Privacy Litigation 2021 Year in Review: Biometric Information Privacy Act (BIPA)

Introduction

Illinois’s Biometric Information Privacy Act (BIPA) litigation had an active year in 2021. Defendants facing BIPA related lawsuits have ranged from restaurant franchises, nursing homes, and retailers to third parties retained by employers to scan data. Many of the year’s decisions arguably narrow the scope of certain BIPA claims, but that doesn’t mean we will see less litigation related to biometric information—especially given that other states are considering enacting their own laws regulating biometric information.[1]

BIPA by the Numbers

In 2021, at least 74 published court rulings referenced BIPA, outpacing the 62 rulings in 2020. The Court of Appeals for the Seventh Circuit weighed in on contested issues four times, with Illinois state appellate courts adding another two published decisions. Although most federal opinions were issued out of Illinois courts, six opinions hailed from California courts, four from Washington, and one each from Delaware and North Carolina.

Settlement activity saw an uptick in 2021. Final classwide settlement deals were approved in the range of about $1.6 million to $10 million.[2] Numerous other settlements were announced, but have not yet been finalized, including a settlement for $92 million.[3]

BIPA: Getting Past the Threshold

In 2021, significant BIPA litigation largely focused on: (1) statutes of limitations, (2) accruals of claims, and (3) standing issues.

Statutes of Limitations

Because BIPA itself does not expressly prescribe a limitations period, this issue has been extensively litigated. Recently, in Tims v. Black Horse Carriers, the Illinois Appellate Court for the First District addressed this issue. The case involved a former employee who alleged their employer scanned and has continued to scan employees via fingerprint scanning for timekeeping purposes.[4] The Court ultimately held that claims brought under Sections 15(c) and (d) are subject to the one-year statute of limitations, but all other BIPA claims, under Sections 15(a), (b), and (e), are subject to the state’s five-year catch-all limitations period.[5]

The court held that, in Illinois, “[a]ctions for slander, libel or for publication of matter violating the right of privacy, shall be commenced within one year after the cause of action accrued,”[6] and all other civil actions not otherwise governed by Section 13-205 are subject to a five-year limitations period.[7] The court thus focused heavily on whether publication was an element of the BIPA claim.[8] Applying this analysis, the court found that Sections 15(a) (regarding a written policy with a retention schedule and guidelines for permanently destroying biometric data), 15(b) (regarding a written notice and release when collecting and obtaining biometric data), and 15(e) (regarding reasonable care in storing, transmitting, and protecting biometric data) did not require allegations or proof that the biometric data was published, and thus were subject to Section 13-205’s five-year catch-all provision.

On the other hand, the court held that Sections 15(c) (regarding selling, leasing, trading, or otherwise profiting from biometric data) and 15(d) (regarding disclosure, or otherwise disseminating such data “absent prerequisites such as consent or a court order”) both related to publication or disclosure of biometric data.[9] The Tims court thus held that Sections 15(c) and 15(d) are subject to a one-year limitations period.

This same issue is currently under consideration in the Illinois Appellate Court for the Third District.[10] It remains unclear whether a circuit split will develop in the Illinois Appellate Courts. In the meantime, we can expect this issue to continue to be hotly contested.

Accruals of Claims

A case to watch is Cothron v. White Castle Systems Inc., in which the Seventh Circuit recently certified plaintiff’s request to have the Illinois Supreme Court decide whether conduct that is allegedly repeated against the same person gives rise to a single claim or multiple claims under Sections 15(b) and 15(d).[11] The court did not consider the plaintiff’s Section 15(a) claims based on a lack of standing.[12] In light of the potentially significant impact of the issue certified in Cothron, a number of courts have stayed proceedings pending a decision by the Seventh Circuit on this key issue.[13]

Cothron involves a suit by a former employee against an employer. The plaintiff alleges that the employer required employees to use their fingerprints to access work computers and their paystubs in violation of BIPA.[14] According to the plaintiff, their employer collected this data without employee consent and disclosed their data to third-party vendors, which used each employee fingerprint scan to authenticate the employee’s identity.[15] The employer moved for summary judgment arguing that the claim accrued the first time Cothron scanned her fingerprint...more than a decade before she sued,” thus making the claim untimely under the applicable statute of limitations.[16] The plaintiff, on the other hand, argued that every fingerprint scan was a “distinct and separately actionable section 15(b) violation and that each transmission of her fingerprint likewise amounted to a distinct and separately actionable section 15(d) violation,” and thus her claim came within the limitations period.[17] As highlighted by Cothron, how claims are accrued can significantly impact the potential exposure in BIPA cases. In particular, the Cothron court noted that the plaintiff’s “interpretation could yield staggering damages awards…[i]f a new claim accrues with each scan…violators face potentially crippling financial liability,” in addition to the impact it would have on the statute of limitations analysis.[18]

Standing Issues

Similar to 2020, standing questions continued to drive significant litigation in 2021.[19] In particular, courts have closely analyzed the specific allegations and claims asserted by a plaintiff to evaluate standing.

