Companies facing class action litigation stemming from Illinois’ Biometric Privacy Act, 740 ILCS 14/1 et seq. (BIPA), will not get conclusive guidance from the U.S. Supreme Court on the issue of Article III standing. Despite the substantial increase in BIPA class actions filed between 2018 and 2019, and amici briefs imploring the Supreme Court to review a Ninth Circuit holding for one such case, the high court declined to weigh in and denied certiorari. As a result, questions persist as to whether class action plaintiffs bringing BIPA claims in federal court have Article III standing due to continued inconsistent treatment within the Ninth Circuit and elsewhere regarding what constitutes real, concrete and particularized injury in cases relating to intangible harms. Therefore, companies with Illinois employees or consumers will continue to face uncertainty, and plaintiffs may aggressively shop for favorable fora (including California) to bring such cases.
BIPA seeks to provide privacy safeguards to Illinoisans around the collection of “biometric identifiers,” like facial recognition, hand geometry, retina scans, and fingerprints, and the use of those identifiers as “biometric information.” BIPA prohibits entities from collecting certain biometric identifiers and biometric information without providing prior written notice to and obtaining prior informed written consent from the individual whose biometric data is collected. BIPA also prohibits profiting from the sale of biometric data and restricts how entities transfer, retain, and store certain biometric data they collect. Entities that collect biometric data subject to BIPA must have a written policy that details that entity’s retention schedule for that data, including guidelines for how it destroys the biometric data it collects. Such policies must also be publicly available. The notice, policy, and retention requirements have been easy areas for technical noncompliance, triggering litigation and ground-breaking settlements.
Because BIPA’s private right of action grants those who have been “aggrieved” by an “offending party[’s]” BIPA violation the right to sue, plaintiffs have alleged that violations of law, in and of themselves, where privacy interests are present, amount to concrete and particularized injuries. Effectively, in Patel, both the Northern District of California and the Ninth Circuit held that injuries in-law amount to injuries in-fact where privacy interests are alleged to be present. The Ninth Circuit ruled that the provisions of BIPA at-issue were implemented to protect “concrete interests” in privacy and that the alleged violation of BIPA amounted to an injury-in fact given the unique nature of biometric data and how easily it can be comprised if mishandled – although there was no allegation of any actual or imminent risk of mishandling. Reed Smith represented TechFreedom, a non-partisan think tank that supports privacy and innovation, in amicus curiae briefs filed in both the Ninth Circuit petition for rehearing and the petition for certiorari at the U.S. Supreme Court. Without the clarity that would have been afforded from the Supreme Court, what qualifies as an injury-in fact to a plaintiff, particularly given the unique nature of biometric data and how easily it can be compromised if mishandled, remains a key open question.
The Supreme Court’s denial of certiorari could have major implications for BIPA class actions, both outside and within the Ninth Circuit unless and until clearer standards for standing and other unsettled aspects of BIPA are resolved. Additionally, this could potentially lead to a significant uptick in forum shopping, as the courts of many other jurisdictions have refused to find Article III standing in cases brought under consumer privacy statutes, and thus plaintiffs will be inclined to seek out courts located within the Ninth Circuit’s bounds. This could have a major impact on how companies that collect and use biometric data approach BIPA litigation (as each BIPA violation can cost the “offending party” up to $1,000 for a negligent violation and $5,000 for an intentional or reckless violation) and compliance strategy (as synergies may grow between class actions and FTC enforcement, which has seen significant recent upticks).
Beyond the issue of Article III standing, there are other questions that will be left for lower courts to answer. For example, there remain outstanding interpretive issues, including the contours of the “biometric identifier” definition and whether a biometric data point sufficiently separated from its subject (such that it could not reliably identify them) would still qualify. BIPA’s legislative findings state that biometrics are “biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions” 740 ILCS 14/5(c). However, courts have yet to clarify whether such biometrics must be sufficiently capable of identifying their owner before they can qualify as a “biometric identifier” under the statute. Additionally, lower courts will have to decide how to distinguish negligent BIPA violations and intentional or reckless BIPA violations, what the appropriate statute of limitations is for BIPA claims, and when an entity that collects biometric identifiers must develop a written retention schedule and disclosure policy. At the same time that lower courts grapple with these issues, companies seeking to implement biometric technologies will face challenges as they seek to comply and mitigate class action risk in an unresolved biometric legal landscape.