VTO tool liability defense rejection underscores uncertainty and risk in BIPA litigation
By David J. Oberly, Biometric Privacy & Data Privacy Attorney
For almost four years now, online retailers that utilize virtual try-on (“VTO”) tools have faced a barrage of class action litigation alleging non-compliance with the Illinois Biometric Information Privacy Act (“BIPA”) stemming from the use of this increasingly-popular “try-before-you-buy” technology. During this period, a powerful defense had seemingly emerged for the targets of VTO suits, and online eyewear brands in particular—BIPA’s Section 10 general health care exemption.
Recently, however, in Marino v. Gunnar Optiks LLC, 2024 IL App (1st) 231826, an Illinois appellate court rejected this defense as applied to VTO tools when used to virtually “try on” non-prescription eyewear—creating a significant split of authority as to the scope of this key BIPA defense. More than that, Marino illustrates the continuing uncertainty that persists with respect to many of the core issues underlying BIPA class action disputes, while also emphasizing the need for strict compliance with the statutory requirements of Illinois’s biometrics law to manage the outsized liability exposure that exists for mere technical BIPA non-compliance.
Background
BIPA Section 10 sets forth two distinct health care-related exemptions from the definition of “biometric identifiers.” The first, referred to as the “general health care exemption,” exempts “information captured from a patient in a health care setting.” The second, referred to as the “HIPAA exemption,” exempts “information collected, used, or stored for health care treatment, payment or operations under the federal Health Insurance Portability and Accountability Act of 1996 [(“HIPAA”)].”
Gunnar Optiks LLC (“Gunnar”)—which sells eyeglasses and other optical wear online—offers a VTO tool on its website that allows shoppers to virtually try on eyewear frames by digitally placing the frames on the shopper’s face to see how they might look on them prior to making a purchase.
Plaintiff Macaire Marino filed suit against Gunnar for alleged BIPA violations arising from the company’s purported collection of facial geometry scans through the VTO tool. Gunnar moved to dismiss the complaint, arguing that BIPA’s general health care exemption served as a complete defense to liability. An Illinois circuit court granted the motion with respect to claims pertaining to prescription eyewear, but denied the motion with respect to claims relating to non-prescription eyewear. Gunnar appealed.
Illinois appellate court rejects application of BIPA general health care exemption to non-prescription eyewear
On appeal, the court was tasked with answering the following question: Pursuant to BIPA’s general health care exemption, i.e., “information captured from a patient in a health care setting,” is an individual who tries on non-prescription eyewear utilizing a VTO tool that captures certain biometric data considered a patient in a health care setting? The court answered this question in the negative.
The Marino court began its analysis by noting that BIPA does not define the terms “patient” or “health care setting.” As such, pursuant to Illinois’s rules of statutory construction, the court looked to the dictionary definitions of these terms to ascertain their meaning.
Based on the dictionary definitions of “patient” and “medical,” the court concluded that a “patient” is someone who is presently awaiting or receiving care and treatment from a medical professional. Turning to the remainder of the exemption, the court explained that “health care” is defined as “efforts made to maintain, restore, or promote someone’s physical, mental, or emotional well-being[,] especially when performed by trained and licensed professionals,” and that “setting” is defined as “the time, place, and circumstances in which something occurs or develops.”
Reading the entire phrase together, the Marino court held that BIPA’s general health care exemption applies “where what would otherwise be biometric identifiers are taken from an individual who is presently awaiting or receiving medical care in a time, place, or circumstance where efforts are being made to maintain, restore, or promote that individual’s well-being, especially as performed by trained and licensed professionals.” The court further explained that while the setting itself might be almost anywhere, the definition is “limited by the requirement that the individual is awaiting or receiving medical care and the information is being collected as part of an effort to maintain[,] restore[,] or promote that person’s well-being.”
Applied to the VTO tool context, the court held that “an individual who uses software to try on non-prescription sunglasses is not a patient in a health care setting because they are not presently awaiting or receiving medical care.” As such, the Marino court explained, an individual who is trying on non-prescription sunglasses—unconnected to any specific medical advice, prescription, or need—does not fall within the scope of this statutory exclusion. Finally, applied to the dispute before it, the Marino court held that this exemption was inapplicable to bar the BIPA claims asserted against Gunnar as they pertained to non-prescription eyewear.
Continued uncertainty regarding core issues underlying BIPA class disputes
Importantly, Marino demonstrates the continued unsettled—and oftentimes conflicting—nature of the law on critical issues underlying BIPA class action disputes. Prior to Marino, all three decisions analyzing this issue had held that BIPA claims arising from the use of VTO tools in the context of non-prescription eyewear were barred by the statute’s general health care exemption. See Vo v. VSP Retail Dev. Holding, Inc., No. 19 CV 7187, 2020 U.S. Dist. LEXIS 53916 (N.D. Ill. Mar. 25, 2020), Svoboda v. Frames for Am., Inc., No. 21 CV 5509, 2022 U.S. Dist. LEXIS 162077 (N.D. Ill. Sept. 8, 2022), and Warmack-Stillwell v. Christian Dior, Inc., 655 F. Supp. 3d 742 (N.D. Ill. 2023). The Marino court held the opposite, without clearly articulating any distinguishing factors from those opinions that had found the exemption to be applicable to bar BIPA claims under similar factual circumstances.
