The Illinois Biometric Information Privacy Act, more commonly known as “BIPA,” was the first statute to protect biometric privacy in the United States when it was passed in 2008. Although Texas and Washington have since passed their own biometric privacy laws,1 and other states have protected biometric information as part of more general data privacy legislation,2 BIPA remains the most powerful such law in the country due to being the only biometric privacy law to contain a private right of action.3 BIPA has also proven to be an important precedent for other states, such as New York, that are currently proposing their own biometric privacy bills.4 Yet despite BIPA’s influential position in privacy law, complicated questions remain, such as when claims accrue,5 how BIPA interacts with the Illinois Workers’ Compensation Act,6 and which statute of limitations applies.7 One such significant question was raised in TransUnion LLC v. Ramirez,8 in which the U.S. Supreme Court provided important guidance on federal standing for data privacy claims that could significantly affect the BIPA landscape and how other, future, biometric privacy laws are drafted and litigated.
I. How BIPA Protects Biometric Data
Under BIPA, a private entity may not collect, capture, purchase, or obtain a person’s biometric identifier or biometric information unless it (1) informs that individual, in writing, of the collection; (2) informs that individual of the purpose for the collection and length of time for which the information will be collected, stored, and used; and (3) receives a written release from the individual.9 A biometric identifier is defined as a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” whereas biometric information is defined as any information “based on an individual’s biometric identifier used to identify an individual.”10 In addition to the collection requirements, an entity must also develop a publicly-available written retention schedule establishing a timeline for permanently destroying biometric identifiers and biometric information, either when the initial purpose for collection has been satisfied or within three years, whichever is sooner, and comply with that schedule.11 The entity must also store and protect all biometric identifiers and biometric information using the industry “reasonable standard of care” that is equal to or more protective than the manner in which it stores, transmits, and protects other confidential and sensitive information.12
The transfer of biometric identifiers and biometric information is also strictly regulated by BIPA. An entity cannot sell or otherwise profit from an individuals’ biometric identifier or biometric information.13 Once in its possession, an entity also may not disclose or disseminate biometric identifiers or biometric information unless: (1) the subject consents; (2) the act completes a financial transaction authorized by the subject; (3) it is required by law; or (4) it is required pursuant to a valid warrant or subpoena.14
If any part of BIPA is violated, the harmed individual has a private right of action.15 A successful BIPA suit can result in liquidated damages of $1,000 or actual damages, whichever is greater, for a negligent violation, or $5,000 or actual damages, whichever is greater, for an intentional or reckless violation.16 The plaintiff can also recover attorneys’ fees and costs, as well as other relief, such as an injunction, where appropriate.17
II. The Rise of BIPA
BIPA was originally passed in 2008 to specifically protect Illinois residents’ unique biometric information in response to the growing use of biometrics in businesses and in the security sector.18 The statute, however, was largely ignored until 2015, when a series of class action lawsuits were finally brought alleging the unlawful collection and use of Illinois residents’ biometric data.19 Following these suits, the number of filed BIPA claims started to steadily increase.20
One of the most significant expansions in BIPA litigation was due to the Illinois Supreme Court’s 2019 decision in Rosenbach v. Six Flags.21 In Rosenbach, the court ruled that actual harm is not required to establish standing to use under BIPA.22 Under Illinois law, standing exists when a person is prejudiced or aggrieved, and “a person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment.”23 Under this definition, a procedural violation of BIPA is enough for standing in Illinois courts.24
Since 2015, hundreds of BIPA claims have been filed in both state and federal court. Class action lawsuits under BIPA have led to damage awards amounting to as much as $650 million.25 BIPA has become a significant law, which is worth millions to the plaintiffs’ bar and is an important consideration for businesses.26
