Last year was significant in Illinois Biometric Information Privacy Act (BIPA) litigation, primarily because of the many ‘firsts’ that resulted, including the first-ever BIPA trial that resulted in a staggering judgment of $228 million for 45,600 reckless/intentional violations of the statute. But aside from the jaw-dropping verdict and the Illinois Supreme Court’s decision in early 2022 holding that BIPA is not preempted by the Illinois Workers’ Compensation Act, not all decisions last year were discouraging for those defending BIPA lawsuits. Below we discuss a few of the important defense-friendly decisions from last year’s consumer-side BIPA lawsuits that will shape how businesses defend and plaintiffs prosecute BIPA actions in 2023 and beyond.
Virtual try-on tools can be exempt from BIPA under the “health care exemption.”
As the plaintiffs’ bar finds creative ways for BIPA’s applicability, we have seen a recent trend of lawsuits against businesses offering virtual try-on features for consumers to try various products at home, including glasses and makeup, through the use of a consumer’s computer or phone camera. But in September, the court held in Svoboda v. Frames for America, Inc., 21-C-5509, 2022 WL 4109719 (N.D. Ill. Sept. 8, 2022), that BIPA did not regulate the virtual try-on tool in this instance because it fell under the statute’s “health care exemption.”
Frames for America, Inc. sells prescription and non-prescription eyewear through its website FramesDirect.com, and consumers can use a virtual feature to try on glasses or sunglasses through its website. According to the complaint, the plaintiff alleged that Frames for America used software to scan a consumer’s facial geometry from a photograph uploaded by the consumer and then digitally placed the eyewear over the consumer’s face. Id. at *1. While there are only a few exemptions, BIPA contains an exemption for “information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment or operations under the federal Health Insurance Portability and Accountability Act of 1996.” See 740 ILCS 14/10.
The court dismissed the plaintiff’s complaint, holding that she “was a patient receiving a health care service in a health care setting” when she used the virtual try-on tool. Id. at *3. Even though she did not request any medical treatment, consult an eye doctor, or ultimately purchase any eyewear (id. at *1), the court concluded that “prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses are all Class 1 medical devices.” Id. at *2. Therefore, “[e]ven if she did not personally consult with any trained or licensed professional, [plaintiff] would have received a health care service had she purchased the glasses ….” Id. In as much, the court analogized the virtual try-on feature in this case to services similarly offered in optometrists’ offices. Id.
Universities are exempt from BIPA under the “financial institution exemption.”
In Powell v. DuPaul Univ., No. 21-cv-3001, 2022 WL 16715887 (N.D. Ill. Dec. 6, 2022), the plaintiff alleged that the university violated BIPA by using an online remote proctoring tool that captured, collected, and stored his biometric information and identifiers. Id. at *1. The plaintiff further alleged that the university collected his biometric data without providing notice, obtaining consent, or disclosing how long the data would be retained before it was permanently destroyed. Id.
In its Rule 12(b)(6) motion to dismiss, DePaul maintained that it is a financial institution under BIPA and thereby exempt from the statute under Section 25(c). Here, DePaul relied upon the express terms of BIPA, which states explicitly that the Act does not apply to financial institutions subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”). Id. at *1. Pointing out that it participates in the U.S. Department of Education’s Federal Student Aid Program, DePaul reasoned that it is therefore considered a financial institution subject to Title V of the GLBA. Id. To further its position, DePaul noted that both the Federal Trade Commission (“FTC”) and the Department of Education (“DOE”) recognize that universities are considered financial institutions under the GLBA and that Title V rulemaking authority lies with the Consumer Financial Protection Bureau (“CFPB”), which adopted and republished the privacy rules initially promulgated by the FTC. Id. at *2. There, the FTC rules state that any institution “significantly engaged in financial activities” is considered a financial institution. Id.
The court agreed with DePaul and determined that section 25(c) of BIPA applies to higher education institutions. The court was notably persuaded by DePaul’s reliance on the FTC’s position because it evidenced a longstanding, consistent, and well-reasoned interpretation of the GLBA it was tasked to administer. Id. at *2. Moreover, documents supporting DePaul’s motion further established that it “engage[d] in student aid and lending funds,” making it a financial institution subject to Title V of the GLBA and exempt from BIPA. Id. at *3. The court also pointed to many other 2022 decisions (and one late 2021 decision) that take a consistent position — that the financial institution exemption of BIPA applies to higher education institutions. Id., citations omitted.
A business may not be held liable under BIPA where there is no showing of acquisition of biometric data in Illinois.
In Vance v. Microsoft Corp., 20-1082, 2022 WL 9983879 (W.D. Wash. Oct. 17, 2022), plaintiffs were longtime Illinois residents who, beginning in 2008, uploaded digital photographs, including photos of themselves, to Flickr, a photo-sharing website. Id. at *1. In 2014, Yahoo!, Flickr’s then-parent company, publicly released a dataset of about 100 million photographs uploaded to Flickr’s website in the past decade. Id. To study fairness and accuracy in facial recognition technology, researchers working with IBM used one million photos from the released dataset to develop the Diversity in Faces Dataset (the “DiF Dataset”). Id. at *2. In 2019, two individuals affiliated with Microsoft downloaded the DiF Dataset. Id. The first individual, a consultant hired by Microsoft to assist with evaluating facial recognition technology, downloaded the DiF Dataset while in Washington State. Id. at *2-3. The other individual was a student intern for Microsoft who downloaded the DiF Dataset in New York to assist with her research on facial recognition facial systems. Id. at *3-5. Even though Microsoft’s two agents downloaded the DiF Dataset outside of Illinois, the plaintiffs brought the class action in a federal court in Washington state alleging that Microsoft’s data management process involved saved data being “chunked (i.e., divided into non-overlapping packets of data bits),” encrypted, and stored in a data center in Chicago, Illinois. Id. at *3.