Marino also illustrates the significant risks associated with reliance on federal district court opinions construing and interpreting BIPA’s statutory text. As a general rule, the decisions of federal district courts and circuit courts of appeal are not binding on Illinois courts and, therefore, state courts are not required by law to follow the decisions of lower federal courts. In Marino, the Illinois appellate court opined that Vo, Svoboda, and Warmack-Stillwell all failed to interpret BIPA’s general health care exemption in a manner that was consistent with its plain language and the intent of the Illinois legislature. Because it found these non-binding decisions unpersuasive, the Marino court declined to follow them in whole or in part.
Moreover, federal district court decisions are not binding precedent in a different federal judicial district, the same judicial district, or even upon the same judge in a different case. Because they are non-precedential, district court decisions carry no more weight than the force of their reasoning demands.
Taken together, the lack of consensus and consistency in decisions regarding issues central to BIPA class action litigation, combined with the mere persuasive effect of federal district court decisions on other BIPA disputes, makes it imperative that companies maintain ongoing, strict compliance with BIPA’s statutory requirements—which remains the only sure-fire method to avoid being on the receiving end of a rogue or otherwise questionable interpretation of the law in class action litigation involving alleged violations of Illinois’s biometrics statute.
What to do now
Challenging a BIPA class dispute through the assertion of Section 10’s general health care exemption is a particularly powerful tool that can be utilized at the pleading stage by companies that utilize VTO tools to procure early dismissals from costly, bet-the-company class action litigation. Importantly, however, as Marino demonstrates, some courts may not construe this exemption as a broad, categorical bar against all BIPA claims arising in connection with VTO technology. As such, entities that rely on these biometric tools, as well as the technology vendors that supply them, should complete an assessment to ascertain whether the exemption at issue in Marino may provide protection from potential BIPA liability exposure. To do so, companies should consult with experienced outside biometrics counsel, who can assist in evaluating the likelihood of success in asserting a defense to BIPA class claims based on Section 10’s general health care exemption, as applied to the organization’s specific operations and other unique nuances.
Importantly, however—even where certain arguments may exist that the general health care exemption should serve as a complete bar to BIPA liability—to avoid the significant risks that accompany a strategy of relying solely on this exemption to excuse any instances of non-compliance, companies should consider taking a conservative approach to compliance and ensure all applicable BIPA statutory requirements are satisfied, even when it is not definitively clear that the organization’s biometrics-related activities fall under the scope of the statute. Companies are well-advised to work with experienced outside biometrics counsel to review and audit their compliance programs and remediate any identified gaps necessary to achieve strict compliance with the law, as doing so can significantly reduce the prospect of having to defend against bet-the-company BIPA class claims in the first instance.
In particular, companies should ensure they maintain flexible, enterprise-wide biometrics compliance programs that include, at a minimum, the following:
- publicly-available privacy policies setting forth biometric data retention and destruction guidelines and schedules, including a description of the events that will trigger the immediate and permanent deletion of biometric data by the organization;
- mechanisms for supplying written notice to all data subjects prior to the time biometric data is collected; and
- separate mechanisms for obtaining written consent from all data subjects prior to the time biometric data is collected, and which permits collection by both the organization itself and any other, related entities implicated in the operation of the biometric system or solution (such as customers or vendors, as applicable).
Lastly, companies should ensure that their contractual agreements contain clear, robust language regarding the use of biometric data that properly allocates the parties’ responsibilities under BIPA and similar biometrics laws, and which otherwise mitigates relevant legal risks and liability exposure to the greatest extent reasonably feasible.
About the author
David J. Oberly is Of Counsel in the Washington, D.C. office of Baker Donelson, and leads the firm’s dedicated Biometrics practice. Recognized as “one of the nation’s foremost thought leaders in the biometric privacy space” by LexisNexis, David’s practice focuses on counseling and advising clients on a wide range of biometric privacy, artificial intelligence, and data privacy/security compliance and risk management matters. In addition, David has deep experience in litigating bet-the-company BIPA class action disputes. He is also the author of Biometric Data Privacy Compliance & Best Practices—the first and only full-length treatise of its kind to provide a comprehensive compendium of biometric privacy law. He can be reached at doberly@bakerdonelson.com. You can also follow David on X at @DavidJOberly.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.
Article Topics
biometric data | biometric identifiers | Biometric Information Privacy Act (BIPA) | biometrics | data privacy | lawsuits
Comments