Lessons learned from recent BIPA third-party vendor decision
By David J. Oberly, Biometric Privacy & Data Privacy Attorney
On the heels of the Illinois Supreme Court’s opinion in Tims v. Black Horse Carriers, Inc. establishing a five-year limitations period for all claims asserted under the Illinois Biometric Information Privacy Act (BIPA), an Illinois federal court recently followed up with yet another plaintiff-friendly BIPA decision, this time on the issue of third-party vendor liability under Illinois’s biometrics statute.
NCR Corporation (NCR) is a hardware, software, and service solutions vendor that sells an all-in-one, biometric-enabled point-of-sale (POS) system capable of both tracking and managing restaurant industry workers’ time and attendance, as well as inputting orders. Two former Illinois Wingstop restaurant workers filed suit against NCR alleging non-compliance with BIPA in connection with their use of the vendor’s POS system while employed by Wingstop. During their tenure, both individuals were required to scan their fingerprints to track their time worked, and to otherwise access the POS terminal.
NCR sought to have the class action dismissed, arguing (among other things) that the former restaurant workers could not establish a cognizable BIPA claim against the company and, in any event, Illinois’s biometrics law did not extend to govern the activities of third-party vendors like itself. The court denied the motion to dismiss in its entirety. In so doing, the court concluded that the plaintiffs’ complaint set forth sufficient allegations to avoid dismissal of their claims asserted under BIPA Sections 15(a), 15(b), and 15(d). More importantly, the court also reaffirmed the consensus view adopted by other federal and state courts in BIPA class actions to date finding the statute to be wholly applicable to biometrics technology providers and other third-party vendors.
The case is Johnson v. NCR Corp., No. 22 CV 3061, 2023 WL 1779774 (N.D. Ill. Feb. 6, 2023).
Analysis and Takeaways
Third-Party Vendors Continue to Face Wide Potential Liability Exposure For BIPA Missteps
While the issue of the applicable statute of limitations for BIPA claims was resolved with the Illinois Supreme Court’s decision in Tims, many other significant aspects of Illinois’s biometrics statute remain uncertain and unsettled at this time. One of the most significant remaining open-ended issues pertains to the applicability of BIPA to third-party vendors and service providers, such as the developers and manufacturers of biometrics technology.
The Johnson court squarely answered that question in the affirmative, holding that BIPA is plainly applicable to vendors and similar entities that do not directly interface with end users. In its decision, the Johnson court reasoned that “BIPA creates a scenario where each entity’s violation gives rise to a claim; a plaintiff does not incur one, indivisible injury (e.g., a broken leg or lost cargo) caused by multiple defendants, but many individual injuries at the hands of many individual defendants who violated BIPA.” Thus, while compliance with BIPA’s requirements may not be as straightforward for a third-party vendor as it would be for a direct employer, BIPA nonetheless did not exempt third-party vendors from compliance.
The reasoning set forth in Johnson comports with that of other courts that have analyzed the issue of third-party vendor/service provider liability. For example, in Ronquillo v. Doctor’s Assocs., LLC, 597 F. Supp. 3d 1227, 1232-33 (N.D. Ill. 2022), the court held that nothing in BIPA’s text supported the argument that the statute’s reach did not extend to third-party technology vendors, and that third-party vendors cannot escape liability under BIPA merely because they do not have a direct relationship with those individuals who use their biometrics systems and solutions. In addition, the Ronquillo court further posited that third-party vendors could comply with BIPA by, for example, requiring the vendor’s employer customers, as a precondition to using the vendor’s biometric devices, to agree to comply with BIPA’s mandates in obtaining and retaining biometric data. Id. at 1233.
Likewise, in Figueroa v. Kronos Inc., 454 F. Supp. 3d 772, 787 (N.D. Ill. 2020), the court held that a third-party vendor could be held liable under BIPA “even if [the alleged] violations occurred simultaneously or through use of the same equipment” as those of the plaintiff’s employer. See also Watson v. Legacy Healthcare Fin. Servs., 2021 IL App (1st) 210279 (each statutory violation gives rise to a BIPA claim against each defendant); Boyd v. Lazer Spot, Inc., No. 19 CV 8173, 2022 WL 2863285, at *1 (N.D. Ill. July 20, 2022) (same); Dixon v. Wash. & Jane Smith Cmty.-Beverly, No. 17 CV 8033, 2018 WL 2445292 (N.D. Ill. May 31, 2018) (same).
Boilerplate Data Retention & Destruction Schedules Likely Fail to Satisfy BIPA Requirements
Another significant takeaway from Johnson pertains to the court’s discussion of the applicable standard for satisfying the written retention schedule component of BIPA Section 15(a).
