As previously discussed here, here, and here, 2020 has proven to be a consequential year for biometric privacy litigation in Illinois. In perhaps the most active month of the year thus far, seven Illinois District Court Judges issued rulings related to the Illinois Biometric Information Privacy Act (“BIPA”) in August. The rulings address a variety of issues implicated by BIPA, including subject matter jurisdiction, waiver, the statute of limitations for filing a BIPA claim, personal jurisdiction, and the constitutionality of BIPA.
In Frisby v. Sky Chefs, Inc., Judge Matthew Kennelly of the District Court for the Northern District of Illinois ruled that the court lacked subject matter jurisdiction over the plaintiff’s BIPA claims. In that case, the plaintiff alleged that Sky Chefs, an airline catering business and the plaintiff’s former employer, violated BIPA by collecting his fingerprints without first issuing required disclosures, failing to obtain written consent to acquire the prints, and failing to publish protocols for the retention and destruction of employee fingerprints.
In response, Sky Chefs moved to dismiss, arguing that the court lacked subject matter jurisdiction. Specifically, Sky Chefs contended that the plaintiff’s claim was preempted by the Railway Labor Act (“RLA”). The RLA applies to “common carrier[s] by air” and requires that any dispute regarding the interpretation or application of a collective bargaining agreement must be adjudicated by an adjustment board, not a court. Relying on precedent from the Seventh Circuit Court of Appeals, Judge Kennelly explained that disputes regarding how a common air carrier acquires and uses employee fingerprint information falls within the scope of the RLA. The parties, however, disputed whether Sky Chefs constituted a common air carrier. The court ultimately determined that Sky Chefs’ business activities satisfied the definition of a common air carrier because catering for in-flight food service has consistently been treated as a function traditionally performed by air carriers. In 1988, the National Mediation Board made such a determination specific to Sky Chefs. The court concluded that the plaintiff presented no evidence suggesting that Sky Chefs had changed its business since the 1988 determination. Thus, the court held that the plaintiff’s BIPA claim was preempted by the RLA and that it lacked subject matter jurisdiction.
On August 7th, the Northern District Court addressed the statute of limitations for BIPA claims. In Cothron v. White Castle Sys., the plaintiff, a White Castle employee, alleged that her employer violated BIPA through its practice of collecting employees’ fingerprints. White Castle began collecting the plaintiff’s fingerprints in 2007. Although BIPA was passed in 2008, White Castle continued collecting the plaintiff’s fingerprints but did not provide the plaintiff with the disclosures, or obtain her consent, as required by BIPA. White Castle did not provide her with the necessary disclosures or obtain her consent until October 2018. The plaintiff filed suit against White Castle in December 2018.
White Castle argued that the plaintiff’s claim was untimely. According to White Castle, the plaintiff’s claim accrued in 2008 when BIPA was enacted, as White Castle was allegedly in violation of the Act at the time of its passage. By contrast, the plaintiff argued that at least a portion of her claim did not arise until 2018 because White Castle did not comply with BIPA until that time. The plaintiff’s theory was premised on the “continuing tort” doctrine, which holds that for a tort involving a continuous or repeated injury, the statute of limitations period does not begin to run until the date of the last injury or the date the tortious acts cease. The plaintiff claimed that the statute of limitations did not begin to run until White Castle’s final violation under BIPA (i.e., the last time White Castle collected and disseminated her biometric information without having obtained the plaintiff’s consent or giving her the notice required by the Act).
The court rejected the plaintiff’s argument regarding the continuing tort doctrine. The court reasoned that the continuing tort doctrine applies to claims that arise from a series of acts collectively, while it does not apply to a series of discrete acts, even if those acts form an overall pattern of wrongdoing. As to BIPA, the Illinois Supreme Court has explained that the Act imposes obligations that are violated through discrete individual acts, not accumulated courses of conduct. Stated differently, Illinois courts treat a single violation of BIPA as a concrete injury giving the aggrieved party the right to file suit.
The court next analyzed when the defendant’s alleged violations occurred. According to the court, a party violates BIPA each time it collects a person’s biometric information without obtaining consent or providing the required disclosure. The court explained that this is true the first time an entity collects a person’s fingerprint and with each subsequent scan or collection. Thus, the court concluded that the plaintiff alleged multiple violations of BIPA; namely, each time White Castle collected her fingerprint information after the enactment of BIPA and before it provided the required disclosures and obtained her consent in October 2018. Importantly, however, the court reserved ruling on what constitutes the applicable statute of limitations for a BIPA claim because the defendant requested additional time to brief the issue.
