Is it true that what happens in Illinois, stays in Illinois? Not so, at least when it comes to litigation under the Biometric Information Privacy Act (“BIPA”). In 2008, the Illinois General Assembly enacted “BIPA”, which provides a private right of action to individuals whose biometric data is collected by private entities that don’t comply with the informed consent, retention policies, and security mandates imposed under the law. Under BIPA, plaintiffs may seek statutory damages of $1,000 or $5,000 per violation, depending on whether the conduct is negligent or intentional or reckless, respectively. Fast forward a little more than a decade, and the number of putative class action lawsuits asserting BIPA claims approaches one thousand and cases are settling for millions of dollars (and even hundreds of millions of dollars). Businesses both inside and outside of Illinois should be paying attention. Why? Because there is litigation risk, not only for Illinois companies but also those beyond the borders of the Prairie State. As of the publication date, at least 29 BIPA lawsuits have proceeded in jurisdictions outside of Illinois.
Under Illinois law, a statute is without extraterritorial effect unless a clear intent appears from its express provisions. Nothing in the legislative history of BIPA suggests it was intended to apply outside the state. Despite the lack of intent by the Illinois General Assembly, plaintiffs throughout the country have filed class actions seeking certification of broad classes of individuals, regardless of where alleged BIPA violations have occurred, where the named defendants are located or where the alleged information has allegedly been collected or otherwise obtained.
In Monroy v. Shutterfly, a case filed in the Northern District of Illinois, the plaintiff claimed that someone in Chicago uploaded his photograph onto Shutterfly’s website. He alleged Shutterfly then used facial recognition software to scan the photo and create a detailed template of his face. Shutterfly moved to dismiss the case, asserting that the plaintiff’s lawsuit was an improper attempt to apply BIPA extraterritorially. Although the photo was uploaded from a device in Illinois, Monroy was a citizen and resident of Florida, and Shutterfly is a Delaware corporation headquartered in California. Nevertheless, the court held that these factors alone were insufficient to determine whether BIPA applies extraterritorially. It denied the motion to dismiss but allowed Shutterfly to raise the issue again if and when the facts revealed where the scan was collected and stored, and whether the claim can be said to have occurred primarily and substantially within Illinois. Thus, the case proceeded through fact discovery. Another judge in the Northern District of Illinois very recently reached the same conclusion in Vance, et al. v. Int’l Bus. Machines Corp.
In Neals v. PAR Technology Corp., another Northern District of Illinois case, the defendant filed a motion to dismiss arguing that the extraterritoriality doctrine barred the plaintiff’s claims because the relevant circumstances occurred outside of Illinois due to the fact that the defendant is located outside of Illinois. While granting the motion to dismiss, the court noted that the defendant’s physical location and the location of its servers were not determinative of BIPA’s application. However, because the plaintiff did not allege that she scanned her finger while in Illinois, the court could not determine that her fingerprint was collected in Illinois. Had she done so, then she would have alleged sufficient facts indicating that the circumstances relating to the purported transaction occurred primarily and substantially in Illinois; the transaction would involve an Illinois resident having her biometric information collected in Illinois by a private entity without the entity providing the requisite disclosure and obtaining the required consent in Illinois. Id. at 1091.
The Ninth Circuit Court of Appeals applied a similar analysis in Facebookv. Patel, stating:
[T]he parties’ dispute regarding extraterritoriality requires a decision as to where the essential elements of a BIPA violation take place . . . . Given the General Assembly’s finding that ‘[m]ajor national corporations have selected the City of Chicago and other locations in this State as pilot testing sites for new applications of biometric-facilitated financial transactions,’ . . . it is reasonable to infer that the General Assembly contemplated BIPA’s application to individuals who are located in Illinois, even if some relevant activities occur outside the state. . . If the violation of BIPA occurred when the plaintiffs used Facebook in Illinois, then the relevant events occurred ‘primarily and substantially’ in Illinois. . . . If the violation of BIPA occurred when Facebook’s servers created a face template, the district court can determine whether Illinois’s extraterritoriality doctrine precludes the application of BIPA.
Thus, while there seems to be little doubt that the location of the user is a major factor in determining whether BIPA would apply, the Ninth Circuit held it is not the only factor.
Going a step further, plaintiffs have been filing putative class action suits asserting BIPA claims outside of Illinois, while also asserting nationwide class claims for unjust enrichment and other non-Illinois state law theories, relying on BIPA violations to establish unlawful conduct by the defendant. For example, numerous lawsuits have been brought against Clearview AI in other states, including California, Illinois, New York, and Vermont. Clearview AI is a Delaware corporation with headquarters in New York. The company collects images on the internet and organizes them into a searchable database, which licensed users can comb through. Clearview AI hosts its data on servers located in New York and New Jersey. In one case filed in the Southern District of New York on May 4, 2020, residents of New York, California, and Illinois filed a putative class action complaint against Clearview AI on behalf of a nationwide class and separate sub-classes of residents of Illinois, California, and New York. In addition to a BIPA claim, the plaintiffs also brought claims under California Business and Professional Code Section 17200, California Common Law Right of Publicity, and California Constitutional Right to Privacy. The plaintiffs also alleged common law claims for intentional interference with contractual relations and unjust enrichment, using claimed BIPA violations as one of the predicates to assert that the defendant engaged in unlawful conduct.
Finally, other states, and even cities, have enacted legislation and ordinances similar to BIPA. Specifically, there are laws in Texas, Washington, California, New York, and Oregon that include informed consent and destruction requirements for biometric data. The city of Portland, Oregon, recently passed an ordinance prohibiting both city and private use of facial recognition technology. In addition, on August 4, 2020, Senators Jeff Merkley and Bernie Sanders proposed a federal bill—the National Biometric Information Privacy Act—which is modeled upon BIPA, including both a written consent requirement and a private right of action. With these significant developments, biometric privacy is no longer an Illinois-specific issue. Any businesses collecting, storing, or using biometric data should review relevant laws to avoid the substantial risks associated with biometric litigation.
Molly K. McGinley concentrates her practice at K&L Gates LLP in commercial litigation with a focus on complex litigation, including investment company litigation, securities litigation, and class action defense. Ms. McGinley is a leader of the firm’s biometric data compliance and defense affinity group and has advised several clients with respect to putative class action litigation and compliance under the Illinois Biometric Information Privacy Act.
Kenn Brotman focuses his practice at K&L Gates LLP on complex commercial litigation, including breach of warranty, breach of contract, and breach of fiduciary duty matters, as well as product liability, premises liability, general tort liability, and toxic tort. He is a member of the firm’s biometric data compliance and defense affinity group and has advised clients with respect to litigation and compliance under the Illinois Biometric Information Privacy Act.