It is becoming the data privacy version of paint by numbers: a plaintiff files a putative class action against their employer, alleging that the employer collected employees’ biometric information in violation of the Illinois Biometric Information Privacy Act (“BIPA”). Well, in the most recent permutation of the litany of BIPA litigations filed this year, a federal court held that claims under BIPA should not be remanded to state court and also that a complaint met federal pleading standards to withstand a motion to dismiss. Roberson v. Maestro Consulting Servs. Llc, 2020 U.S. Dist. LEXIS 233868 (S.D. Ill. 2020).
Plaintiffs were employed by Defendants, a network of various nursing homes. To track Plaintiffs’ time and attendance, Defendants collected, and Plaintiffs scanned, fingerprints or handprints for time and attendance purposes. Plaintiffs filed suit in state court, asserting that Defendants’ practices violated BIPA. Defendants removed the dispute to federal court, on the arguments that the litigation was preempted by the Labor Management Relations Act (“LMRA”) and Plaintiffs’ BIPA claims had a “common nucleus” of fact with other claims raised in the litigation.
A short detour-as readers of CPW already know (but for you novices out there), BIPA requires, among other things, that:
- A private entity must establish and make publicly available a protocol for retaining and handling biometric data.
- A private entity must first inform the subject in writing about the purpose of collecting the data, how long the data will be kept, and obtain consent of the subject.
- Further, this data must be destroyed: (1) when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or (2) within 3 years of the individual’s last interaction with the private entity (whichever occurs first).
- Sales, leases, trades, or further actions in which a private entity may profit from a person’s biometric information are strictly prohibited while disclosures, redisclosures, or other dissemination of a person’s biometric information are statutorily limited.
- Finally, private entities must protect biometric information from disclosure using “the reasonable standard of care within the private entity’s industry . . . . [and] in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.”
Before the court were two motions: (1) Plaintiffs’ motion to remand the case back to state court and (2) Defendants’ motion to dismiss the complaint for failure to plead a cognizable claim. The court addressed both, in turn.
In regards to the motion to remand, the court held that Defendants timely removed the case to federal court. Additionally, relying on the Seventh Circuit Court of Appeals’ rulings in Bryant and Fox, the court also found that Plaintiffs had Article III standing (a prerequisite to federal courts hearing the dispute) in regards to their claims brought under Section 15(b) of BIPA.
Insofar as Plaintiffs’ other BIPA claims were concerned, well, the Seventh Circuit has not yet addressed Article III standing for claims brought under Section 15(d) of BIPA (which requires entities to obtain a person’s consent when disclosing or disseminating an individual’s biometric data). However, the court adopted the reasoning of two district courts in the Seventh Circuit that have found that a plaintiff’s claims under section 15(d) satisfy Article III’s injury-in-fact requirement. The same result was reached as to Plaintiffs’ claims under Section 15(e) of BIPA, for a different reason (“Like their section 15(a) claims, the concrete injury suffered by Plaintiffs was the unlawful retention of their biometric data by Defendants because Defendants allegedly failed to comply with the standard of care within their industry and in a manner that is the same or more protective than the manner in which Defendants store, transmit, and protect other confidential and sensitive information”) (emphasis in original).
For these reasons, and because the district court found federal jurisdiction proper under the Class Action Fairness Act, the court denied Plaintiffs’ motion to remand.
Turning to the motion to dismiss, the court rejected exhibits attached to Defendants’ motion as establishing that Plaintiffs have no claim because each of these Plaintiffs signed a “BIPA Consent Form.” The court explained that, even when these so-called “consent” forms were considered, Defendants have not shown that Plaintiffs were informed and consented before their biometric information was collected. Additionally, even if Defendants offered such proof, that would be dispositive only to some of Plaintiffs’ claims under BIPA (and not result in dismissal of the entire litigation at the pleadings stage).
So there you have it—another BIPA case remains in federal court and also survives the all-important motion to dismiss. As always, CPW will be there to discuss additional developments in this area of data privacy litigation. Stay tuned.