Key takeaways from recent BIPA biometric technology vendor decision
Despite the lack of a direct relationship with end users of their technology—making compliance obligations such as providing notice and obtaining consent particularly challenging—the majority of courts to date have held that the Illinois Biometric Information Privacy Act (BIPA) extends to biometric technology vendors, mandating full compliance with Illinois’s biometric privacy statute.
Recently, a Washington federal court rejected a facial recognition identity verification vendor’s bid for dismissal of a BIPA class action in Rivera v. Amazon Web Servs., Inc., No. 22 CV 269, 2023 WL 4761481 (W.D. Wash. July 26, 2023). The Rivera decision illustrates the wide scope of liability exposure faced by vendors for alleged BIPA non-compliance. More than that, the opinion provides several key takeaways that vendors should consider to minimize the legal risks associated with purported BIPA violations.
The Rivera decision
Amazon offers a facial biometrics product, Rekognition, that allows customers to add facial recognition analysis to their applications, products, and services. Among Amazon’s many customers is a company that licenses its online remote test proctoring software for use by students and educational facilities. Two students who took multiple remote tests with the proctoring company’s technology featuring Rekognition filed suit against Amazon, alleging non-compliance with BIPA Sections 15(a) and 15(b).
Amazon moved for dismissal of the class action. The court, however, denied the defendant’s motion to dismiss in its entirety. In so doing, the court concluded that:
- the plaintiffs’ complaint set forth sufficient allegations of “possession” and “collection” on the part of Amazon to avoid dismissal of their Section 15(a) and 15(b) claims for failure to state a claim;
- BIPA extends to govern biometric technology providers and other third-party vendors;
- Amazon’s “attempted compliance” defense—in which the company contended it could not be held liable because it had done everything it could possibly do to comply with BIPA—lacked merit; and
- Amazon’s Section 25(c) financial institution/GLBA exemption argument failed, as the court was unable to determine at the pleading stage whether allowing the plaintiffs’ claims to proceed would impermissibly apply BIPA’s requirements to the colleges in violation of Section 25(c).
Practical takeaways for biometric technology vendors
Continued Trend of Wide Liability Exposure for Biometrics Vendors
The first notable takeaway of the Rivera decision is the court’s rejection of the argument that BIPA should not extend to govern the collection and use of biometric data by vendors that serve solely in a back-end, service provider capacity and have no direct relationship with end users/data subjects.
With respect to the Rivera plaintiffs’ Section 15(b) claim in particular (Section 15(b) requires companies that “collect” biometric data to provide notice and obtain consent), the court rejected Amazon’s reliance on Zellmer v. Facebook, Inc., No. 18 CV 1880, 2022 WL 976981 (N.D. Cal. Mar. 31, 2022), where the court dismissed a BIPA Section 15(b) claim brought by non-users of Facebook. In Zellmer, the court found that it would be “patently unreasonable to construe BIPA to mean that” companies are “required to provide notice to, and obtain consent from,” end users “who [are] for all practical purposes total strangers” to those organizations.
In Rivera, Amazon argued that Zellmer supported the conclusion that forcing it to comply with BIPA’s notice and consent requirements would be impracticable because the company did not directly interact with end users of its facial biometrics program. The court, however, found Zellmer distinguishable because the Rivera plaintiffs were not “total strangers” to Amazon. Rather, they were connected through Amazon’s customer. Therefore, it was not inconceivable to the court that Amazon could notify them and obtain their consent during the image upload process, making dismissal on these grounds inappropriate.
The Rivera court’s reasoning aligns with other courts that have analyzed this aspect of BIPA compliance in the context of non-users. For example, in Wise v. Ring LLC, No. 20 CV 1298, 2022 WL 3083068 (W.D. Wash. Aug. 3, 2022), the court rejected a defendant’s argument that a class of bystanders with no contractual relationship to the defendant could not maintain a cognizable BIPA claim against it due to the lack of any relationship between the parties. The Wise court reasoned that the lack of any direct relationship was irrelevant to the analysis. Rather, because the defendant maintained systems capable of identifying individuals, the court declined to dismiss the Section 15(a), 15(b), and 15(d) claims asserted in that action.
Attempted, But Unsuccessful, Compliance With BIPA Not a Defense to Class Claims
Another notable takeaway from Rivera is the rejection of Amazon’s argument that it could not be held liable for purported BIPA violations because it had done everything it could possibly do to comply with the statute. Specifically, Amazon argued that under its service terms, all customers that used its facial biometrics program are required to provide legally adequate privacy notices and obtain all necessary consents from end users.
The court found that Amazon’s inclusion of this catch-all provision requiring its customers to comply with the law was generally inadequate to satisfy its legal obligations under BIPA. For example, the court noted, Amazon could program its facial biometrics solution so that it would not run unless and until it provided BIPA-compliant notice and obtained BIPA-compliant consent from end users, either through its customer’s interface or otherwise.
