Designing a defense: strategies for defending against an Illinois biometric class action

This is a guest post by Ana Tagvoryan, Jeffrey N. Rosenthal and David J. Oberly, attorneys at Blank Rome LLP.

This is the second article in a two-part series examining Illinois’ Biometric Information Privacy Act (BIPA) and the flood of class action lawsuits alleging violations of Illinois’ biometric privacy law. The first article explained BIPA’s legal requirements and the impact of the Illinois Supreme Court’s January 2019 Rosenbach v. Six Flags Entertainment Corp. decision, which opened the floodgates for individuals to sue businesses utilizing biometric data for mere technical or procedural violations of the law. This article provides tips and strategies for corporate defendants to defend against BIPA class action suits.

While there are a range of applicable defenses to BIPA claims, the following are some of the more robust potential strategies to halt BIPA claims in their tracks, or, at a minimum, limit the amount of damages.

Lack of Article III standing in Federal Court.

One potential defense available to defendants in federal BIPA litigation is Article III standing. To establish Article III standing, a plaintiff must show, among other things, a cognizable injury-in-fact. Thus, a plaintiff must show he or she suffered “an invasion of a legally protected interest” that is “concrete and particularized” and “actual and imminent, not conjectural or hypothetical.” To be “concrete,” an injury “must be ‘de facto’; that is, it must actually exist.” Significantly, in Spokeo v. Robins, 136 S. Ct. 1540 (2016), the U.S. Supreme Court held standing requires a concrete and particularized injury, even in the context of a statutory violation.

In BIPA class action litigation, plaintiffs often allege mere technical violations of the law without any real-world, actual damages. When such bare procedural violations are alleged, defendants can attack BIPA class lawsuits at the pleading stage by arguing a district court lacks subject matter jurisdiction over the case because plaintiffs cannot demonstrate they suffered “concrete injuries” sufficient to satisfy Article III standing. For example, in Rivera v. Google, Inc., No. 16-C-02714 (N.D. Ill. Dec. 29, 2018), the U.S. District Court for the Northern District of Illinois dismissed a BIPA lawsuit against Google pertaining to the company’s photo app technology based on an absence of any “concrete injury” suffered by the plaintiffs sufficient to confer Article III standing in connection with Google’s alleged technical violations of the law. Likewise, in Santana v. Take-Two Interactive, 717 Fed. App’x 12 (2d Cir. 2017), the Second Circuit Court of Appeals held that NBA 2K players lacked standing to pursue BIPA claims because they suffered no actual injury or harm by the video game’s collection and retention of their face scans.

However, litigants must be careful to avoid using this tactic in actions originating in state court, which are then subsequently removed to federal court. In several recent cases, federal courts have remanded suits back to state court where the defendant challenged standing under Spokeo after removing the case from state court to federal court. Here, courts are concerned with defendants taking inconsistent positions: on the one hand arguing in favor of federal jurisdiction, while on the other positing plaintiffs do not have standing to pursue their claims in federal court. Thus, BIPA defendants would be wise to exercise caution to only use a Spokeo standing defense in suits originating in federal court. Even then, a plaintiff may still refile a lawsuit in state court after dismissal in federal court.

Lack of personal jurisdiction.

Second, personal jurisdiction arguments can also be raised at the pleading stage to obtain an early dismissal.

For personal jurisdiction to exist, there must be either “general” or “specific” jurisdiction over the defendant. With respect to general personal jurisdiction, in Daimler AG v. Bauman, 134 S.Ct. 746 (2014), the U.S. Supreme Court clarified that, absent exceptional circumstances, a corporation is only subject to general personal jurisdiction where its “affiliations with the state [] are so ‘continuous and systematic’ as to render them essentially at home in the forum state.” To date, the Court has identified only two places where that condition will be met: the state of the corporation’s principal place of business, and the state of its incorporation. As such, a BIPA defendant would not be subject to general personal jurisdiction where they are not “at home” in Illinois—i.e., where Illinois is not the defendant’s principal place of business or its state of incorporation.

As to specific personal jurisdiction, in Bristol-Myers Squibb Co. v. Superior Court of California, San Francisco County, 137 S.Ct. 1773 (2017), the U.S. Supreme Court held “[i]n order for a state court to exercise specific jurisdiction, ‘the suit’ must arise out of or relate to the defendants’ contacts with the forum.” “In other words, there must be ‘an affiliation between the forum and the underlying controversy, principally, an activity or an occurrence that takes place in the forum State and is therefore subject to the State’s regulation.’”

Applied to BIPA litigation, defendants can establish a lack of specific jurisdiction by demonstrating the absence of any forum-related activities that caused plaintiffs harm for which the defendant is responsible. Here, defendants should aim to show plaintiffs’ claims do not arise out of, and are not related to, the defendant’s contacts with Illinois—i.e., that all the defendant’s biometric-related activities took place beyond the state’s borders.