In particular, class action lawsuits have exacerbated the potential risks and rewards of BIPA claims. Most BIPA claims are brought in Illinois state court, but defendants often wish to remove them to federal court pursuant to the Class Action Fairness Act (“CAFA”).27 CAFA has relatively low requirements for removal, allowing defendant classes to remove to federal court as long as the case involves at least 100 plaintiffs, one of the plaintiffs is from outside of the defendant’s home state, and the potential liability is at least $5 million.28 Federal courts are seen as more favorable for defendants as they are more experienced applying class action rules.29
III. Standing Pre-TransUnion
Given the favorability of federal forums, BIPA cases proceed in both federal courts and Illinois state court.30 The criteria for standing under BIPA are different under state and federal law.31 While claimants could bring claims based on pure procedural violations in Illinois state court under Rosenbach, the requirement for standing in federal courts was higher than merely being “prejudiced or aggrieved.”32 In Spokeo, Inc. v. Robins, the U.S. Supreme Court explicitly held that Article III standing in federal court required more than just a “bare procedural violation;” instead, it needed both a “particularized” and “concrete” injury.33
The Court of Appeals for the Seventh Circuit has addressed Article III standing in the BIPA context on several occasions. The first case to address this relationship in significant detail was Miller v. Southwest Airlines Co.34 In that case, the Seventh Circuit found that unauthorized fingerprint identification, implicating several provisions of BIPA, could lead to a change in how workers clock in and out, which was sufficient for Article III standing.35
The analysis in Miller was expanded the following year in perhaps the most robust discussion on BIPA standing in federal courts to date. In Bryant v. Compass Group USA, Inc., the Seventh Circuit drew a distinction for standing to sue for an unlawful collection, capture, purchase, or obtaining of a biometric identifier or biometric information (“15(b)”) and making publicly available a written retention schedule (“15(a)”).36 The Bryant court relied on a distinction made by Justice Clarence Thomas in Spokeo: a concrete injury is where the plaintiff is asserting a violation of her own rights, but a violation of the public’s rights is merely a procedural violation.37 Under this standard, the Bryant court held that the plaintiff alleged a concrete injury because she asserted a violation of her own rights—her fingerprints and her private information were implicated rather than those of society.38 Alternatively, the court held that by withholding substantive information to which the plaintiff was entitled, the defendant had deprived her of the ability to give informed consent, as required under 15(b), which also constituted a concrete injury.39 As to the plaintiff’s 15(a) claim, however, she only alleged that the written retention policy was not created, not that it was not followed.40 The duty to create and disclose a retention schedule was a duty to the public and could not lead to a private injury. Therefore, there was no Article III standing for a pure procedural violation of this part of 15(a).41
Building on Bryant, the Seventh Circuit held in Fox v. Dakkota Integrated Systems, LLC that a plaintiff had standing for a 15(a) claim when he or she alleged that the biometric identifier or biometric information was retained after the initial purpose for which the data was collected had elapsed.42 According to the court, an unlawful retention under 15(a), like an unlawful collection under 15(b), conferred Article III standing.43 Finally, in Thornley v. Clearview AI, Inc., the Seventh Circuit held that a bare allegation that the defendant violated BIPA’s prohibition on the sale or profit from an individuals’ biometric identifier or biometric information (“15(c)”), without more, is not particularized or concrete, and therefore fails to establish standing.44
While the Seventh Circuit was gradually developing its rules on standing in these cases, other appellate courts went their own ways. For example, the Ninth Circuit held that because BIPA was created to protect individuals’ “concrete interests in privacy, not merely [their] procedural rights,” they had Article III standing.45 But the Second Circuit held that a BIPA claimant did not have standing, as their allegations did not raise a material risk of harm to their interests.46
IV. BIPA Claims Post-TransUnion
While the landscape of federal standing for BIPA claims was beginning to coalesce by mid-2021, the Supreme Court’s recent decision in TransUnion LLC v. Ramirez calls into question those nascent rules. The plaintiffs in TransUnion alleged that the defendant credit reporting agency had failed to implement reasonable procedures to ensure the accuracy of their credit files, which led to their files incorrectly labeling the plaintiffs as potential terrorists.47 In TransUnion, the Supreme Court answered whether alleged harms under the Fair Credit Reporting Act (“FCRA”) were concrete injuries sufficient for Article III standing.48 In Spokeo, the Supreme Court had indicated that courts should look at whether the alleged injury had a “close relationship” to a historical or common law harm recognized by courts.49 Relying on this logic, the Court recognized that the risk of real harm can suffice for standing, but it was unclear where that line was drawn.50 The TransUnion court reinforced the Spokeo ruling, holding that, regardless of what the legislature authorized, “the mere risk of future harm, without more,” cannot qualify as a concrete harm in a suit for damages, and “no concrete harm, no standing.”51 The 1,853 plaintiffs in TransUnion that had their misleading credit reports disclosed had suffered actual harm, but the other 6,332 class members whose misleading reports were not disclosed had not.52