This aspect of Rivera highlights the risks that technology vendors (and other types of companies) face when attempting to rely solely on another party to satisfy their own BIPA compliance obligations. In the event a vendor seeks to push some of these obligations onto the other party, it should seek to ensure that its underlying agreement with the other entity clearly spells out the vendor’s entitlement to full indemnification and reimbursement of all legal costs associated with litigation in the event of the other party’s failure to satisfy all compliance requirements relating to both the other party and the vendor. Vendors should also consider including language in their agreements allowing them to review and approve any biometrics-related language prepared by the other party in order to evaluate its level of compliance with the law prior to the time those materials are put into operation for compliance purposes.
Challenges in Obtaining Dismissal of BIPA Class Actions by Biometrics Vendors Under Section 25(c)’s Financial Institution/GLBA Exemption
The last notable takeaway pertains to the court’s rejection of Amazon’s BIPA Section 25(c) financial institution/GLBA exemption argument. In seeking dismissal of the Rivera action, Amazon argued that because the plaintiffs’ colleges were “financial institutions” under Section 25(c)—which provides that BIPA is not applicable “in any manner” to financial institutions or their affiliates—applying BIPA to Amazon would have the practical effect of applying BIPA to the colleges in violation of Section 25(c). The court found this argument lacked merit, noting potential scenarios where there would be no interference with the colleges’ operations if Amazon was required to provide notice and obtain consent. Ultimately, the court concluded—without the benefit of additional evidence and briefing—it could not resolve whether allowing the plaintiffs’ claims would result in a violation of Section 25(c), prompting the court to dismiss this argument as well.
This reasoning aligns with other courts that have more recently analyzed the applicability of Section 25(c) to the vendors of customers that purportedly meet the GLBA’s definition of a “financial institution” and thus are shielded from liability under Section 25(c). For example, in Davis v. Jumio Corp., No. 22 CV 776, 2023 WL 2019048 (N.D. Ill. Feb. 14, 2023), the court rejected another biometric technology vendor’s bid for dismissal of a BIPA class action through assertion of the Section 25(c) defense. In so doing, the court noted that without further information regarding how the customer’s app functioned and how the vendor’s identity verification software was integrated into the customer’s app, the court could not determine the extent to which requiring the vendor to comply with BIPA would necessitate changes to how the customer did business, such that BIPA might be considered as applying “in any manner” to the customer.
Rivera and Davis demonstrate the complexities and difficulties vendors face in procuring early dismissals from BIPA class actions at the pleading stage—especially as it relates to the Section 25(c) defense—as courts will often conclude that additional evidence not permissible on a motion to dismiss is necessary for the court to make a conclusive determination as to the applicability of the financial institution/GLBA exemption to a specific vendor.
What to do now
At bottom, although it is possible to obtain the dismissal of BIPA disputes through assertion of the law’s financial institution/GLBA exemption, Rivera is illustrative of the significant hurdles biometrics vendors often face in their attempts to extract themselves from BIPA class disputes through utilization of the Section 25(c) exemption at the pleading stage and before proceeding into extremely costly discovery.
With that said, to more fully mitigate BIPA litigation risk, biometrics vendors should consider taking a conservative approach to compliance that ensures all applicable BIPA requirements are satisfied—even where it is not definitively clear that the company’s technology falls under the scope of the Illinois law. Specifically, vendors should strive to maintain flexible, comprehensive biometric privacy programs, which should encompass (among other things) the following:
- set data retention and destruction guidelines and schedules containing a clear and unambiguous description of the event trigger(s) that will prompt the immediate and permanent destruction of biometric data;
- a mechanism for ensuring written notice is supplied to all data subjects before the time biometric data is collected; and
- a separate mechanism for ensuring written consent is obtained allowing the vendor to collect, possess, retain, store, and disseminate biometric data before the time any such data is obtained.
In addition, as discussed above, vendors should ensure that all contractual agreements entered into with customers contain language regarding the use of biometric data that properly allocates the parties’ responsibilities under BIPA and similar biometrics statutes, and which otherwise mitigates applicable legal risks and liability exposure to the greatest extent possible.
About the author
David J. Oberly is Of Counsel in the Washington, D.C. office of Baker Donelson, and a member of the firm’s Biometric Privacy, Artificial Intelligence, and Data Protection, Privacy & Cybersecurity practices. Recognized as “one of the nation’s foremost thought leaders in the biometric privacy space” by LexisNexis, David’s practice focuses on counseling and advising clients on a wide range of biometric privacy, artificial intelligence, and data privacy/security compliance and risk management matters. In addition, David has deep experience in litigating bet-the-company BIPA class action disputes. He is also the author of Biometric Data Privacy Compliance & Best Practices—the first and only full-length treatise of its kind to provide a comprehensive compendium of biometric privacy law. He can be reached at email@example.com. You can follow David on X at @DavidJOberly.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.