In recent years, a new genre of privacy litigation has emerged involving biometrics. Generally, biometrics consists of biological data that can be used to identify a person, such as retina and iris scans, fingerprints, voiceprints, and facial scans. Companies in several industries have invested significant resources in biometric identification technology – potential uses of the technology are vast, and include replacing traditional alphanumeric passwords, facilitating financial and retail transactions, and monitoring shopper behavior and employee hours. As this area of technology grows in scope and application, companies are challenged to keep up with evolving and often uncertain regulatory and judicial requirements governing use, storage, and disclosure of biometric data.
Plaintiffs’ attorneys appear to be monitoring all this activity, and their interest may be motivated by the Illinois Biometric Information Privacy Act, 740 ILCS 14 (BIPA). Like many state privacy statutes, the BIPA provides for a private right of action, attorneys’ fees and harsh statutory penalties for even technical violations, with no cap on aggregate damages.
Last week, in the first substantive ruling in a putative class action brought under the BIPA, a federal judge in the Northern District of Illinois denied the defendants’ motion to dismiss and allowed BIPA claims to proceed under a permissive and broad reading of the statute’s scope. Norberg v. Shutterfly, Inc. and ThisLife.Com, Inc., No. 15-cv-5351. Given this legal landscape, it is critically important for companies using biometric data to understand and comply with the requirements of the BIPA and similar statutes. To aid in that endeavor, below is a summary of the BIPA, as well as an explanation of the court’s denial of the motion to dismiss in the Shutterfly case.
Requirements of the BIPA
The BIPA regulates the collection and storage of “biometric identifiers” and “biometric information.” The BIPA defines a “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” 740 ILCS 14/10. Other potential identifiers are expressly excluded from the definition, including “writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.” Id. “Biometric information,” in turn, “means any information, regardless of how it is captured, converted, stored, or shared based on an individual’s biometric identifier” that is “used to identify an individual.” Id. The statute, however, expressly excludes from that definition “information derived from items or procedures excluded under the definition of biometric identifiers.” Id.
The statute imposes numerous obligations on businesses regarding biometric identifiers and biometric information. For example, a business may not “collect, capture, purchase, receive through trade, or otherwise obtain” biometric identifiers or biometric information unless it first: (1) provides written notice that “a biometric identifier or biometric information is being collected or stored;” (2) provides written notice of “the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used;” and (3) “receives a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative.” Id. 14/15(b).
Any business that possesses biometric identifiers or biometric information is prohibited from disclosing such information unless (1) the business obtains appropriate consent, (2) the disclosure completes a financial transaction requested or authorized by the subject or (3) the disclosure is required by law or pursuant to a valid warrant or subpoena. Id. 14/15(d). The business must develop a written policy that is made available to the public, “establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first.” Id. 14/15(a). The business must store, transmit and protect from disclosure biometric identifiers and biometric information using the reasonable standard of care within its industry, and in a manner at least as protective as the manner in which the business stores, transmits, and protects other confidential and sensitive information. Id. 14/15(e). Finally, the business is prohibited from selling, leasing, trading or otherwise profiting from such information. Id. 14/15(c).
Significantly, the BIPA authorizes “any person aggrieved by a violation of this Act” to bring a private action. Id. 14/20. That language arguably suggests that any plaintiff must have suffered actual injury to have statutory standing to maintain a claim. See BLACK’S LAW DICTIONARY (9th ed. 2009) (“aggrieved” means “having suffered loss or injury”; “injured”). A plaintiff who can establish a BIPA violation can recover statutory damages of $1,000 up to $5,000 per violation, attorneys’ fees and costs. The potential for aggregating these penalties on a class-wide basis and the availability of attorneys’ fees is what makes the BIPA an attractive statute for the plaintiffs’ class action bar.