Prior to TransUnion, many BIPA cases were brought as class action lawsuits and removed to federal court. Following the decision in Bryant—which at least established standing for 15(b) claims—the number of federal BIPA cases greatly increased.53 Some plaintiffs, however, started to be strategic and only bring BIPA claims under sections that would not—even prior to TransUnion—meet Article III standing.54 This was what happened in Thornley, for example, where the plaintiff purposefully only brought 15(c) claims and successfully had the case remanded to state court.55 But the question of “whether the risk of disclosure itself [under BIPA] suffices for standing” was left unanswered by the Seventh Circuit.56
Although that question was answered in TransUnion for the FCRA, the implications of that decision will also affect BIPA classes. Members of the class often have different degrees of alleged harm under the statutory rights provided by BIPA.57 The viability of BIPA class actions proceeding in federal court was already somewhat limited based on Seventh Circuit jurisprudence, but TransUnion further curtails the potential for federal BIPA class actions by raising the standard for Article III standing.
In light of TransUnion, the Seventh Circuit and other federal courts will have to revisit their jurisprudence. While the creation of a retention policy under 15(a) and a claim under 15(c) did not qualify for Article III standing before TransUnion, the decisions in Bryant and Fox will need to be re-evaluated to see if 15(a) and 15(b) claims can still be brought in federal court in light of this latest Supreme Court guidance. In particular, federal courts will need to decide whether the unlawful retention, collection, capture, or purchase of biometric identifier or biometric information only poses a mere risk of future harm or a more direct harm that is closely related to a historical cause of action. How future cases are decided, especially by the Seventh Circuit, will dictate the future of BIPA claims in federal court and Illinois state courts’ dockets.
While TransUnion restricts the jurisdiction of federal courts, it does not apply to state courts. In the wake of TransUnion, the number of BIPA cases proceeding in state court will likely continue to rise. Plaintiffs will likely continue to take advantage of BIPA claims that lack Article III standing, such as 15(c), to keep their cases in state court. Depending on how courts interpret TransUnion, other BIPA claims may start being remanded to state court as well. If federal courts find that the injuries under 15(a) and 15(b) do not constitute concrete injuries for Article III standing, plaintiffs could bring a wider panoply of claims under BIPA with confidence that the case will not be successfully removed to federal court.
Courts have recognized this division in state and federal standards for standing. The Thornley court even encouraged plaintiffs that fail to establish federal standing to take advantage of the fact that Illinois law permits bare procedural violations of BIPA.58 In TransUnion, Justice Thomas noted in his dissent that TransUnion’s victory in the case may prove a pyrrhic one: “By declaring that federal courts lack jurisdiction, the Court has thus ensured that state courts will exercise exclusive jurisdiction over these sorts of class actions.”59 But increased state proceedings could be valuable, as Judge Easterbrook of the Seventh Circuit has noted that the federal removal of BIPA cases “makes it very hard for the state to interpret its own statute.”60
TransUnion introduced potential uncertainties into federal BIPA jurisprudence. While the Seventh Circuit and other federal courts may continue to cite to cases such as Miller, Bryant, Fox, and Thornley, those cases may have to be revisited through the more rigid Article III standard from TransUnion. Up until now, BIPA has proven highly influential across the country in protecting individuals’ biometric information. TransUnion’s impact on the forum in which BIPA claims may be brought could affect not only Illinois and BIPA, but may also have a noticeable impact on how other states, such as New York, craft their own biometric privacy laws.
a. Michael P. Goodyear is an associate at Weil, Gotshal & Manges LLP in the firm’s Complex Commercial Litigation and Intellectual Property & Media practices.