Here, the court noted in dicta that the vendor’s statement contained in its privacy policy that it keeps biometric data “only for so long as it is necessary to support the overall purpose(s) for which NCR collected such information” did not constitute a written retention schedule that complied with Section 15(a). This observation is similar to the one made in Karling v. Samsara Inc., No. 22 CV 295, 2022 WL 2663513, at *5 (N.D. Ill. July 11, 2022), in which the court also noted in dicta that language stating that a company “keeps facial recognition information for a customer no longer than is necessary to provide its Camera ID service to that customer” also failed to satisfy Section 15(a)’s written retention schedule requirements.
Taken together, vendors (as well as all other organizations that are required to comply with BIPA) should take note of the guidance offered by the Johnson and Karling courts on the sufficiency of biometric data retention schedules. Specifically, vendors and other private entities should avoid using boilerplate “for no longer than is necessary” language and, instead, clearly and unambiguously describe the event-based trigger(s) — such as the closing of an account or the expiration of a contract — that will prompt the immediate and permanent destruction of an individual’s biometric data.
Allegations (Not Facts) Matter
Lastly, Johnson serves as a cautionary tale regarding the crosshairs companies put themselves in by taking the position that they do not “collect” or “possess” biometric data or, alternatively, that certain data is not governed by BIPA because it does not meet the definition of a “biometric identifier” or “biometric information.”
In Johnson, the court flatly rejected the argument that dismissal of the vendor was appropriate because the plaintiffs’ complaint only suggested that their employer, and not the vendor, collected and possessed biometric data. The court reasoned that the complaint’s allegations discussing the defendant’s role relative to the plaintiffs’ biometric information — by themselves — were sufficient for the plaintiffs to avoid dismissal of their BIPA claims.
More than that, the court also highlighted the fact that it was “leav[ing] the question of whether Plaintiffs will actually be able to prove NCR’s role in collecting and obtaining their biometric information for another day.” Johnson, 2023 WL 1779775, at *4. Similarly, in Smith v. Signature Sys., Inc., No. 21 CV 2025, 2022 WL 595707, at *5 (N.D. Ill. Feb. 28, 2022), the court noted that “[w]hile a defendant ‘may ultimately prevail’ through discovery or trial on the point that it is the employer, not the defendant, that stores users’ biometric information on their own systems and servers, the plaintiff ‘is not required to prove the merits of his claims at the pleadings stage.’”
Johnson and Smith demonstrate the significant complexities and difficulties in procuring early dismissals from BIPA class actions at the pleading stage, as courts will typically base their rulings on motions to dismiss solely on the allegations contained in the complaint, while refusing to give any consideration to the actual factual circumstances underlying a vendor’s technology or its role in collecting and/or possessing biometric data. Further, courts have maintained a consistent track record in BIPA disputes to date of setting an extremely low bar for the specificity of allegations needed to avoid dismissal for failure to state a claim—dismissing only those complaints that contain the most cursory of allegations.
As such, even where certain arguments may exist for a vendor that BIPA does not govern its biometrics-related activities, to avoid the significant risks that accompany a strategy of this nature, vendors should consider taking a more conservative approach to compliance—one that ensures all applicable BIPA requirements are satisfied—even where it is not definitively clear that the company’s biometric system/solution falls under the scope of Illinois’s biometrics statute.
What to Do Now
Johnson illustrates the outsized BIPA class action liability risks that third-party biometrics vendors face at this time — risks that are on par with those entities that maintain a direct relationship with biometric data subjects. As such, vendors must address and fully mitigate these potential pitfalls if they have not done so already.
Specifically, vendors should ensure they maintain flexible, comprehensive biometric privacy compliance programs, which should include (among other things) the following:
- a publicly-available, biometrics-specific privacy policy;
- set data retention and destruction guidelines and schedules containing a clear and unambiguous description of the event trigger(s) that will prompt the immediate and permanent destruction of an individual’s biometric data;
- a mechanism for ensuring written notice is supplied to all data subjects before the time biometric data is collected; and
- a separate mechanism for ensuring written consent is obtained allowing the vendor to collect, possess, retain, store, and disseminate biometric data before the time any such data is obtained.
In addition, vendors should ensure that all contractual agreements entered into with customers contain language regarding the use of biometric data that properly allocates the parties’ responsibilities under BIPA and similar biometrics statutes, and which otherwise mitigates applicable legal risks and liability exposure to the greatest extent possible.
About the Author
David J. Oberly is an attorney in the Cincinnati office of Squire Patton Boggs LLP and a member of the firm’s global Data Privacy, Cybersecurity & Digital Assets practice. David’s practice focuses on counseling and advising clients on a wide range of biometric privacy, artificial intelligence, and data privacy/security compliance and risk management matters. He can be reached at david.oberly@squirepb.com. You can also follow David on Twitter at @DavidJOberly.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.