On October 17, the U.S. District Court for the Western District of Washington issued an order and judgment ending two related putative class actions alleging that tech companies violated Illinois’ Biometric Information Privacy Act (BIPA) by using datasets containing geometric scans of the plaintiffs’ faces without their permission. The court granted summary judgment in favor of the tech companies, holding that BIPA does not apply extraterritorially to conduct outside of Illinois and that the plaintiffs had not met their burden to establish the relevant conduct occurred “primarily and substantially” in Illinois.

For background, the plaintiffs were Illinois residents who uploaded digital photographs of themselves to the photo-sharing website Flickr. In 2014, Yahoo!, Flickr’s then-parent company, publicly released a dataset of about 100 million photographs that had been uploaded to the site. One million of these photographs were ultimately offered free of charge and for research purposes only to researchers at the two tech companies. The researchers were working to end an “industry-wide problem with many facial recognition systems’ ability to accurately characterize individuals who were not male and did not have light colored skin tones.” The plaintiffs alleged the tech companies violated BIPA by: (1) collecting and obtaining their biometric data without providing required information or obtaining written releases, and (2) unlawfully profiting from their biometric data.

The court held as an initial matter that under Illinois law, a statute is without extraterritorial effect unless the statute expressly states otherwise. “Because BIPA does not contain such an express provision, it does not apply extraterritorially to conduct outside of Illinois.” Therefore, under Illinois’ extraterritoriality doctrine, for BIPA to apply to the tech companies’ activities, the plaintiffs had to demonstrate that the activities “occurred primarily and substantially in Illinois.”

The plaintiffs argued that BIPA applied because the conduct at issue took place in Illinois. Specifically, (1) the plaintiffs resided in Illinois; (2) their photos were taken in Illinois and uploaded to the internet in Illinois; and (3) their injuries occurred in Illinois. The court found, however, that the relevant conduct — downloading, reviewing, and evaluating the dataset — took place in Washington and New York, and thus, the extraterritoriality doctrine did indeed bar the plaintiffs’ claims.

The court also dismissed the plaintiffs’ unjust enrichment claims, finding they did not meet their burden to show the tech companies obtained a benefit from the dataset. Both tech companies submitted evidence that their researchers viewed, but ultimately decided not to use, the dataset. The court found that the plaintiffs presented no counterevidence establishing a genuine issue of fact on that issue.

Our Take

This decision was the first to limit BIPA’s reach in this way and made for a welcome development for parties defending BIPA claims out of state. While the decision was heavily fact-dependent, its effect on future BIPA cases will be significant. Its reach will not end with BIPA lawsuits, however. The decision can arguably be applied to lawsuits brought under other privacy laws as well. In our connected world, privacy violations increasingly result from conduct over the internet, where the violator is not necessarily in the state where the personal information was collected or stored. Extraterritoriality is thus likely to play a more prominent role in privacy cases going forward.