Key takeaways and lessons learned from BIPA choice of law dismissal
By David J. Oberly, Biometric Privacy & Data Privacy Attorney
In late October, a global technology conglomerate successfully challenged an Illinois Biometric Information Privacy Act (BIPA) class action lawsuit on choice of law grounds, resulting in the dispositive dismissal of the class action with prejudice. In that case, Baker v. Match Group, Inc., No. 23 CV 2761, 2024 U.S. Dist. LEXIS 196990 (N.D. Tex. Oct. 30, 2024), a Texas federal district court held that the choice of law provision contained in Match Group, Inc.’s (Match Group) terms of use—requiring the application of Texas substantive law—barred users of its online dating apps from stating an Illinois state law BIPA claim upon which relief could be granted.
The Baker decision provides key insight into the contours and nuances of choice of law as a defense in BIPA class action litigation. At the same time, Baker also highlights the significant uncertainty that persists with many of the core defenses available in BIPA class action litigation, underscoring the need for strict compliance with Illinois’s biometrics law to best manage liability exposure stemming from alleged BIPA non-compliance.
The Texas Northern District’s decision
In Baker, five Illinois residents who used dating apps owned by Match Group filed suit in Illinois state court, alleging three causes of action under BIPA. Following removal, an Illinois federal court transferred the case to the U.S. District Court for the Northern District of Texas pursuant to the forum selection provision contained in Match Group’s terms of use. Match Group then moved for dismissal of the action, arguing that Texas law applied under the choice of law provision contained in its terms of use and, because the plaintiffs had only alleged violations of Illinois law, they lacked any plausible basis for relief. The court agreed, holding that Texas law barred the plaintiffs’ BIPA claims as a matter of law.
Texas has adopted the Restatement (Second) Conflict of Laws § 187 framework to govern the enforceability of contractual choice of law provisions. Under the Restatement § 187 approach, a choice of law provision will be enforced unless a different state has a: (1) more significant relationship with the parties and the transaction; (2) materially greater interest in the enforceability of the provision; and (3) fundamental policy that will be contravened by application of the chosen state’s law.
The Baker court focused on the third, “contrary to fundamental policy” prong of the analysis, which requires that the application of the parties’ chosen law would be contrary to “a state policy so fundamental that the courts of the state will refuse to enforce an agreement contrary to that law, despite the parties’ original intentions, and even though the agreement would be enforceable in another state connected with the transaction.”
Applied to the dispute before it, the Baker court held that while BIPA embodied a fundamental policy of Illinois, Texas shared that same fundamental policy interest through the enactment of its own BIPA-like law, the Texas Capture or Use of Biometric Identifiers Act (CUBI). Notably, the court found that differences in the enforcement mechanisms chosen by Texas and Illinois—i.e., CUBI’s enforcement by the Texas attorney general and BIPA’s private right of action—did not alter the analysis. And while CUBI and BIPA differ in other respects, the court ultimately concluded that CUBI offered similar protections vis-à-vis BIPA. As such, CUBI and Texas law did not contravene Illinois’s fundamental policy of safeguarding the biometric data of its residents.
Because the application of Texas law did not run contrary to Illinois policy, Texas law governed the dispute under the parties’ enforceable contractual choice of law provision. Under Texas law, the Baker plaintiffs were precluded as a matter of law from asserting an actionable Illinois state law BIPA cause of action against Match Group, necessitating dismissal of the action with prejudice.
Analysis and takeaways
Navigating choice of law complexities and nuances in BIPA class action Llitigation
To date, the only other BIPA class action to be dismissed on choice of law grounds is Thakkar v. ProctorU, Inc., 642 F. Supp. 3d 1304 (N.D. Ala. 2022). Thakkar, however, involved application of Alabama’s choice of law rules, which do not take into consideration the fundamental policy interests of any state other than its own. Rather, Alabama law provides that contractual choice of law provisions are enforceable unless application of parties’ chosen law would conflict with Alabama public policy. In Thakkar, the choice of law provision at issue specified that Alabama law would govern all disputes. Because application of the parties’ chosen law could not possibly run contrary to Alabama public policy, the choice of law provision was held to be enforceable, resulting in the dispositive dismissal of that BIPA class action with prejudice.