For example, in Gullen v. Facebook.com, Inc., No. 15 C 7681 (N.D. Ill. Jan. 21, 2016), a BIPA action involving a suit by an Illinois resident against Facebook was dismissed based on a lack of personal jurisdiction where Facebook was neither incorporated nor had its principal place of business in Illinois, and where the court further concluded that specific jurisdiction did not exist because Facebook did not target its biometric collection activities at Illinois residents. Importantly, in reaching this conclusion the court noted that the mere fact that Facebook’s site was accessible to Illinois residents did not confer specific jurisdiction over the social media company. Moreover, the Gullen decision illustrates the significant point that the focus of the personal jurisdiction analysis is on the defendant, not the plaintiff(s). Thus, even in cases involving plaintiffs who are Illinois residents, defendants can still defeat BIPA suits where the defendant is neither incorporated in Illinois nor has its principal place of business there, and the defendant can demonstrate that it did not purposefully direct its biometric practices specifically at Illinois residents.

Combined—as the Gullen decision illustrates—if defendants can establish the lack of both general and specific personal jurisdiction, they can then seek to obtain an early dismissal from BIPA litigation.


Extraterritoriality.

A third potential defense relates to extraterritoriality. Illinois has a long-standing rule of construction that a statute is without extraterritorial effect unless a clear intent appears from the express provisions of the statute. Importantly, nothing in the BIPA provides for such intent. Thus, to be actionable, a BIPA violation must take place within the borders of Illinois, as the BIPA does not apply extraterritorially.

Under Illinois law, the test for extraterritoriality is whether “the circumstances relating to the challenged conduct [did or] did not occur ‘primarily and substantially within’ Illinois.” In other words, “the majority of circumstances relating to the alleged violation of the [statute]” must have occurred in the state. Significantly, a lawsuit will fail this test if a “necessary element of liability did not take place in Illinois.”

In the context of BIPA litigation, many companies faced with BIPA actions are incorporated outside of Illinois (principally, Delaware), and are headquartered outside the state as well. In addition, the biometric-related actions taken by a defendant—for example, the actual scan of a plaintiff’s face geometry—also commonly take place outside Illinois. Similarly, the storage of biometric data routinely occurs outside of Illinois. As the district court noted in Monroy v. Shutterfly, Inc., No. 1:16-cv-10984 (N.D. Ill. Sept. 15, 2017), all these issues are significant factors that could establish a valid extraterritoriality argument. Thus, if users’ biometric information was collected and then stored outside Illinois, and all the relevant activities took place outside of Illinois, a defendant may have a potentially viable extraterritoriality defense to a BIPA suit.

Statute of limitations.

Finally, the statute of limitations can also be raised as a potential defense.

BIPA does not provide a specific limitations period. In the absence of any express statute of limitations, Illinois courts look to existing Illinois limitations periods and apply the most specific one. Accordingly, an argument can be made in favor of imposing a one-year limitations period set forth for privacy claims under 735 ILCS 5/13-201, which pertains to actions for “slander, libel, or for the publication of matter violating the right of privacy.” Importantly, in Patel v. Facebook, Inc., No. 18-15982 (9th Cir. Aug. 8, 2019), the Ninth Circuit Court of Appeals held that a BIPA violation is analogous to an invasion of privacy, which provides strong support for the argument that 735 ILCS 5/13-201’s tight one-year statute of limitations period should be applied to BIPA causes of action.

Alternatively, even if Section 13-201’s one-year limitations period was inapplicable, at most, BIPA claims should be subject to a two-year limitations period under 735 ILCS 5/13-202, which applies to claims for statutory penalties and personal injuries. A statute is remedial where it imposes liability only when actual damage results from a violation, and where liability is contingent upon damage being proven by the plaintiff; whereas a statute is properly characterized as penal when it imposes automatic liability and sets forth a predetermined amount of damages regardless of actual damages. Here, BIPA is a statutory penalty statute, as the Illinois Supreme Court in Rosenbach plainly held that an individual need not allege any actual injury beyond a violation of his or her rights to seek damages. As the clear majority of plaintiffs in BIPA litigation do not plead or seek actual damages, but rather, liquidated damages in the form of the BIPA’s $1,000 and $5,000 statutory damages figures, most—if not all—BIPA actions will assert statutory penalty claims that should be subject to a two-year statute of limitations.

By successfully arguing for a limited one (or even two) year limitations period, BIPA defendants can reduce the size of a proposed class as well as the potential amount of damages.

The final word.

Following Rosenbach, companies that collect and use biometric data can expect a flurry of BIPA class action lawsuits for the foreseeable future. While Rosenbach greatly increased the scope of potential exposure, several potentially applicable, robust BIPA defenses exist that can be deployed in certain circumstances to defeat, or limit, a broad assortment of BIPA actions. As such, BIPA defendants and their legal counsel are well advised to add the above defenses to their litigation toolbelt and should contact experienced counsel about utilizing these potentially game-changing defenses whenever possible.

About the authors

Ana Tagvoryan is a partner at Blank Rome LLP and serves as chair of the Firm’s Privacy Class Action Defense group and vice chair of the Corporate Litigation group. Jeffrey N. Rosenthal is a partner at Blank Rome LLP. He concentrates his complex corporate litigation practice on consumer and privacy class action defense, and regularly publishes and presents on class action trends, attorney ethics and social media law. David J. Oberly is an associate at Blank Rome LLP and is also a member of the Firm’s Cybersecurity & Data Privacy group.

DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.
