State regulation of biometric identifiers (such as fingerprints and face scans) is on the rise. Texas and Washington each have some form of a biometrics act. Earlier this year, lawmakers in California and Maryland proposed legislation aimed at regulating the collection of biometric data. The most potent biometrics act in the United States, however, lies just over Wisconsin’s southern border, in Illinois.
It might seem that complying with the Illinois Biometric Information Privacy Act (BIPA or the Act) is not particularly onerous, but the Act can be a trap for the unwitting. BIPA liability can arise with a technical failure to comply with the statute (for example, a failure to obtain informed consent), even if there is no data breach or other mishandling of the data. As a result, one commentary noted in 2019, “BIPA lawsuits have become extremely attractive to plaintiffs’ lawyers given businesses’ widespread collection of biometric information and the potentially enormous statutory damages available under BIPA.”1
As the well of claims dries up within Illinois, however, lawyers and potential plaintiffs have started looking to other states. The first wave of out-of-state defendants comprised obvious targets – technology companies (such as Google, Facebook (now Meta), Amazon, and Shutterfly) and other large corporations (such as Johnson & Johnson, Procter & Gamble, and Estée Lauder). The next wave might target smaller operations, such as Wisconsin-based manufacturers, distributors, healthcare companies, or startups.
Business lawyers should think generally about whether to advise clients on the risks of collecting biometric information. This article, however, focuses primarily on BIPA because it poses the greatest risk to Wisconsin companies.
BIPA Background
Broadly speaking, BIPA “is designed to protect consumers against the threat of irreparable privacy harms, identity theft, and other economic injuries arising from the increasing use of biometric identifiers and information by private entities.”2 BIPA applies to private entities that collect biometric identifiers, defined to include a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”3
Section 15 of the Act outlines the requirements imposed on entities that collect biometric information. Of those requirements, subsections 15(a) and (b) are often litigated. Section 15(a) requires publication of a written policy regarding the company’s retention and destruction of the data.4 Section 15(b) requires entities collecting biometric information to obtain written, informed consent and releases from individuals before collecting their data.5
The Act provides a private cause of action for “[a]ny person aggrieved by a violation” of the Act.6 For each violation, a prevailing party is entitled to liquidated damages of $1,000 (for negligent violations) or $5,000 (for reckless or intentional violations).7 The Act also provides for injunctive relief and attorney fees.8
Adequate Injury Under BIPA
Any lawyer or businessperson attempting to understand BIPA should begin with the question of injury or standing – the point at which a plaintiff can assert a claim under the Act. In the leading BIPA case, Rosenbach v. Six Flags Entertainment Corp., the Illinois Appellate Court held that “a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under” BIPA and therefore has no claim.9 But the Illinois Supreme Court reversed.
In so doing, the supreme court cited the Act’s legislative findings to emphasize that
“[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information.”10 Social Security numbers can be changed, but biometrics are “biologically unique” and if they are compromised, “the individual has no recourse.”11 The supreme court concluded that it “would be completely antithetical to the Act’s preventative and deterrent purposes” to require individuals to wait until their biometrics had been compromised.12 After Rosenbach, therefore, a technical failure to comply with BIPA’s requirements gives rise to a claim in state court, even if there is no additional injury.
