Illinois’ Biometric Information Protection Act (“BIPA”) requires entities collecting, using, and storing biometric data (such as face scans, retina scans, and fingerprint scans) to, among other things, inform and obtain consent from the owners of the data. Private entities storing an individual’s biometric information must also use a “reasonable standard of care” and treat the information in the same manner as they treat other confidential and sensitive information.
In past articles, we identified a trend involving Article III standing in cases brought under BIPA. Courts were drawing lines between cases where the plaintiff willingly submitted her biometric information (despite the defendant’s technical violation of BIPA), see, e.g., Santana v. Take-Two Interactive Software, No. 17-303, 2017 U.S. App. LEXIS 23446 (2d Cir. Nov. 21, 2017), and cases where the plaintiff’s biometric information was not given knowingly, see, e.g., Patel v. Facebook Inc., No. 3:15-cv-03747-JD, 2018 U.S. Dist. LEXIS 30727 (N.D. Cal. Feb. 26, 2018). Most courts were finding Article III standing only in the latter category of cases. This created a hurdle for plaintiff-employees suing their employers for BIPA violations based on the collection of their biometric information for time-keeping purposes (a common activity for employers) because in such situations, employees provide their biometric information willingly.
However, a creative way has been found to clear the Article III hurdle. In Dixon v. Washington & Jane Smith Cmty., No. 17-cv-8033, 2018 U.S. Dist. LEXIS 90344 (N.D. Ill. May 31, 2018), the court found Article III standing because the complaint included allegations that plaintiff Cynthia Nixon’s employer disclosed her fingerprint information to Kronos, a third-party biometric timeclock vendor, without her notice or consent. “The allegation that [the employer] disclosed [the employee’s] fingerprint data to Kronos without informing her distinguishes this case from others in which alleged violations of BIPA were determined insufficiently concrete to constitute an injury in fact for standing purposes.” The court added, “this alleged violation of the right to privacy in and control over one’s biometric data, despite being an intangible injury, is sufficiently concrete to constitute an injury in fact that supports Article III standing.” The court employed the same logic to deny the defendants’ motions to dismiss under Fed. R. Civ. P. 12(b)(6). “Even though this may not be a tangible or pecuniary harm, it is an actual and concrete harm that stems directly from the defendants’ alleged violations of BIPA.”
Employees are apparently gaining insight from Dixon, as some have begun to amend their complaints to add allegations that their biometric information was disclosed to third parties, often the company supplying and maintaining the employer’s fingerprint scanner, as in Barnes v. Arytza, No. 2017-CH-11312, Cameron v. Polar Tech Indus., Inc. (co-defendant ADP Inc.), No. 2018-CH-10001, Edmond v. DPI Specialty Foods, Inc. et al. (co-defendant Ceridian HCM Holding Inc.), No. 2018-CH-9573, and Battles v. Southwest Airlines Co. (co-defendant Kronos Inc.), No. 2018-CH-9376, all filed in the Chancery Division of the Circuit Court of Cook County.
It will be interesting to see if these additional allegations of third-party disclosure are enough to avoid dismissal in Illinois state courts for a lack of standing. Third parties, like Kronos or ADP, may not necessarily have accessed, or even had the ability to access, employees’ biometric data, but instead likely merely host the servers that retain the data. We have yet to see any actions alleging the selling or theft of biometric data, but at least in Dixon, the mere allegation of third-party disclosure, however minor, was enough to find Article III standing.