All of the claims went to summary judgment, and Microsoft argued that plaintiffs’ BIPA claims failed because the statute cannot apply to conduct outside Illinois. Id. at *5. Thus, applying BIPA to Microsoft’s conduct outside of Illinois would violate the Commerce Clause of the United States Constitution. Id. Under Illinois law, a “statute is without extraterritorial effect unless a clear intent in this respect appears from the express provisions of the statute.” Id. at *6, citation omitted. Microsoft asserted that Illinois’ extraterritoriality doctrine bars plaintiffs’ BIPA claims because none of its conduct relating to those claims took place in Illinois. Id. at *6. Instead, the relevant conduct — downloading, reviewing, and evaluating the DiF Dataset — took place in Washington and New York. Id. Therefore, Microsoft argued that the plaintiffs cannot prove that its conduct occurred “primarily and substantively in Illinois.” Id., citation omitted.
The court granted summary judgment in favor of Microsoft in its entirety and, concerning the BIPA claims, held that even if Microsoft stored “chunked” and encrypted copies of the DiF Dataset on a cloud server in Illinois, “the relevant section of BIPA regulates only the acquisition of data, rather than the encrypted storage of data after it is acquired. Id. at *7, citing BIPA § 14/15(b). Pointedly, the court held that plaintiffs “have not identified any other relevant conduct by Microsoft that took place either primarily or substantively in Illinois. Id. The plaintiffs’ key argument in its opposition was reliance upon various high-profile BIPA cases, including the In re Clearview multi-district litigation, Rivera v. Google, and Monroy v. Shutterfly, to argue that claims relating to photos taken and uploaded to the internet in Illinois survived the extraterritoriality doctrine. Id. The court readily distinguished those cases by highlighting that, in each instance, “the plaintiffs alleged that the defendant itself reached into Illinois to collect their photographs, scan the photographs, and/or generate facial measurements or templates for use in facial recognition systems without the plaintiffs’ consent” Id. Therefore, and not having to address the Commerce Clause argument, the court concluded that “any connection between Microsoft’s conduct and Illinois is too attenuated and de miminis for a reasonable juror to find that the circumstances underlying Microsoft’s alleged BIPA violation ‘occurred primarily and substantively in Illinois.'” Id. at *8.
Plaintiffs are not entitled to nationwide discovery for BIPA claims.
The In re Clearview AI, Inc. multi-district class action, No. 21-cv-135 (N.D. Ill.), is a consolidated lawsuit alleging that Clearview violated BIPA and California and New York laws through its development and use of facial recognition technology. Specifically, the plaintiffs’ complaint alleges that Clearview “covertly scraped billions of photographs of facial images from the internet and then used artificial intelligence algorithms to scan the face geometry of each individual depicted in the photographs to harvest the individuals’ unique biometric identifiers and corresponding biometric information.” Id. at Dkt. 272, p. 1. Retail giant Macy’s is the lone retail defendant in the lawsuit and is alleged to have used Clearview’s database over 6,000 times, each time uploading an image to the database to search for a match. Id. at p. 2.
In June, a discovery dispute arose between plaintiffs and Macy’s after Macy’s limited its discovery responses to activities taking place in Illinois, New York, and California. Dkt. 361, p. 7. Plaintiffs argued that Macy’s limitation was improper because “regardless of whether Macy’s, Inc. performed the search from a store in Texas, Alabama, Delaware or any other location … each such search necessarily involved Plaintiffs’ and class members’ biometrics and possibly resulted in their images being returned as search results.” Id. In response, Macy’s argued that it is only defending state law claims arising under Illinois, New York, and California laws, and its alleged activities and conduct outside those states is irrelevant. Dkt. 378, p. 2. Macy’s further argued that “[p]laintiffs’ request is an attempt to investigate over five-hundred Macy’s store locations, in forty-three jurisdictions that are not at issue in this litigation.” Id.
The court agreed with Macy’s — that its limitation to discovery in only Illinois, New York, and California is appropriate, “given that [p]laintiffs’ current claims are predicated solely on the state laws of those three states.” Dkt. 388, citing Miner v. Gov’t Payment Serv., Inc., No. 14-cv-7474, 2017 WL 3909508, at *5 (N.D. Ill. Sept. 5, 2017) (“[T]he factual allegations of the [putative class action] complaint, confined as they are to Cook County transactions, do not support discovery as to any other counties.”). The court further agreed that requiring Macy’s “to gather discovery for its stores located in forty-three other jurisdictions where [p]laintiffs do not allege claims would be unreasonably burdensome.” Id.
As evidenced above, the BIPA landscape continues to take shape, and 2022 provided substantive decisions to help businesses defend against BIPA class actions moving forward. From a pleading perspective, companies need to understand the type of biometric information at issue in the lawsuit, how it is obtained, and how the technology is described and plead in the complaint. In addition to essential compliance, including providing a publicly available retention schedule, written notice, and obtaining written consent, businesses using biometric technology should also consider auditing their technologies to determine whether any exemptions to BIPA are applicable. While an audit will not eliminate the possibility of a lawsuit, it will allow businesses to analyze potential defenses and take cost-effective measures.