The analysis for federal court – where most Wisconsin businesses would litigate, based on diversity – is more complicated. A federal-court plaintiff must establish standing under Article III of the U.S. Constitution, while state-court standing requirements are more lenient.13 In Bryant v. Compass Group USA Inc., the plaintiff’s workplace breakroom contained a vending machine (owned by Compass) that required customers to create a fingerprint-enabled account, rather than accepting cash.14 The case was similar to Rosenbach, in the sense that the plaintiff alleged failure to comply with BIPA and nothing more. On appeal, the U.S. Court of Appeals for the Seventh Circuit addressed whether the district court had jurisdiction. Specifically, under Article III, the Seventh Circuit analyzed whether the plaintiff “suffered an actual or imminent, concrete and particularized injury-in-fact” rather than some sort of hypothetical harm.15
The court noted that Rosenbach was helpful but was not conclusive on the heightened Article III standing question. Still, technical violation of some of BIPA’s requirements, without additional injury, can itself give rise to a claim.16 Subsequent opinions have addressed BIPA’s other requirements, continuing to flesh out the question of when a plaintiff has a particularized injury sufficient to confer standing.17
BIPA Litigation Examples
The majority of BIPA litigation involves time-tracking systems, which require fingerprints or facial scans for employees to clock in. However, BIPA violations can occur in any part of a private entity’s operations. BIPA lawsuits have arisen in the following contexts (among others):
Trucking company: used locking mechanism that required a handprint scan to access different facilities.
Fast food restaurant: required employees to use fingerprints to access work computers.
Fast food restaurant:recorded customers’ voice prints in drive-through lanes.
Higher education institution:required students to use face-scanning software to take exams remotely.
Airline: recorded passenger’s voiceprint when calling a customer service hotline.
Medical facility: required nurses to scan a handprint to dispense medication.
Tanning salon: allowed customers to scan fingerprint to access different locations.
Social media site: mapped faces uploaded to the site.
Rental lockers in public spaces: required a finger scan to open and close.
Online retailer: scanned consumers’ facial geometry as part of a service allowing customers to virtually try on eyeglasses.
Blood donation center: used fingerprints to track donors.
Amusement park:used fingerprints for ticketing and admission.
Employer breakroom:vending machine required fingerprint scan for purchases.
BIPA Risks for Wisconsin Companies
On its face, BIPA applies to all “private entit[ies],” meaning “any individual, partnership, corporation, limited liability company, association, or other group, however organized.”18 The statute is not limited to private entities based or organized in Illinois. Thus, the initial question for Wisconsin-based companies is whether BIPA has an “extraterritorial effect.” “Under Illinois law, a statute does not have extraterritorial effect unless the Assembly expressly intended it.”19 BIPA does not apply extraterritorially because there is no indication that the Illinois Legislature intended it to so apply.20 Therefore, the “BIPA violations must have taken place in Illinois.”21
However, the violation need not occur exclusivelyin Illinois. It is enough that the violation occur “primarily and substantially” within Illinois.22 “Circumstances will vary in every case,” and there is “no single formula or bright line test for determining whether a transaction occurs within” Illinois.23 Instead, Illinois courts will look to factors such as the residency of the plaintiff, the location of the harm, communications between the parties, and where the company policy is carried out.24
Alongside the extraterritoriality defense, out-of-state defendants also often assert a defense based on the Dormant Commerce Clause of the U.S. Constitution. That clause “precludes the application of a state statute to commerce that takes place wholly outside of the State’s borders, whether or not the commerce has effects within the State.”25 An early case addressing this question found “no basis for concluding that applying BIPA in this case would entail control over out-of-state conduct in a way that would run afoul of the dormant commerce clause.”26 However, the Commerce Clause remains a potentially viable defense, depending on the facts of the case.27
It might seem that BIPA poses few risks to many Wisconsin companies. However, an artful lawyer can put together a class of Illinois plaintiffs that might satisfy the extraterritoriality concerns.28 Moreover, courts presiding over BIPA claims have routinely refused to resolve extraterritoriality and Dormant Commerce Clause questions on motions to dismiss.29
A 2022 opinion serves as an example of this risk. In In re Clearview AI Inc., Consumer Privacy Litigation, the defendant – which allegedly scraped billions of face prints online from its New York offices – asserted extraterritoriality and the Dormant Commerce Clause defenses on a motion to dismiss.30 The defendant asserted that “Illinois residences make up only a small percentage of its database.”31 The district court predictably refused to consider the argument on a motion to dismiss. Instead, the court looked only to the complaint, took those allegations as true, and construed all reasonable inferences in favor of the plaintiff. Doing so, the court denied the motion to dismiss based on extraterritoriality and the Dormant Commerce Clause.32
Minimizing Potential Liability
Companies with operations in Illinois or other states that regulate biometrics should review their operations to ensure that they comply with BIPA. Lawyers can use the list of BIPA litigation examples in this article to familiarize themselves with the types of operations that can give rise to a biometrics claim. If a client is collecting biometric information, lawyers should ask whether that collection is necessary. If the collection is not necessary, lawyers should consider advising the client to stop collecting the data. Clients that want to continue collecting the data should put in place appropriate systems to obtain informed consent and otherwise comply with BIPA or the applicable biometrics act.
