Locke Lord QuickStudy: Second Circuit Delivers Limited Victory to Defendant Under Illinois Biometric Information Privacy Act and Spokeo.

Locke Lord LLP
November 22, 2017
On November 21, 2017, the U.S. Court of Appeals for the Second Circuit affirmed the dismissal of a case under Illinois’s Biometric Information Privacy Act (“BIPA”), finding that none of the alleged violations created a material risk of harm, so there was no federal subject-matter jurisdiction under the Supreme Court’s 2016 Spokeo decision. Vigil v. Take-Two Interactive, 2017 WL 5592589 (2nd Cir. Nov. 21, 2017). Although the decision was an unpublished and non-precedential summary order, the affirmed dismissal will help defendants utilize a Spokeo argument to attack BIPA cases filed in federal court. The decision’s impact in state court (where Spokeo is not binding) is less clear, but should help defendants there as well.

Plaintiffs have filed a wave of BIPA litigation regarding the use of biometric information.

BIPA governs the collection, storage, and use of biometric information, as defined by the statute, requiring notice and written consent before a person’s biometric information is collected. 740 ILCS 14/15(a), (b). BIPA also prohibits private entities from selling biometric information, restricts the disclosure thereof, and requires reasonable care be taken in storing or transmitting biometric identifiers/ information. BIPA allows any “person aggrieved” by a statutory violation to sue for the greater of either actual damages or “liquidated damages” of $1,000 for a negligent violation or $5,000 for an intentional or reckless violation. 740 ILCS 14/20. Reasonable attorneys’ fees and injunctive relief are also available. Id.

The availability of “liquidated damages”, perhaps even without actual damages, has recently triggered scores of putative class-action filings in Illinois courts alleging BIPA violations. More than two dozen putative class actions have been filed in Illinois courts, almost all of which are against employers alleging BIPA violations in connection with fingerprint scans used for time-keeping purposes. No industry is immune; recent class actions name retailers, a fast-food franchise, a trucking company, a nursing home, an airline cargo handling company, major U.S. airlines, a hotel chain, an ambulance company, a food manufacturer, and a supermarket chain.

Second Circuit: BIPA violations don’t necessarily satisfy standing under Spokeo.

In Take-Two, defendants made a video game that scanned players’ faces to create a personalized in-game avatar. Although plaintiffs knew their faces were being scanned, they did not receive the specific notice or provide the written release required by BIPA. The district court dismissed their case, finding the court lacked subject-matter jurisdiction under the U.S. Supreme Court’s decision in Spokeo v. Robins, 136 S. Ct. 1540 (2016). Spokeo held that federal courts lack subject-matter jurisdiction in cases where the plaintiff alleged a statutory violation but did not allege facts showing any concrete harm or material risk of harm. The district court also held plaintiffs were not “aggrieved” under BIPA—because any violations caused no harm—so plaintiffs also lacked a cause of action under the statute.

The Second Circuit affirmed the district court’s conclusion that plaintiffs’ allegations did not show harm or a material risk of harm and thus the district court lacked subject-matter jurisdiction under Spokeo. The court assumed without deciding that “BIPA’s purpose is to prevent the unauthorized use, collection, or disclosure of an individual’s biometric data”, and concluded that none of the allegations “raise a material risk of harm to this interest.” Take-Two, 2017 WL 5592589, at * 2. The court focused on the fact that plaintiffs knew their faces were being scanned and specifically consented to the scan. Id., at * 3. The court acknowledged that plaintiffs had alleged statutory violations—Take-Two did not disclose how long the information would be held, did not obtain a written release, and did not properly secure plaintiffs’ biometric information—but found no standing under Spokeo because there was “no material risk that Take-Two’s procedural violations have resulted in plaintiffs’ biometric data being used or disclosed without their consent.” Id.

The most difficult issue for the court was Take-Two’s alleged failure to properly secure plaintiff’s biometric information by transmitting it unencrypted over the internet. Id. The court left open the possibility that failing to provide the security required by the statute could support standing under Spokeo even if no actual theft of the data occurred, but held that plaintiffs had not alleged facts showing an increased “material risk that their biometric data will be improperly accessed by third parties.” Id., at * 4.

The Take-Two decision will help in federal court, but its impact in state court is less clear.

The Second Circuit affirmed the dismissal under Spokeo, which only limits the subject-matter jurisdiction in federal courts. State courts are not bound by Spokeo and often have broader subject-matter jurisdiction than federal courts. Thus, a BIPA plaintiff whose case is dismissed from federal court under Spokeo is free to re-file in state court; the Second Circuit in Take-Two held that the dismissal was without prejudice to plaintiffs doing just that. Id., at * 5.

BIPA defendants facing cases in state court can still use the Take-Two decision when facing plaintiffs who fail to allege any discernible injury. First (depending on the state), defendants can argue the state court lacks subject-matter jurisdiction based on the lack of injury and use Spokeo and Take-Two as persuasive (but not binding) authority. Some state courts take a Spokeo-like approach to limiting subject-matter jurisdiction. Illinois is such a state. See, e.g., Maglio v. Advocate Health and Hosp. Corp., 40 N.E.3d 746, 753 (Ill. 2d Dist. 2015) (finding no standing for data breach under the Illinois Consumer Fraud and Deceptive Business Practices Act and Personal Information Privacy Act because plaintiff’s stolen data was not improperly used).

Second, a BIPA defendant can use Take-Two’s discussion of plaintiffs’ lack of injury to support the argument that a plaintiff without injury is not a “person aggrieved” under the statute. Even if a state court has subject-matter jurisdiction, BIPA only authorized a “person aggrieved” by a statutory violation to sue, and some defendants have argued that this requires an actual injury. The Second Circuit concluded that purely technical violations of BIPA do not cause harm unless the violation increases the risk of unauthorized collection, use, or disclosure of the plaintiff’s biometric information. A BIPA defendant in state or federal court could thus argue that a plaintiff who alleges no resulting injury from an alleged violation has no cause of action under the statute.