Also on August 7th, Judge Robert Dow of the Northern District Court denied a motion to dismiss a BIPA suit. In Lenoir v. Little Caesar Enters., the plaintiffs filed suit against their former employer, Little Caesars, alleging that it violated BIPA through a fingerprint collection system. The defendant argued that one of the plaintiffs waived her right to file suit because six months after she began working for Little Caesars, she allegedly consented to the “past, present and future collection, use, and storage of [her] fingerprint data” by registering her fingerprint scan in a program called Caesar Vision. The court rejected Little Caesars’ argument, noting that the plaintiff’s consent made no mention of BIPA or any other right to sue, nor did it acknowledge that Little Caesars had already collected the plaintiff’s biometric information. Since BIPA requires an entity to obtain consent before collecting a person’s biometric data, the court did not believe it was appropriate to dismiss the case based on the plaintiff’s generalized consent to Little Caesars’ past collection of her biometric information. Finally, consistent with prior opinions, the court rejected Little Caesars’ argument that the plaintiffs’ BIPA claims were barred by the exclusive remedy provision of the Illinois Workers’ Compensation Act because an injury under BIPA is not considered a “compensable injury” under the Workers’ Compensation Act.
On August 12th, the Northern District Court examined whether it could exercise personal jurisdiction over a defendant in a BIPA suit. In Mutnick v. Clearview AI, the plaintiffs filed suit against Clearview and the two founders of Clearview. The defendants argued that they were not subject to personal jurisdiction because they never targeted businesses in Illinois or travelled to Illinois. In determining that the defendants were subject to personal jurisdiction, the court first noted that whether or not the defendants had ever travelled to Illinois was largely irrelevant, as it “is an inescapable fact of modern commercial life that a substantial amount of business is transacted solely by mail and wire communications across state lines.”
The court also found unavailing Clearview’s argument that it did not exclusively target Illinois because it collected the biometric information of millions of other Americans from different states. According to the court, it was not necessary that Clearview exclusively target Illinois residents. Instead, the defendants must have maintained contacts with Illinois that gave rise or directly related to the cause of action. The court determined that the defendants maintained such contacts by entering into hundreds of agreements with Illinois entities allowing defendants to collect the biometric information of Illinois citizens, marketing its biometric collection technology to the Illinois Secretary of State, and selling licenses for the use of the biometric information to entities located in Illinois.
Finally, on August 19th, the District Court for the Southern District of Illinois addressed the constitutionality of BIPA. Specifically, in Stauffer v. Innovative Heights Fairview Heights, LLC, one of the defendants argued that BIPA is unconstitutional because it amounts to “special legislation” in that it imposes strict compliance requirements on some employers, but then “arbitrarily” exempts the financial industry and state and local government contractors. The Illinois Constitution prohibits a “special or local law” when a general law is or can be made applicable. This provision prohibits the Illinois General Assembly from conferring a special benefit or privilege upon one person or group and excluding others that are similarly situated.
Regarding BIPA’s exemption for financial institutions, the court explained that the exemption applies only to those institutions subject to Title V of the Gram-Leach Bliley Act of 1999. Thus, the exemption does not apply to all financial institutions. Moreover, the financial institutions that are exempt from BIPA are subject to similarly stringent reporting requirements under federal law. The court also noted failing to exempt those institutions might have resulted in federal preemption of BIPA. Accordingly, the court did not find the financial institution distinction to be “artificially narrow” such that it amounted to unconstitutional special legislation.
As to the defendant’s argument that the BIPA exemption for government employers, the court accepted the plaintiff’s argument that BIPA was enacted to regulate the private sector, not government entities. Additionally, the court found it important that in the nearly 12 years since BIPA’s enactment, no court has found the Act unconstitutional. For those reasons, the court determined that the plaintiff alleged sufficient facts to conclude that BIPA is not special legislation and, therefore, not unconstitutional.
With the increase in BIPA lawsuit filings since early 2019, we should expect courts to continue providing guidance on the scope of BIPA, the merits of both plaintiff and defense theories in these cases, and when dismissal or summary judgment are appropriate in these cases. As always, we at Baker Sterchi will continue monitoring for developments related to BIPA and how those developments might impact our clients.