Seventh Circuit Lowers the Federal Standing Threshold for Illinois Biometric Privacy Act Claimants
This week, the Seventh Circuit Court of Appeals issued a decision that opens the door to more frequent federal court determination of statutory claims under the Illinois Biometric Information Privacy Act,
In 2008, the Illinois Legislature passed BIPA to “regulat[e] the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.”
In order to “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information,” BIPA, in its section 15(b), requires that the private entity attempting to collect, purchase, receive, or otherwise obtain such information:
[inform] the subject or the subject’s legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
[inform] the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
[receive] a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative.
Under section 15(a) of the statute, BIPA also separately requires a private entity that possesses biometric identifiers or information to develop and make public a written policy “establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.”
BIPA provides a private right of action to any person “aggrieved by a violation” of BIPA, whereby such a person may seek damages, attorney’s fees and costs, and injunctive relief.
The Bryant Opinion
In Bryant, a call-center employee filed a class-action lawsuit in the Cook County Circuit Court in the State of Illinois against Compass Group USA (“Compass”), claiming that Compass violated BIPA’s informed-consent requirement (section 15(b) of BIPA) when it mandated that employees provide fingerprints to use vending machines without first or concurrently informing the employees that, or for how long, their fingerprints would be collected and stored, and also without obtaining a written release from each employee to collect, store, and use their fingerprints. Bryant further alleged that Compass failed to publicly disseminate a retention and destruction policy for the fingerprints it collected and stored, in violation of section 15(a) of BIPA.
Compass removed the suit to federal court under the federal Class Action Fairness Act, 28 U.S.C. § 1332(d). Bryant sought a remand order by asserting that the alleged injury—technical violations of BIPA’s informed-consent and written-policy requirements—does not support the “aggrieved” party standing requirement of Article III of the U.S. Constitution. The United States District Court for the Northern District of Illinois agreed with Bryant’s position and remanded the case to state court.
In a long-awaited opinion, the Seventh Circuit Court of Appeals reversed the District Court’s remand order. Specifically, the Seventh Circuit held that the mere violation of BIPA’s informed-consent provisions (section 15(b)’s so-called “heart of BIPA”
In contrast to its conclusion concerning standing for informed consent litigation under section 15(b), the Seventh Circuit also held that a violation of BIPA’s written-policy requirement (section 15(a)) does not confer standing on individuals.
Bryant May Have a Significant Impact on BIPA Litigation
Many legal commentators believe that the impact of the Seventh Circuit’s Opinion in Bryant has a chance to be wide-ranging and fundamental. First, as Bryant removes a procedural standing hurdle necessary for a case brought under section 15(b) of BIPA to proceed in federal courts in the Seventh Circuit, there is likely to be an uptick in BIPA lawsuits filed in and removed to federal courts, particularly in the Northern District of Illinois, where so many businesses are based and the plaintiffs’ bar is particularly active. Second, the Bryant opinion may result in a decrease in BIPA lawsuits filed in the Ninth Circuit, which previously stood alone in holding (similar to the Seventh Circuit in Bryant) that Article III standing may be found even where only a procedural violation of BIPA has occurred,
Still, it cannot be lost that the Seventh Circuit in Bryant expressly distinguished technical violations of BIPA’s written policy provision (section 15(a)) from technical violations of BIPA’s informed-consent provision (section 15(b)), finding the former to be insufficient to confer Article III standing. In so doing, the Seventh Circuit has confirmed a definitive viewpoint that not all statutory violations will automatically constitute grounds to pursue BIPA litigation in federal court. Bryant therefore stops short of the implicit rule endorsed by the Ninth Circuit that even technical violations of BIPA’s section 15(a) can confer Article III standing.
The Seventh Circuit’s Bryant Opinion comes at a unique time. COVID-19 has resulted in numerous legal and policy changes, at both governmental and corporate levels, that implicate privacy concerns.
Over the coming months and years, companies must be attentive to their privacy policies and practices, and those of their vendors, as converging legal, social, and technological forces are increasing exposure to class-action litigation under BIPA and other privacy statutes in both state and federal courts. Paul Hastings remains uniquely positioned to aid in the review and revision of biometric information collection and retention policies, and can draw on its wealth of experience to capably guide clients through emerging data-privacy challenges. Our Chicago legal team’s experience navigating BIPA and other privacy issues is supported by Paul Hastings’ nationally unique and cross-disciplinary team of legal and regulatory experts—including a former U.S. Department of Homeland Security cyber-policy expert, high-profile privacy and security officers of Fortune 100 companies, and Ph.D.-credentialed data scientists with diverse perspectives and experiences in business, law, and technology.