1. Tex. Bus. & Com. Code Ann. § 503.001 (2017); Wash. Rev. Code § 19.375.010 (2021).
2. See, e.g., Cal. Civ. Code § 1798.100 (Deering 2018) (California Consumer Privacy Act, defining biometric information and including it under covered “personal information”); N.Y. Gen. Bus Law § 899-aa (2019) (SHIELD Act, defining biometric information and including it under covered “private information”); Ark. Code Ann. § 4-110-103 (2019) (data breach law defining biometric data and including it under protected “personal information”).
3. 740 Ill. Comp. Stat. 14/20 (2021).
4. See, e.g., New York Biometric Privacy Act, A.B. 27, 2021–2022 Assemb. Reg. Sess. (N.Y. 2021).
5. See Cothron v. White Castle Sys. Inc., 20 F.4th 1156 (7th Cir. 2021).
6. See McDonald v. Symphony Bronzeville Park LLC, No. 126511, 2022 WL 318649 (Ill. Feb. 3, 2022).
7. See Tims v. Black Horse Carriers Inc., No. 1-20-0563, WL 4243310 (Ill. App. Ct. Sept. 17, 2021); Marion v. Ring Container Techs. LLC, No. 3-20-0184 (Ill. App. Ct. 2021) (stayed pending the Illinois Supreme Court’s decision in McDonald v. Symphony Bronzeville Park LLC).
8. 141 S. Ct. 2190 (2021).
9. 740 Ill. Comp. Stat. 14/15(b) (2021).
10. 740 Ill. Comp. Stat. 14/10 (2021).
11. 740 Ill. Comp. Stat. 14/15(a) (2021).
12. 740 Ill. Comp. Stat. 14/15(e) (2021).
13. 740 Ill. Comp. Stat. 14/15(c) (2021).
14. 740 Ill. Comp. Stat. 14/15(d) (2021).
15. 740 Ill. Comp. Stat. 14/20 (2021).
16. Id.
17. Id.
18. 740 Ill. Comp. Stat. 14/5 (2021); S.B. 2400, 95th Gen. Assemb. (Ill. 2008).
19. See Anna L. Metzger, The Litigation Rollercoaster of BIPA: A Comment on the Protection of Individuals from Violations of Biometric information Privacy, 50 Loy. Univ. Chi. L.J. 1051, 1055 (2019).
20. See id.
21. Rosenbach v. Six Flags, 129 N.E.3d 1197 (Ill. 2019).
22. Id. at 1207.
23. Id. at 1205 (quoting Glos v. Illinois, 102 N.E. 763, 766 (Ill. 1913)).
24. Id. at 1206.
25. See, e.g., In re Facebook Biometric Information Privacy Litig., No. 3:15-cv-03747, 2020 WL 4818608, at *2 (N.D. Cal. Aug. 19, 2020).
26. See Kathryn E. Deal, Meredith C. Slawe, Natasha G. Kohne & Michelle A. Reed, Rosenbach v. Six Flags — Illinois Supreme Court Takes Expansive View of Statutory Standing Under the Biometric Information Privacy Act, 31 Intell. Prop. & Tech. L.J. 1, 3 (Apr. 2019).
27. See Alison Frankel, 7th Circuit Won’t Stay Remand in BIPA Class Action, Offering Road Map to State Court, Reuters (Mar. 10, 2021, 7:56 PM), https://www.reuters.com/article/legal-us-otc-bipa/7th-circuit-wont-stay-remand-in-bipa-class-action-offering-road-map-to-state-court-idUSKBN2B22N6 [https://perma.cc/8PWP-MC5N].
