Growing clarity in Illinois’ biometric privacy law shows possible defenses for third-party vendors
Suits brought under Illinois’ Biometric Information Privacy Act (BIPA) against biometrics providers as third-party vendors face hurdles that have only increased with a pair of recent decisions relating to jurisdiction and standing, according to an expert analysis for Law360 by attorneys from Porter Wright Morris & Arthur LLP.
Karen M. Borg and Al Fowerbaugh write that the difference in standing between state and federal court, with the latter requiring an injury, where the former can proceed based on a procedural violation, creates a barrier for plaintiffs to make claims against third parties under BIPA’s Section 15(a), which requires publicly available policies for the retention and destruction of biometric data.
A lack of connections between biometric providers and the state of Illinois can also place biometrics providers outside of state or federal court jurisdiction for BIPA violations. Vendors only fall within the jurisdiction of BIPA if they have continuous and systematic contacts with Illinois (general jurisdiction), or if the claim is related to direct contacts with Illinois (specific jurisdiction). In a dismissed case against Lathem Time, neither was found to apply.
Illinois law also does not apply to actions taken outside of the state unless the specific statute in question says so, which BIPA does not, providing out-of-state vendors with another possible defense.
Instagram, White Castle and Little Caesars each lose bids to dismiss suits
Instagram has been accused of the same kind of biometric privacy violation under Illinois law that has led Facebook to attempt a $650 million settlement, BNN Bloomberg reports.
Instagram collects, stores, and profits from the facial biometric data of its 100 million users, including those in Illinois, without their knowledge or consent, in violation of the Biometric Information Privacy Act (BIPA), according to the allegations. The suit Whalen v. Facebook was filed in California state court, and states that the company began notifying Instagram users that it was collecting biometric data at the beginning of 2020, but had done so previously.
White Castle has been stymied in another attempt to have a BIPA suit brought against it by a former manager thrown out, as a federal judge rejected the chain’s argument that all of the plaintiff’s claims exceeded the statute of limitations because the alleged practice started too long ago, according to a separate Law360 article.
The burger chain had argued that interpreting the Act as applying the statute of limitations anew to each alleged violation is absurd, and would lead to crippling damages, but Judge John J. Tharp Jr. denied this, and criticized the company for not offering an alternative interpretation. He also noted the possibility that White Castle will appeal the decision.
The suit was brought in 2018 in response to a practice of requiring biometric verification for access to pay stubs, which White Castle put in place in 2007. The number of timely alleged violations is set to be determined at a future hearing. The manager, Latrina Cothron, signed a consent form in 2018, but White Castle’s argument that by doing so Cothron waived her right to action under BIPA, and was instead governed by the Illinois Workers’ Compensation Act, was rejected in June.
A suit against Little Caesar Enterprises will likewise go forward after a federal court judge ruled that the consent provided by two former employees after their biometrics were already collected does not apply to the collection retroactively, Bloomberg Law writes.
The chain made an argument last year similar to one put forward by White Castle, which was also rejected.