Other than Baker, every court that has ruled the enforceability of choice of law provisions in BIPA litigation under the Restatement § 187 rubric has held such provisions to be unenforceable, reasoning that application of parties’ chosen law would result in Illinois’s policy of protecting its citizens’ privacy interests in their biometric data being “written out of existence.” See, e.g., In re Facebook Biometric Info. Priv. Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016); Delgado v. Meta Platforms, Inc., 718 F. Supp. 3d 1146 (N.D. Cal. 2024).
Similarly, every court that has ruled on choice of law in BIPA disputes under Illinois’s choice of law rules—which require the balancing of interests between Illinois law and the parties’ chosen law—have also unanimously refused to enforce such provisions. See, e.g., Patterson v. Respondus, Inc., 593 F. Supp. 3d 783 (N.D. Ill. 2022); Hogan v. Amazon.com, Inc., No. 21 CV 3169, 2022 U.S. Dist. LEXIS 58347 (N.D. Ill. Mar. 30, 2022); Kuklinski v. Binance Cap. Mgmt. Co., Ltd., No. 21 CV 1425, 2023 U.S. Dist. LEXIS 59418 (S.D. Ill. Apr. 5, 2023); Hartman v. Meta Platforms, Inc., No. 23 CV 2995, 2024 U.S. Dist. LEXIS 167696 (S.D. Ill. Sept. 17, 2024).
In several BIPA decisions applying Illinois’s balancing test, the parties had contractually selected Washington law—which maintains its own biometrics statute, Wash. Rev. Code § 19.375.010, et seq. (HB 1493)—to govern their disputes. Even though HB 1493 imposes many of the same requirements and restrictions over the collection and use of biometric data that are found in Illinois’s biometrics statute, those courts declined to apply Washington law, reasoning that HB 1493’s lack of a private right of action would thwart plaintiffs’ individual rights to assert claims for the purported misuse of their biometric data, as was granted to them under BIPA’s private right of action.
Conversely, the Baker court held that application of Texas law did not run afoul of Illinois policy, even though CUBI—like HB 1493—contains no private right of action. As explained above, the Baker court reasoned that although differences existed between the Texas and Illinois laws, CUBI ultimately offered a level of protection over biometric data that was on par with BIPA and, as such, applying Texas law would not run contrary to Illinois fundamental policy.
As the above analysis demonstrates, the outcome of choice of law challenges asserted in BIPA class action disputes turn primarily on the forum state’s choice of law rules. Even then, however, litigants are still subject to inconsistent decisions due to the broad discretion afforded to courts in applying the forum’s choice of law rules to the specific facts of a given case.
With that said, Baker and the other BIPA choice of law decisions issued to date provide several key takeaways:
- Companies are most likely to prevail on choice of law challenges in jurisdictions that have adopted a general rule broadly favoring the enforcement of contractual choice of law selections.
- At the opposite end of the spectrum, companies are least likely to prevail on choice of law challenges in class actions venued in Illinois, as the state’s balancing test skews heavily in favor of applying Illinois substantive law, regardless of the state law chosen by the parties to govern their disputes.
- Companies also face uphill battles in prevailing on choice of law challenges in jurisdictions that have adopted the Restatement § 187 approach, particularly where the parties’ chosen law does not offer statutory biometric protections comparable to BIPA.
- While the likelihood of success under the Restatement § 187 framework increases somewhat where the parties’ chosen law does offer biometrics-specific, BIPA-like statutory protections, significant uncertainty nonetheless remains due to the broad latitude maintained by courts in applying the Restatement § 187 rubric to the underlying facts of BIPA disputes.
Continued uncertainty regarding core defenses underlying BIPA disputes
Baker and the other BIPA choice of law decisions discussed above highlight the continued unsettled—and oftentimes conflicting—nature of the law on critical issues underlying BIPA class action disputes. More important, the uncertainties underlying the scope and contours of choice of law as a defense in BIPA class actions pose sizeable risks for companies that develop, supply, or use biometrics, as federal district court decisions are not binding precedent in other judicial districts, the same judicial district, or even upon the same judge in a different case. Ultimately—because they are non-precedential—district court decisions carry no more weight than the force of their reasoning demands.