Lawyers might also look for means to shift BIPA risks away from their clients. Providers of tools that collect biometric information (such as time clocks for which employees must present their fingerprints) might attempt to shift potential liability to employers that use the product. When vetting providers, employers might seek to negotiate this provision or otherwise use it in evaluating competing options. There has also been growing insurance-coverage litigation related to BIPA claims. Businesses with operations in Illinois can consult with their insurance brokers and explicitly ask for BIPA coverage.
A Broader Trend
To date, BIPA has been the most heavily litigated biometrics statute – and is the statute most likely to have effects in Wisconsin – but Illinois is not alone in protecting biometric information.For example, Texas has a statute, the Capture and Use of Biometric Information Act (CUBI),33 which contains requirements similar to BIPA’s but provides no private right of action. Only the Texas Attorney General can enforce CUBI.34 That office never attempted to enforce CUBI in the first 20 years after the statute went into effect. In 2022, however, the Texas Attorney General filed suit against Meta, alleging billions of violations of CUBI.35
More biometrics statutes are likely on the way. California’s Consumer Privacy Act already protects biometric information under some circumstances, but on Feb. 17, 2022, a California state senator introduced a bill to create an analogous BIPA statute in California.36 The same week, after a failed attempt in 2021, Maryland legislators filed a similar bill.37
In light of these developments, protection of biometric information is a topic Wisconsin lawyers should be evaluating and discussing with their clients.
Meet Our Contributors
What piqued your interest in Illinois’ Biometric Information Privacy Act as applied to your Wisconsin clients?
Wisconsin and Illinois are so intertwined. I have bounced back and forth across the border – as has my family, for nearly 100 years. I think often about the interplay between the states and their respective laws.
The obvious Biometric Information Privacy Act (BIPA) targets in Illinois have largely dried up. Sooner or later, all that will remain are out-of-state companies. While a lot of ink has already been spilled on BIPA litigation, I felt I had something to add and think it is important for Wisconsin lawyers to recognize the emerging risk.
David P. Hollander, Stafford Rosenbaum LLP, Madison
Become a contributor! Are you working on an interesting case? Have a practice tip to share? There are several ways to contribute to Wisconsin Lawyer. To discuss a topic idea, contact Managing Editor Karlé Lester at klester@wisbar.org. Check out our writing and submission guidelines.
Endnotes
1 31 Intell. Prop. & Tech. L.J. 22, 23 (2019) (Laura Foggan, Jeffrey L. Poston, Nathanial J. Wood, Brandon C. Ge).
2 Bryantv. Compass Grp. USA Inc., 958 F.3d 617, 619 (7th Cir. 2020).
3 740 Ill. Comp. Stat. 14/10.
4 740 Ill. Comp. Stat. 14/15(a).
5 740 Ill. Comp. Stat. 14/15(b).
6 740 Ill. Comp. Stat. 14/20.
7 740 Ill. Comp. Stat. 14/20(1), (2).
8 740 Ill. Comp. Stat. 14/20(1), (2).
