Analyzing BIPA’s newest class action trend: Targeting the use of voice-powered technologies
By David J. Oberly, Biometric Privacy & Data Privacy Attorney
For the better part of 2020, class action lawsuits filed under the Illinois Biometric Information Privacy Act (“BIPA”) focused on the use of fingerprint biometrics for employer time and attendance purposes. As many anticipated, in 2021 a much broader range of biometric technologies have been targeted for BIPA class actions as compared to the prior year.
The first major new wave of BIPA suits in 2021 has focused on the use of facial recognition in connection with virtual try-on technology, which has become extremely popular with online retailers as a result of the Covid-19 pandemic.
Now, companies are in the midst of a second wave of new BIPA filings, this time focused on the use of voice-powered technology. This newest trend in BIPA litigation provides several important takeaways for entities that collect and use voice data in their operations and that are now for the first time finding themselves in the crosshairs of biometric privacy class actions.
BIPA’s application to voice-powered technologies
BIPA regulates the collection, use, and storage of “biometric identifiers,” which includes—among other things—“voiceprints.” However, the term “voiceprint” is not defined in Illinois’ biometric privacy statute. “Voiceprint” is generally defined as a distinctive pattern of curved lines and whorls made by a machine that measures human vocal sounds for the purpose of identifying an individual speaker. It is this hallmark of identifying (or verifying) the identity of an individual that makes voice data a “voiceprint” under BIPA. In this respect, courts have noted that voice biometrics, also known as voiceprinting, is the use of biological characteristics—one’s voice—to verify an individual’s identity.
Thus, a critical distinction exists between general voice data, which is not covered by BIPA, and voiceprints, which fall under the scope of Illinois’ biometric privacy statute—with the important dividing line being the identifying quality of the data. Fortunately, courts have recognized this distinction in BIPA litigation, noting the difference between the mere capture of voice data and an actual “voiceprint.” Specifically, courts have noted that if an entity simply captures a person’s voice without generating a voiceprint for the specific purpose of identifying or verifying the identity of an individual, then there is no violation of BIPA.
Application to today’s current wave of BIPA voice data class action lawsuits
As discussed above, BIPA applies only to the use of true voice biometrics—which involves the creation and use of voiceprints for the purpose of identifying or verifying the identity of individuals. In many instances, however, companies that are targeted with BIPA class action lawsuits over their connection to voice data merely offer or utilize technology that—at the most—recognizes an individual’s voice so that it can respond to that voice’s commands. Here, such technology does not function to identify or verify an individual’s identity. In such instances, the technology at issue falls outside the scope of BIPA and, in turn, an actionable claim under Illinois’ biometric privacy statute cannot be established against the target defendant.
Takeaways from recent class actions filed in connection with voice-powered technologies
Despite the fact that BIPA only regulates the collection and use of voiceprints, many companies that merely use voice data for purposes other than identifying or verifying individuals’ identities are still finding themselves being targeted with BIPA class action complaints. The recent wave of BIPA filings against companies that utilize more basic voice data—as opposed to voiceprints—provides several key takeaways for entities that currently use (or are contemplating the use of) voice-based services as part of their product offerings or their day-to-day business activities.
Minimizing potential BIPA liability exposure
First, these suits illustrate that despite falling completely outside the scope of BIPA, entities that offer voice-powered applications or products, as well as those that use voice-powered solutions in their operations, may still nonetheless be targeted with class action suits alleging violations of Illinois’ biometric privacy law due to the mere fact that they collect and/or use voice data. Thus, even where compliance is not required, companies that are involved with voice data should not operate under the assumption that no possibility exists of being named as a defendant in a BIPA complaint—as the recent suits targeting voice data shows that a reasonable likelihood exists of being ensnared in a BIPA class action—even where the technology at issue clearly falls outside the scope of BIPA.
There are, however, several action steps that companies can take to signal to plaintiff’s attorneys that filing suit against the business would be a futile endeavor—thus minimizing the likelihood of being targeted as a defendant in a BIPA suit.
First, and most importantly, companies that do not use voice biometrics should make that fact crystal clear on their public-facing webpages. Companies can do so by clearly explaining how the technology at issue works and, more importantly, how it does not: (1) use any form of voice biometrics; (2) create or use any type of voiceprint; or (3) identify or verify the identity of individuals.
Second, companies can consider satisfying the requirements of BIPA to the greatest extent possible where it is feasible and nor burdensome for the business to do so.