Taken together, the lack of consensus and consistency in the law and the mere persuasive effect of federal district court decisions in BIPA disputes make it imperative for companies to maintain ongoing, strict compliance with BIPA’s statutory requirements—as this remains the only sure-fire way to avoid being the victim of a rogue or otherwise questionable interpretation of the law in high-stakes class action litigation involving alleged non-compliance with Illinois’s biometrics statute.
What to do now
As illustrated by Baker, challenging BIPA class actions on choice of law grounds is a powerful tool that can be leveraged at the pleading stage to procure early dismissals from costly, bet-the-company class action disputes. With that said, the conflicting conclusions drawn by courts as to the enforceability of choice of law provisions under substantially similar fact patterns creates substantial uncertainty as to whether a given choice of law challenge will ultimately prove successful in definitively disposing of BIPA class action claims.
To address these risks, companies that use biometrics in their operations—as well as the technology vendors that develop and supply biometric tools—should ensure all contractual agreements contain robust, enforceable choice of law provisions that can withstand scrutiny if challenged in court. Because most BIPA complaints are filed in Illinois, companies should also ensure their contracts contain enforceable forum selection provisions to enable the transfer of BIPA class suits to a more favorable district court located outside of the Prairie State.
Importantly, due to the myriad of nuances and potential pitfalls that exist in connection with contractual choice of law clauses, companies should consult with experienced outside biometrics counsel, who can assist in drafting, reviewing, evaluating, and updating choice of law language in a manner that maximizes the likelihood of prevailing on a choice of law challenge in the event they are targeted with a BIPA class action complaint.
Moreover, to head off the significant hurdles that companies often face in attempting to extract themselves from BIPA class disputes before proceeding into extremely costly discovery, companies should also strongly consider taking a conservative approach to compliance and ensure all applicable BIPA legal obligations are strictly satisfied. Again, companies are well-advised to work closely with experienced outside biometrics counsel, who can assist in reviewing and auditing organizational biometrics compliance programs and remediating all identified gaps to achieve full compliance with the law—which significantly reduces the prospect of having to defend against bet-the-company BIPA class claims in the first instance.
Companies should ensure they maintain flexible, enterprise-wide biometrics compliance programs that encompass, at a minimum, the following:
- A publicly available, biometrics-specific privacy notice.
- Set data retention and destruction guidelines and schedules that clearly describe the specific events that trigger the immediate and permanent deletion of biometric data.
- Effective mechanisms to ensure written notice is supplied to all data subjects prior to the time biometric data is initially collected.
- Separate, effective mechanisms for ensuring written consent is obtained prior to the time biometric data is initially collected, and which permits the company to both collect and disclose biometric data for all purposes identified by the company at or before the time of collection.
- Clear and precise language in all contracts with customers, partners, vendors, and similarly situated third parties regarding the collection and use of biometric data, allocation of responsibilities between the parties for compliance with BIPA and similar biometrics laws, and any additional provisions needed to mitigate applicable legal risks and liability exposure to the greatest extent possible.
About the author
David J. Oberly is Of Counsel in the Washington, D.C. office of Baker Donelson, and leads the firm’s dedicated Biometrics practice. Recognized as “one of the nation’s foremost thought leaders in the biometric privacy space” by LexisNexis, David’s practice focuses on counseling and advising clients on a wide range of biometric privacy, artificial intelligence, and data privacy/security compliance and risk management matters. In addition, David has deep experience in litigating bet-the-company BIPA class action disputes. He is also the author of Biometric Data Privacy Compliance & Best Practices—the first and only full-length treatise of its kind to provide a comprehensive compendium of biometric privacy law. He can be reached at doberly@bakerdonelson.com. You can also follow David on X at @DavidJOberly.
Article Topics
biometric data | biometric identifiers | Biometric Information Privacy Act (BIPA) | biometrics | data protection | lawsuits | Texas
Comments