Facing a Flood of BIPA LawsuitsJune 15, 2020 |
As New York continues the process of reopening and individuals, families, and businesses, as well as the courts, adjust to the “new normal” of living in a world still fighting the coronavirus, internet- and technology-related privacy and security issues are at the top of many lawyers’ and corporate executives’ minds.
Certainly privacy and security breach legislation, litigation, and actions taken by companies in response are not new. Indeed, this year’s sea change to work-from-home in reaction to the COVID-19 pandemic helped to emphasize – and to exacerbate – many well-known privacy and security issues.
If anything, they will grow only more significant as time goes on. One example illustrating this trend is the many class action lawsuits filed around the country under Illinois’ Biometric Information Privacy Act (BIPA). An early case against Facebook alleging that it improperly collected users’ biometric information in violation of BIPA recently resulted in a multimillion-dollar settlement. See, e.g., Thomas Germain, “Facebook Settles $550 Million Facial Recognition Lawsuit,” Consumer Reports (Jan. 30, 2020), available at https://www.consumerreports.org/lawsuits-settlements/facebook-settles-facial-recognition-lawsuit/.
Although BIPA is an Illinois statute, it is widely depended on as a predicate for class actions concerning assertions of privacy rights filed in New York and elsewhere. Many of these class actions not only include New York residents as members of their putative class but have been brought or transferred to the Southern District of New York. As such, BIPA and the lessons that can be learned about privacy litigation have great importance beyond Illinois’ borders.
BIPA governs the collection, storage, and dissemination by private entities of individuals’ “biometric identifiers” and “biometric information.” BIPA defines a “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” and defines “biometric information” as information based on “biometric identifiers.”
BIPA requires that a private entity in possession of biometrics release a publicly accessible written policy describing its practices for retaining and destroying those biometrics, see 740 I.L.C.S. § 14/15(a). The statute forbids a private entity from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining biometrics from a subject without first informing the subject that his or her biometrics are being collected and stored, informing the subject of the purpose of collecting the biometrics and the length of time for which they will be stored, and receiving a written release from the subject, see 740 I.L.C.S. 14/15(b). In addition, BIPA prohibits a private entity from disclosing or disseminating biometrics of a subject without the subject’s consent, see 740 I.L.C.S. 14/15(d)(1).
As the Supreme Court of Illinois noted in Rosenbach v. Six Flags Entertainment Corp., 129 N.E.3d 1197 (Ill. 2019), BIPA provides that any person “aggrieved” by a violation of its provisions “shall have a right of action . . . against an offending party” and “may recover for each violation” the greater of liquidated damages or actual damages, reasonable attorneys’ fees and costs, and any other relief, including an injunction, that the court deems appropriate.
The statute’s creation of a private right of action, and the ability to recover attorneys’ fees, has made plaintiffs’ attorneys eager to bring lawsuits. Notably, in a recent BIPA decision in the Southern District of New York, Chief District Judge Colleen McMahon wrote that she was “under no illusion” that the cases at issue were “anything other than attorney-driven class actions.” Calderon v. Clearview, AI, Inc., 2020 U.S. Dist. Lexis 94926 (S.D.N.Y. May 29, 2020).
The Calderon decision also is interesting for the wide range of actions it discusses that have been brought during only a few months this year against one single corporate defendant: Clearview AI, Inc. The suits were filed after an article published in The New York Times on January 18, 2020, entitled “The Secretive Company That Might End Privacy as We Know It” described Clearview’s creation of a facial recognition app “that could end your ability to walk down the street anonymously.” See, https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html. Clearview, a Delaware corporation with its headquarters and principal place of business in New York, collects images on the internet and organizes them into a searchable database, which then can be searched on an online app by its licensed users. Clearview hosts its data on servers located in New York and New Jersey.
After the Times article was published, eight federal class action lawsuits were filed against Clearview and its two principals. Two cases were filed in Chicago, Illinois; one in Alexandria, Virginia; one in San Diego, California; and the rest in the Southern District of New York.
The first of these lawsuits was filed in Illinois, alleging violations of BIPA as well as federal constitutional claims under 42 U.S.C. § 1983 (on the theory that Clearview AI qualified as a state actor). The plaintiff also asserted a claim for unjust enrichment. The claims were asserted on behalf of a nationwide class and an Illinois subclass.
Thereafter, several other plaintiffs filed similar, but not identical, putative class actions against Clearview.
On February 3, 2020, a complaint was filed in the Eastern District of Virginia, alleging violations of Virginia law; the case subsequently was transferred to the Southern District of New York.