Early Ruling in the Shutterfly Action Under the BIPA
This summer, one of the first putative class actions under the BIPA was filed against Shutterfly, Inc., and its subsidiary, ThisLife.Com, Inc., in the Northern District of Illinois. Norberg v. Shutterfly, Inc. and ThisLife.Com, Inc., No. 15-cv-5351. In that case, the plaintiff alleges that the defendants violated the BIPA by using facial recognition technology to identify and categorize photographs uploaded to defendants’ websites based upon the people in them. Plaintiff, who is not a Shutterfly user, claims that the defendants used his unique facial geometry to recognize and identify him in photographs that others posted to Shutterfly’s websites, without his consent and without satisfying the many requirements of the BIPA. The suit seeks statutory damages for each alleged violation as well as injunctive relief, on behalf of a class of Illinois residents.
On July 31, 2015, the defendants filed a motion to dismiss, arguing that the BIPA did not apply to their conduct. They claimed that the definition of “biometric identifier” in the statute expressly excludes photographs, and that the definition of “biometric information” similarly does not encompass information derived from photographs. Therefore, defendants argued that the use of facial recognition technology on an uploaded photograph, and the information derived therefrom, was excluded from the BIPA’s reach. Defendants also challenged the court’s exercise of personal jurisdiction, as both of the sued entities were out-of-state corporations.
On December 29, 2015, Judge Norgle denied the defendants’ motion to dismiss, acknowledging that “to this date, the Court is unaware of any judicial interpretation of the statute.” After recognizing that the biometric data covered by the BIPA does not include photographs or information derived therefrom, the court nevertheless concluded as follows:
Here, Plaintiff alleges that Defendants are using his personal face pattern to recognize and identify Plaintiff in photographs posted to Websites. Plaintiff avers that he is not now nor has he ever been a user of Websites, and that he was not presented with a written biometrics policy nor has he consented to have his biometric identifiers used by Defendants. As a result, the Court finds that Plaintiff has plausibly stated a claim for relief under the BIPA.
In addition, the court rejected defendants’ personal jurisdiction argument, finding not only that their alleged violation of the BIPA “stems out of their contact with Illinois residents,” including the named plaintiff, but also that the defendants operate websites in all 50 states, offer their services to citizens of Illinois, and ship their products to consumers in Illinois as well.
The Shutterfly case is one of a handful of putative class actions pending under the BIPA. See Licata v. Facebook, Inc., Nos. 3:15-cv-03748, 3:15-cv-03749, and 3:15-cv-03747 (N.D. Cal.); Gullen v. Facebook, Inc., No. 1:15-cv-07681 (N.D. Ill.); Norberg v. Shutterfly, Inc., No. 1:15-cv-5351 (N.D. Ill.); Santana v. Take-Two Interactive Software, Inc., No. 15-cv-8211 (S.D.N.Y.); Rottner v. Palm Beach Tan, Inc., No. 2015-ch-16695 (Cook Cty. Ill.); Sekura v. L.A. Tan Enters., Inc., No. 2015-ch-16694 (Cook Cty. Ill.). All of these cases are in early stages. In fact, Facebook has moved for dismissal of the BIPA actions against it based, in part, on the argument that the BIPA does not cover information derived from photographs using facial recognition technology. Whether other judges will follow the Shutterfly court’s lead on that issue, or whether they instead take a different approach to their early rulings under the BIPA, will likely serve as the barometer for how aggressively the plaintiffs’ bar continues to pursue this developing area.
* * *
The use of biometrics in business is expected to grow exponentially in the near future, and the laws governing its possession, collection, and use are likely to expand as well. In addition to the BIPA in Illinois, other states are considering their own biometrics legislation, and Texas has passed a biometrics statute that enables the state attorney general to sue for civil penalties. Tex. Bus. & Com. Code Ann. § 503.001. It is vitally important that, as companies consider using biometrics in their businesses, they understand and account for the requirements of the BIPA and other similar statutes, and take steps to ensure compliance. Indeed, the inherent risks and potential liability for even technical violations are substantial, particularly in the context of a class action.