Third, the inclusion of a strong arbitration agreement and class action waiver in the company’s online terms and conditions is another strategy that can be utilized to further disincentivize enterprising plaintiff’s attorneys from targeting the entity for purported BIPA violations. Importantly, most plaintiff’s attorneys will turn their attention to other, more vulnerable targets when they learn they will likely be forced to arbitrate a BIPA suit if an entity is pursued for purported BIPA violations with the filing of a class action complaint, as the prospect of arbitration drastically reduces the likelihood of a large payday for counsel—which can only come about through a class-wide settlement.
Pursue dismissal of meritless class actions through early motion practice
In the event a company finds itself named as a defendant in a BIPA class action, the business and its biometric privacy counsel should thoroughly review the underlying technology that is the focus of the lawsuit to determine whether it falls under the purview of Illinois’ biometric privacy statute.
If it does not, the first, immediate course of action that should be taken by the company’s biometric privacy legal team is to reach out to opposing counsel to inform them that the target defendant’s technology falls outside the scope of Illinois’ biometric privacy law. At the same time, defense counsel should also impress on opposing counsel the necessity of dismissing the suit to the categorical inability to establish liability against the defendant in connection with its use of voice data, which does not involve the collection or possession of voiceprints. This is often an effective strategy that can achieve the desired end result of obtaining a dismissal from the litigation in a much more efficient and cost-effective manner vis-à-vis simply charging full steam ahead with motion practice right out of the gate after suit is filed.
In the event this informal approach does not facilitate a dismissal of the action, if it has not already done so, the defendant should immediately remove the suit to federal court. While removal does not change the substantive law to be applied, defendants nonetheless benefit from litigating BIPA disputes in federal court, which is generally a less plaintiff-friendly venue than most state courts.
Once removal is complete, the defendant should promptly proceed with the filing of a dispositive motion to secure a definitive dismissal of the complaint in its entirety. Based on the specific facts alleged in the complaint, a defendant will most likely first have an opportunity to file a Rule 12(b)(6) motion to dismiss, at which time several defenses can be raised to dispose of the complaint, such as the failure to satisfy the federal pleading standards of Civil Rules 8(a) and 12(b)(6), personal jurisdiction, extraterritoriality, as well as several other fact-specific defenses, many of which will dispose of the matter in its entirety if successful.
In the event one or more of the plaintiff’s claims survives a Rule 12(b)(6) motion, the defendant and its counsel should then proceed with the filing of a motion for judgment on the pleadings to assert its strongest defense—that the plaintiff is precluded from establishing liability under BIPA due to the absence of any “collection” or “possession” of biometric identifiers or biometric information—namely, voiceprints—by the defendant in connection with the use of its voice-powered technology.
It should be noted that this particular defense cannot be asserted in a Rule 12(b)(6) motion due to the need for a supporting affidavit or declaration establishing that the defendant’s technology does not involve voice biometrics—which goes beyond the four corners of the complaint. In this regard, the only documents that can be attached to a motion to dismiss are limited to those that are referenced in the plaintiff’s complaint and are central to the plaintiff’s claim; however, a motion for judgment on the pleadings expressly permits the use of supporting affidavit and declaration evidence.
If successful, the defendant’s motion for judgment on the pleadings would also require dismissal of the plaintiff’s complaint with prejudice and, in turn, would dispose of the litigation in its entirety.
As many expected, BIPA litigation in 2021 has seen a marked broadening of the scope of technologies targeted for purported violations of Illinois biometric privacy law. As the recent wave of BIPA suits focused on voice-powered technology demonstrates, entities that utilize voice data but do not create or use voiceprints may be hit with BIPA class action litigation, even when it is clear that liability cannot be established against the target defendant.
Proactive measures, including BIPA compliance where feasible, can significantly reduce the likelihood that those companies that use voice data—but not voiceprints—will be hauled into court for allegedly running afoul of Illinois’ strict biometric privacy regulation.
And in the event a business that does not use voice biometrics is named in a BIPA class action suit, many defenses—including the lack of collection or possession of voiceprints—should be available to allow the defendant to extricate itself from the class litigation in an expeditious fashion soon after suit is filed.
About the author
David J. Oberly is an attorney in the Cincinnati office of Squire Patton Boggs LLP and is a member of the firm’s global Data Privacy, Cybersecurity, and Digital Assets Practice. David serves as the go-to legal advisor for companies that utilize biometrics in their operations—counseling clients on the full range of legal and regulatory compliance obligations applicable today and helping companies navigate the ever-evolving biometric privacy legal landscape to ensure compliance and mitigate risk. David also has extensive experience and expertise in defending companies across all industries in high-stakes, high-exposure biometric privacy class action litigation—and BIPA class actions in particular. In addition, David also advises companies on a broad range of other privacy, security, and data protection issues that arise while operating in today’s highly-digital world. He can be reached at firstname.lastname@example.org.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.