use, and store their biometric data, as well as permitting the company to share/disclose such data with the company’s vendors and service providers.
  • Maintain Security Measures to Safeguard Biometric Data: Store, transmit, and safeguard biometric data using reasonable security measures designed to prevent unauthorized access, disclosure, or acquisition of such data. Two security protocols that all companies should consider implementing whenever feasible are encryption and multi-factor authentication, both of which are extremely effective in safeguarding all types of sensitive personal information. At the same time, only those individuals with a business need for biometric data should be afforded access to such data. 
  • Strictly Prohibit Sales and Any Other Form of Profiting From Biometric Data: Strictly bar employees and vendors from selling or otherwise profiting from biometric data, which can be accomplished through the implementation and enforcement of an internal biometric data policy.
  • Vendor Compliance: Ensure that all of the company’s vendors and service providers are also fully compliant with the mandates of Illinois’s biometric privacy statute.