Last year, the court in Fox v. Dakkota Integrated Sys., LLC distinguished between a Section 15(a) claim that alleges “a mere procedural failure to publicly disclose a data-retention policy” and one that alleges a violation of “the full panoply of [] Section 15(a) duties—the duties to develop, publicly disclose, and comply with data retention and destruction policies.”[20] It held that there is no standing for the former, because the duty to disclose a data retention policy “is owed to the public generally,” but there may be standing for the latter, because “[a]n unlawful retention of biometric data inflicts a privacy injury in the same sense that an unlawful collection does.”[21]

In addition, in Thornley v. Clearview AI, Inc., the plaintiff alleged that the defendant’s collection and sale of biometric data violated Section 15(c), but specifically sought to represent a class of persons who “suffered no injury” from the violation.[22] Applying “the rule that the plaintiff controls her own case,”[23] the court held that there was no standing for the claim articulated by the plaintiff and affirmed the district court’s remand of the case to state court.[24]

Courts have thus applied standing principles on a section-by-section, claim-by-claim basis, which has required careful analysis of the specific allegations and claims at issue. In some cases, where BIPA cases have been removed to federal court, plaintiffs have argued that the federal court should split BIPA claims and remand the claims that are based on subsections for which plaintiff cannot establish Article III standing.

Looking Ahead

2020 and 2021 were foundational years in clarifying threshold issues for asserting a BIPA claim. Given the continuing risk of potentially significant exposure arising from BIPA claims, we can expect more litigation (and appeals) in 2022. In particular, given that standing decisions have arguably resulted in less clarity and may lead to more inefficiencies in resolving BIPA actions, standing and other threshold issues will continue to be debated in 2022.

[1] See, e.g., Massachusetts Information Privacy Act, S.46, 192d Cong. (2021), https://malegislature.gov/Bills/192/S46; Massachusetts Information Privacy Act, H.142, 192d Cong. (2021), https://malegislature.gov/Bills/192/H142.

[2] See Robin Rapai, et al. v. Hyatt Corp., No. 17-CH-14483 (Ill. Ct. Cl. Filed Oct. 30, 2017); Roach v. Walmart, Inc., Case No. 2019-CH-01107 (Ill. Ct. Cl. Filed Jan. 18, 2019).

[3] In re: TikTok Inc. Consumer Privacy Litig., No. 1:20-cv-04699 (E. Dist. Ill. Filed Sept. 30, 2021).

[4] Tims v. Black Horse Carriers Inc., 2021 IL App (1st) 200563, ¶ 5.

[5] Id.

[6] See 735 Ill. Comp. Stat. Ann. 5/13-201 (emphasis added).

[7] See 735 Ill. Comp. Stat. Ann. 5/13-205 (“…[A]ll civil actions not otherwise provided for [] shall be commenced within 5 years next after the cause of action accrued.”).

[8] Tims, 2021 IL App (1st) 200563, ¶ 29.

[9]Id. at ¶ 32.

[10] Marion v. Ring Container Techs., LLC, No. 3-20-0184 (Ill. App. Ct., 3d Dist.).

[11] Cothron v. White Castle Sys., Inc., No. 20-3202, 2021 WL 5998537, at 1 (7th Cir. Dec. 20, 2021).

[12] Cothron v. White Castle Sys., Inc., 477 F. Supp. 3d 723, 727 n. 1 (N.D. Ill. 2020).

[13] See, e.g., Nivea Lenoir v. Little Caesar Enterprises Inc., No. 1:19-cv-01575; Fluery v. Union Pac. R.R. Co., No. 1:20-cv-00390.

[14] Cothron, 2021 WL 5998537 at 1.

[15] Id.

[16] Id.

[17] Id. at 4.

[18] Id. at 7.

[19] See, e.g., Rosenbach v. Six Flags Entm’t Corp., 129 N.E.3d 1197 (Ill. 2019) (finding that a statutory violation is sufficient to establish a statutory cause of action).

[20] Fox v. Dakkota Integrated Sys., LLC, 980 F.3d 1146, 1155–56 (7th Cir. 2020) (emphasis in original).

[21] Id. at 1155.

[22] Thornley v. Clearview AI, Inc., 984 F.3d 1241, 1246 (7th Cir. 2021).

[23] Id. at 1248.

[24] Id. at 1249.