28. 28 U.S.C. § 1332(d).
29. See Frankel, supra note 27.
30. See, e.g., Cothron v. White Castle Sys., Inc., 467 F. Supp. 3d 604 (N.D. Ill. 2020); Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019); McDonald v. Symphony Bronzeville Park LLC, No. 126511, 2022 WL 318649 (Ill. Feb. 3, 2022)
31. Bryant v. Compass Grp. USA, Inc., 958 F.3d 617, 621 (7th Cir. 2020).
32. Rosenbach v. Six Flags, 129 N.E.3d 1197 (Ill. 2019).
33. Spokeo, Inc. v. Robins, 578 U.S. 330, 339, 341 (2016).
34. Miller v. Sw. Airlines Co., 926 F.3d 898 (7th Cir. 2019).
35. Id. at 902.
36. 958 F.3d 617, 626 (7th Cir. 2020).
37. Id. at 624 (citing Spokeo, 136 S. Ct. at 1551–52 (Thomas, J., concurring)).
38. Id.
39. Id. at 626.
40. Id. at 619.
41. Id. at 626.
42. Fox v. Dakkota Integrated Systems, LLC, 980 F.3d 1146, 1154–55 (7th Cir. 2020).
43. Id.
44. Thornley v. Clearview AI, Inc., 984 F.3d 1241, 1248 (7th Cir. 2021).
45. Patel v. Facebook, Inc., 932 F.3d 1264, 1274 (9th Cir. 2019).
46. Santana v. Take-Two Interactive Software, 717 F. App’x 12, 15 (2d Cir. 2017).
47. TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2208 (2021).
48. Id. at 2200.
49. Spokeo, Inc. v. Robins, 578 U.S. 330, 340–41 (2016).
50. Id. at 341–343
51. TransUnion, 141 S. Ct. at 2200, 2211.
52. Id. at 2211–13.
53. Jennifer Marsh, ANALYSIS: Biometrics Privacy Class Actions Increase This Year, Bloomberg L. (Nov. 6, 2020, 3:18 AM), https://news.bloomberglaw.com/bloomberg-law-analysis/analysis-biometrics-privacy-class-actions-increase-this-year [https://perma.cc/N65U-5EBF].
54. BIPA And Article III Standing: Where Are We Now?, 12 Nat’l L. Rev. (Mar. 4, 2021), https://www.natlawreview.com/article/bipa-and-article-iii-standing-where-are-we-now [https://perma.cc/Y8VZ-RZCC].
55. Thornley v. Clearview AI, Inc., 984 F.3d 1241, 1249 (7th Cir. 2021).
56. Miller v. Sw. Airlines Co., 926 F.3d 898, 903 (7th Cir. 2019) (declining to answer the question).
57. See Robert Cattanach, Melonie Jordan & Kent Schmidt, “No Concrete Harm, No Standing” – Supreme Court’s TransUnion v. Ramirez Decision Clarifies Federal Court Standing Requirements for CCPA and BIPA Class Actions, Dorsey & Whitney LLP (June 30, 2021), https://www.dorsey.com/newsresources/publications/client-alerts/2021/06/supreme-courts-transunion-v-ramirez-decision [https://perma.cc/5Z9Y-U685].
58. Thornley, 984 F.3d at 1248–49.
59. TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2224 n.9 (2021) (Thomas, J., dissenting).
60. Lauraann Wood, 7th Cir. Weighs Asking Ill. Justices to Tackle BIPA Accrual, Law360 (Sept. 14, 2021, 7:05 PM), https://www.law360.com/cybersecurity-privacy/articles/1421677?cn_pk=c24e85fc-c5ce-4cd1-b891-7e7fa0a16e72 [https://perma.cc/4GVJ-NBWZ].
The full text of this Article is available to download as a PDF.