Actual Injury Required for Biometric Suits

** Biometric Plaintiffs Face Significant Setback in Illinois **                                                                                                                                                                                                             

By: Brent E. Johnson

In a growing number of states, biometric information has become a new type of protected data.  This form of information has been of particular concern to legislators spurred by its adoption in everyday uses — for example, in fingerprint scanners and facial recognition technology in smart phones — and its increasing use by employers tracking and verifying their employees’ hours.  The use of biometric information poses unique privacy and security challenges, not the least of which is that — unlike other types of personal identifiers (like a PIN or Social Security Number) — biometric information is permanent and cannot be changed if it falls into the wrong hands.

Background: Illinois was the first state to enact biometric data protections.  Its Biometric Information Privacy Act (740 ILCS 14) (BIPA) passed in 2008, created a “notice and consent” regime wherein: (i) private entities may collect, use or store biometric information only after obtaining a written release by the persons whose biometric information is sought; (ii) private entities are required to notice persons in writing about the specific purposes for and the length of time during which their biometric information will be collected, used or stored; and (iii) private entities must follow notice and consent requirements before disclosing a person’s biometric information to a third party.  Under BIPA, individuals have the right to sue private party violators and recover a minimum of $1,000 for a negligent violation and $5,000 for each violation recklessly or intentionally committed. Plaintiffs may also collect attorneys’ fees and costs.  Texas passed a similar law in 2009 (Capture or Use of Biometric Identifier Act) (Bus & Com § 503.001), and in 2017, Washington state passed a biometric law (H.B. 1493).  During the 2017 legislative session, bills dealing with biometric notice and consent regimes similar to BIPA were introduced in several states, including Alaska (H.B. 72), Arizona, Connecticut (H.B. 5522), Massachusetts (H.B. 1985 ), Montana (H.B. 518), Missouri, New Hampshire (H.B. 523) and New York – but all failed to pass.  The Washington and Texas statutes only allow for enforcement by the attorney general’s office.  Accordingly, Illinois remains the only state with a biometric statute that includes a private right of action – and it is thus the only state that has so far caught the attention of the class action bar.

While the Illinois statute has been in force since 2008, it received little attention until the last two years.  In 2016 and 2017, BIPA actions were brought against companies that use facial-recognition technology, such as FacebookShutterflyGoogleSnapchat, and others, as well as companies that use fingerprint scans, such as L.A. Tan.  Employee suits have also become popular, stemming from the use of biometric information in the workplace, such as fingerprint-operated time clocks.  Hotel chain InterContinental Hotels Group, broadband company Zayo Group, and convenience store chain Speedway LLC have all been the subject of employee lawsuits under BIPA.

For the defense bar dealing with BIPA claims, two major questions have been: (i) Can a company be sued for technical violations of the Act where no damages were sustained by the plaintiffs’ class? and (ii) Does BIPA have extraterritorial application?

The first question recently received attention by the Illinois Court of Appeals.  In Rosenbach v. Six Flags Entm’t Corp., 2017 WL 6523910 (Il. Ct. App., Dec. 21, 2017), Stacy Rosenbach, whose son’s thumbprint was taken by Six Flags after he purchased a season pass for one of its Great America theme parks, sued the company for violating BIPA based on her allegation that it failed to properly obtain written consent or disclose Six Flag’s plan for the collection, storage, use or destruction of her son’s biometric identifiers or information.  Six Flags moved to dismiss, arguing that under Section 20 of BIPA any right of action is limited to a “person aggrieved,” which excludes Plaintiff because she failed to allege any actual injury.  The lower court denied the theme park company’s motion to dismiss, but later certified to the appellate court two questions relating to whether individuals “aggrieved by a violation of the act” can rely solely on alleged violations of the notice and consent requirements or whether they must allege some actual harm.  In answering these questions, the Court of Appeals held that in order to meet the definition of an aggrieved person under the statute, plaintiffs must claim some actual harm. The Court noted, “if the Illinois legislature intended to allow for a private cause of action for every technical violation of the Act, it could have omitted the word ‘aggrieved’ and stated that every violation was actionable.  A determination that a technical violation of the statute is actionable would render the word ‘aggrieved’ superfluous. Therefore, a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under section 20 of the Act.”  2017 WL 6523910 at ¶ 23. The court rejected Plaintiff’s argument that biometric privacy, itself, is a right that is injured by violation of the statute.  Id. at ¶ 20.  This decision has the potential to foreclose on scores of current BIPA class actions – specifically those that have recently been filed and are seeking statutory penalties for naked violations of BIPA without a clear nexus to any consequential harm or injury.

The second question remains unsettled. To be sure, courts appear clear that an Illinois “statute is without extraterritorial effect unless a clear intent in this respect appears from the express provisions of the statute” (Avery v. State Farm Mut. Auto. Ins. Co., 835 N.E.2d 801, 852 (2005)) and recognize that none of BIPA’s express provisions indicate that the statute was intended to have extraterritorial effect (see Monroy v. Shutterfly, Inc., No. 16 C 10984, 2017 WL 4099846, at *5 (N.D. Ill. Sept. 15, 2017) (finding that BIPA does not apply extraterritorially). But what does that mean in the internet age?  For example, in Monroy, Plaintiff was acknowledged to be a resident of Florida and Defendant Shutterfly was acknowledged to be a Delaware Corporation – but the allegations of the Complaint were that Plaintiff’s friend, located in Illinois, uploaded his photo to Shutterfly’s servers triggering the alleged biometric violation.  In those circumstances, was the Florida resident entitled to the protections of BIPA?  The federal district court could not decide, noting that it was unclear where the actual scan of plaintiff’s face geometry took place, where the scan was stored once it was obtained, and, when stored in cyberspace, how physical location is to be determined – thus finding that the ultimate answer to the extraterritorial question raised a question of fact not suited for dismissal under Rule 12.