9 Rosenbach v. Six Flags Ent. Corp., 2017 IL App (2d) 170317, ¶ 23, rev’d, 129 N.E.3d 1197.
10 Rosenbach v. Six Flags Ent. Corp., 129 N.E.3d 1197, 1206 (quoting 740 Ill. Comp. Stat. 14/5(c)).
11 Id.
12 Id. ¶ 37.
13 Bryant, 958 F.3d at 622.
14 Id. at 619.
15 Id. at 620.
16 Id.
17 See Thornley v. Clearview AI Inc., 984 F.3d 1241, 1246 (7th Cir. 2021) (addressing standing to bring claims under section 15(c), relating to sale of biometric information); Cothron v. White Castle Sys. Inc., 20 F.4th 1156, 1161 (7th Cir. 2021) (addressing standing to bring claims under section 15(d), relating to disclosure of biometric data without consent).
18 740 Ill. Comp. Stat. 14/10.
19 Rivera v. Google Inc., 238 F. Supp. 3d 1088, 1100 (N.D. Ill. 2017).
20 Id.
21 In re Clearview AI Inc., Consumer Priv. Litig., No. 21-CV-0135, 2022 WL 444135, at *4 (N.D. Ill. Feb. 14, 2022).
22 Id.
23 Rivera, 238 F. Supp. 3d at 1101 (internal quotations omitted).
24 Id.; In re Clearview AI Inc., 2022 WL 444135, at *4.
25 Healy v. Beer Inst. Inc., 491 U.S. 324, 336 (1989).
26 Monroy v. Shutterfly Inc., No. 16 C 10984, 2017 WL 4099846, at *8 (N.D. Ill. Sept. 15, 2017) (unpublished).
27 See Karling v. Samsara Inc., No. 22 C 295, 2022 WL 2663513, at *5 (N.D. Ill. July 11, 2022); Vance v. Microsoft Corp., 525 F. Supp. 3d 1287, 1294 (W.D. Wash. 2021); Vance v. International Bus. Machs. Corp., No. 20 C 577, 2020 WL 5530134, at *4 (N.D. Ill. Sept. 15, 2020)(slip copy); Vance v. Amazon.com Inc., 525 F. Supp. 3d 1301, 1310 (W.D. Wash. 2021).
28 See Monroy, 2017 WL 4099846, at *7 (“Monroy’s suit, as well as his proposed class, is confined to individuals whose biometric data was obtained from photographs uploaded to Shutterfly in Illinois. Applying BIPA in this case would not entail any regulation of Shutterfly’s gathering and storage of biometric data obtained outside of Illinois.”); In re Clearview AI Inc., 2022 WL 444135, at *4 (denying motion to dismiss because plaintiffs asserted an “Illinois subclass” of “Illinois residents” with “private domains in Illinois”).
29 In re Clearview AI Inc., 2022 WL 444135, at *4 (“the application of the extraterritoriality doctrine is a fact intense inquiry that is best left for summary judgment once the parties have completed discovery.”); Karling, 2022 WL 2663513, at *5 (“Without discovery into […] the alleged burden of compliance with BIPA, the Court cannot determine whether there is a dormant Commerce Clause violation.”); see also Monroy, 2017 WL 4099846, at *7; Vance, 525 F. Supp. 3d at 1294; Vance, 2020 WL 5530134, at *4.
30 In re Clearview AI Inc., 2022 WL 444135, at *4.
31 Id.
32 Id.
33 Tex. Bus. & Com. Code § 503.001.
34 Tex. Bus. & Com. Code § 503.001(d).
35 See Texas v. Meta Platforms Inc., No. 22-0121 (Harrison Cnty. Texas) (filed Feb. 14, 2022), https://tinyurl.com/48ztf8ys.
36 S.B. 1189, 2021-22 Reg. Sess. The California Senate bill can be viewed at Cal. Legis. Info., https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202120220SB1189 (April 7, 2022).
37 House Bill 0259, 2022 Reg. Sess., cross filed as S.B. 0335, 2022 Reg. Sess. More information about the Maryland bill is at Md. Gen. Assemb., https://mgaleg.maryland.gov/mgawebsite/Legislation/Details/HB0259?ys=2022RS) (last updated July 8, 2022).
» Cite this article: 95 Wis. Law. 16-20 (November 2022).