On February 5, 2020, a second complaint was filed against the Clearview Defendants in the Northern District of Illinois. The complaint alleged violations of BIPA, the Illinois Consumer Fraud and Deceptive Business Practices Act, as well as common law conversion.
About one week later, a complaint was filed in the Southern District of New York alleging violations of BIPA on behalf of a putative Illinois class.
Then, later in February, a complaint in the Southern District of California was filed, alleging violations of California law, unjust enrichment, and a violation of BIPA on behalf of putative Illinois and California sub-classes. This case, too, was transferred to the Southern District of New York.
On March 12, yet another complaint was filed in the Southern District of New York, alleging violations of BIPA and claims for unjust enrichment, again on behalf of a putative Illinois class.
In mid-April, a new complaint in the Southern District of New York was filed, alleging violations of BIPA and claims for unjust enrichment on behalf of a putative nationwide class.
Finally, on May 4, 2020, a complaint in the Southern District of New York was filed, asserting claims under multiple states’ laws, including BIPA, as well as common law claims for intentional interference with contractual relations and unjust enrichment. These claims were asserted on behalf of a putative nationwide class and three state sub-classes: Illinois, California, and New York.
Thus, as of the time of the Clearview decision, there were six actions pending in the Southern District of New York. There also was a motion pending to transfer the two cases pending in the Northern District of Illinois to the Southern District of New York. Significantly, Chief Judge McMahon stated that she “intend[s] to consolidate the cases and proceed with case management.”
Article III Standing
Generally speaking, for a plaintiff to have Article III standing, three requirements must be satisfied: (1) the plaintiff must have suffered an actual or imminent, concrete and particularized injury-in-fact; (2) there must be a causal connection between the plaintiff’s injury and the conduct complained of; and (3) there must be a likelihood that this injury will be redressed by a favorable decision. See, e.g., Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992).
In Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), the U.S. Supreme Court explained that a “concrete” injury actually must exist but that it need not be tangible. The Court stated, however, that a “bare procedural violation, divorced from any concrete harm,” does not “satisfy the injury-in-fact requirement of Article III.” Instead, the Court said, a plaintiff must show that the statutory violation presented an “appreciable risk of harm” to the underlying concrete interest that [the legislature] sought to protect by enacting the statute.”
In many BIPA cases, defendants move to dismiss on the ground that the plaintiffs allege only a procedural violation of the law and do not allege that they suffered actual harm. Therefore, the defendants contend, the plaintiffs have not demonstrated Article III standing.
The circuit courts of appeals have issued conflicting decisions on standing in cases where defendants assert that plaintiffs allege only a procedural violation of BIPA.
The Second Circuit addressed that standing issue in a BIPA case in Santana v. Take-Two Interactive Software, Inc., 717 F.App’x 12 (2d Cir. 2017). There, the Second Circuit concluded that a plaintiff bringing BIPA claims against a video game company lacked Article III standing because none of the alleged procedural violations raised “a material risk of harm” to the plaintiff’s interest in “prevent[ing] the unauthorized use, collection, or disclosure of an individual’s biometric data.” The allegations showed that the plaintiff had already given consent by agreeing to the scan of his face, sitting still for 15 minutes while the scan took place, and creating his game avatar for use in online games. All that was left was a bare procedural violation, according to the Second Circuit.
In Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019), the Ninth Circuit held that plaintiffs alleged a sufficiently concrete injury for Article III standing purposes when they claimed that Facebook’s use of facial recognition technology without users’ informed consent violated BIPA. The Ninth Circuit concluded that the common law right to privacy supplied a concrete interest that was infringed by an “invasion of an individual’s biometric privacy rights.”
More recently, in Bryant v. Compass Group USA, Inc., 958 F.3d 617 (7th Cir. 2020), alleging a violation of BIPA’s disclosure and informed consent obligations, the Seventh Circuit found standing. It concluded that a defendant’s alleged failure to follow Section 15(b) of BIPA led to an invasion of personal rights that was both concrete and particularized.
Standing is only one of the most preliminary issues to be resolved in litigation. It will be interesting to see how courts, including in the Second Circuit, resolve standing and all of the additional issues that concern BIPA class actions.
Technology is bringing great benefits to those who are able to access it in their personal or professional lives. Companies that develop, market, and use these products should make sure, however, that they comply with all applicable privacy laws. One of the challenges will be to determine which privacy laws are, in fact, applicable to the business and its online practices. As the lawsuits and court decisions discussed here suggest, failure to consider governing law can lead to costly litigation, including a growing number of biometric lawsuits under BIPA.
Reprinted with permission from the June 2020 issue of the New York Law Journal. © ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.