Privacy Litigation 2020 Year in Review: BIPA Litigation

Last year was busy for Biometric Information Privacy Act (BIPA) litigants. Defendants in 2020’s flood of BIPA cases ranged from technology companies developing novel biometric products to amusement parks and healthcare organizations leveraging biometric tools for employee and customer authentication. Even small businesses, such as bakeries and restaurants, found themselves in the crosshairs of BIPA cases. Yet despite the healthy clip of litigation, open questions remain about the law’s scope and reach. These questions—involving standing, settlement value, and more—were hotly contested in 2020, with no signs of letting up this year.

BIPA by the Numbers

In 2020, at least 54 court rulings referenced BIPA. This is more than double 2019’s count. Appeals courts in the Ninth and Seventh Circuits last year weighed in on contested issues three times, along with another three appellate decisions from Illinois State courts. Most of the action was in the federal district courts, with at least 48 rulings. Of those, at least 44 were filed in Illinois federal courts, three in California, and one in New York. And the pace does not appear to be slowing; just this past December, plaintiffs filed at least 30 new BIPA complaints, following more than 25 last November.

Just as BIPA case filings and rulings grew, so did settlement activity. 2020 saw multiple settlements, ranging from $1.8 million to an estimated $650 million in value.[1] Judges in Illinois and California federal courts also rejected initial settlement proposals last year. With such a wide range of settlement amounts, assessing potential settlement value of a case remains uncertain. We expect more data points will spring up in 2021.

BIPA’s (Multi) million-Dollar Question: Article III Standing

A great deal of last year’s BIPA litigation activity concerned Article III standing disputes. The Second, Seventh, and Ninth Circuits split on questions of Article III standing under BIPA. As we enter 2021, these circuit splits remain.

Standing questions about BIPA abound in large part due to the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins,[2] which held that a “bare procedural violation” of a statute cannot confer Article III standing if the plaintiff fails to also allege a “concrete harm.”

Litigants raised Article III standing issues in the context of two types of BIPA claims in 2020:

First – Section 15(b) claims against a private entity that collects or stores an individual’s biometric information without obtaining their informed and written consent.[3] For instance, can employees who scan their fingerprints to clock in and out of a workplace for timekeeping purposes bring suits against employers who do not obtain consent for the collection of fingerprint data?

Courts have not ruled uniformly on whether a plaintiff has standing to bring a Section 15(b) claim (concerning collection and storage of biometric information) even if no further injury is asserted. Some courts have interpreted the collection of the biometric information itself as an actionable invasion of privacy. The Ninth Circuit, for instance, concluded in 2020 that social media users had standing to bring a claim that a social media platform collected and stored their face templates.[4] The Seventh Circuit similarly found that there was standing for claims brought by an employee who had to create an account using her fingerprint to access a vending machine in her workplace, and another employee whose handprint was collected and used by her employer for its timekeeping system.[5]

The Second Circuit, however, has found no standing in a case involving a bare, technical procedural violation. In a 2017 case—still good law in 2020—the Second Circuit held that two plaintiffs lacked standing to bring a claim against a video game developer for the collection of their facial geometry scans, where the developer informed them that their “face scan[s]” were being collected and would be visible to other players.[6] The court noted that the developer’s only departure from BIPA’s requirements was the omission of the term “geometry”; that “[n]o reasonable person” would have believed that the developer “was conducting anything order than [a facial geometry] scan”; and that the plaintiffs had not plausibly asserted that they would have withheld their consent had the term “geometry” been included.[7] The court therefore concluded that plaintiffs had failed to raise a material risk of harm, and lacked standing for the claim.[8]

Second – Section 15(a) claims against a private entity in possession of biometric information that fails to publish a written policy with (1) a schedule for retaining that data, and (2) guidelines for permanently destroying the data. BIPA provides that such data must be destroyed either when the initial purpose for collecting the data has passed, or within three years of the entity’s “last interaction” with the individual, whichever comes first.[9]

A Section 15(a) claim poses even more complex challenges. Early last year, the Ninth Circuit concluded that a plaintiff has standing for such a claim, because the failure to either develop or follow the policy is a violation of the plaintiff’s right to privacy.[10]

The Second and Seventh Circuits, however, have espoused a more nuanced view. In decisions issued in 2017 and May of last year, respectively, both found that a failure to develop and publish a policy does not, in and of itself, give rise to a particularized harm to a plaintiff.[11] That is a bare procedural violation of the sort that Spokeo intended to exclude. But both decisions left open the possibility that a claim that an entity had not followed a policy or failed to destroy a plaintiff’s biometric data within the statutory time period could potentially confer standing.

Last November, the Seventh Circuit again addressed a Section 15(a) claim. There the plaintiff alleged both that her employer failed to publish a policy for the collection of employees’ handprint data and that the employer failed to destroy her handprint data even after she left the company. The court concluded that “[a]n unlawful retention of biometric data inflicts a privacy injury in the same sense that an unlawful collection does.”[12]

Looking Ahead

This year, we anticipate BIPA cases will continue their steady forward advance. If 2020’s growth rates hold, this would project out to 100+ new BIPA rulings and dozens of new filings per month. As cases progress beyond the pleading stage, we expect to see more rulings addressing merits rather than jurisdictional issues. BIPA’s standing-heavy case law poses challenges for businesses and product teams developing new biometric technology innovations. More case law interpreting the substance of BIPA claims in 2021 would provide welcome clarity to the scope of this privacy law. Whatever happens next, 2020 undoubtedly left its imprint—biometric or not—on this emerging and rapidly evolving area of privacy litigation.

[1] See, e.g., Martinez v. Nando’s Rest. Grp. Inc., No. 1:19-cv-07012 (N.D. Ill.); Patel v. Facebook, Inc., No. 3:15-cv-03747 (N.D. Cal.).

[2] 136 S. Ct. 1540 (2016), as revised (May 24, 2016).

[3] 740 Ill. Comp. Stat. § 14/15(b).

[4] Patel v. Facebook, Inc., 932 F.3d 1264, 1274 (9th Cir. 2019), cert. denied, 140 S. Ct. 937 (2020).

[5] Bryant v. Compass Grp. USA, Inc., 958 F.3d 617, 619 (7th Cir. 2020), as amended on denial of reh’g and reh’g en banc, 2020 WL 6534581 (7th Cir. June 30, 2020); Fox v. Dakkota Integrated Sys., LLC, 980 F.3d 1146, 1155–56 (7th Cir. 2020).

[6] Santana v. Take-Two Interactive Software, Inc., 717 F. App’x 12, 15 (2d Cir. 2017).

[7] Id. at 15–16.

[8] Id.

[9] 740 Ill. Comp. Stat. § 14/15(a).

[10] Patel, 932 F.3d at 1274.

[11] Santana, 717 F. App’x at 16; Bryant, 958 F.3d at 626.

[12] Fox, 980 F.3d at 1154.