CPW has been following the Clearview Illinois Biometric Information Privacy Act (“BIPA”) litigation for quite some time.  On Friday, Clearview argued to an Illinois federal judge that an injunction should not be issued precluding the company from collecting data.  This included, among other reasons, the argument that Clearview’s business operations are exempt from BIPA and that Clearview’s activities are Constitutionally protected.  Read on to learn more.

As you will recall, in In re: Clearview AI, Inc. Consumer Privacy Litigation, Case No. 1:21-cv-00135 (N.D. Ill), Plaintiffs have asked the court to issue the first-ever injunction under BIPA.  Given the potential impact this case could have on other app-developers and actors in the space, this litigation is a must-watch.

First, some background for the uninitiated.  Clearview collects publicly-available images on the Internet and organizes them into a searchable database, which Clearview’s licensed users can then search by using Clearview’s app.  As described in Clearview’s briefing, the only information that Clearview stores from the photos are: (1) the URL from which the photo was collected; (2) any metadata associated with the image itself; and (3) the facial vectors from the faces that appear in the image.

Accordingly, Clearview asserted to the court it cannot determine whether the individuals in the images it collects live in Illinois.  Instead, this can be ascertained at best only on an ad-hoc basis based on photo metadata.  For this reason, Clearview argued a BIPA injunction would be particularly harmful as the company would likely have to stop using its database outright (without being able to tailor any response on an Illinois-specific basis).

In response to the litigation, Clearview has already implemented changes to its business practices.  First, it purportedly cancelled the accounts of every customer who was not either associated with government agencies or their agents or subcontractors.  Second, Clearview also implemented an opt-out mechanism for Illinois residents to exclude their photos from Clearview’s search engine.  And third, Clearview’s terms of use now require users of the Clearview app to, among other things, agree to use the app only for law enforcement purposes and not to upload photos of Illinois residents.

However, according to Plaintiffs these measures are inadequate as Clearview “cannot be trusted” to maintain these changes.  Additionally, in the litigation Plaintiffs have also pointed to Clearview’s 2020 patent application that Plaintiffs contend “describes a much broader use of [Clearview’s] technology.”  For these reasons, and others, Plaintiffs requested that the court issue a preliminary injunction enjoining Clearview’s business practices.

In order for the court to rule in favor of Plaintiffs, it must find that: “(1) they have a reasonable likelihood of success on the merits; (2) no adequate remedy at law exists; (3) they will suffer irreparable harm, which, absent injunctive relief, outweighs the irreparable harm [Clearview] will suffer if the injunction is granted; and (4) the requested injunction will not harm the public interest.”

Clearview argued in its most recent briefing that Plaintiffs cannot satisfy this standard.  First, Clearview claimed exemption from BIPA.  This is because the statute does not apply “a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.”  740 ILCS 14/25(e).

And even if BIPA applied to Clearview (which Clearview argued it does not), Clearview also contended that the record evidence plainly supports Clearview’s other defenses.  This includes, among other reasons, that:

(1) BIPA does not apply to conduct outside of Illinois; and

(2) Clearview’s conduct is protected under the First Amendment.

Notably, Illinois state law recognizes a “rule of construction” that a “statute is without extraterritorial effect unless a clear intent in this respect appears from the express provisions of the statute.”  Because BIPA lacks such a provision, Clearview argued the statute should not apply here as the “majority of circumstances” giving rise to Plaintiffs’ claims occurred outside of Illinois.  Specifically, Clearview is headquartered in New York, Clearview’s servers are located outside of Illinois; and Clearview does not sell its services or app to anyone in Illinois.

Clearview also argued that its conduct is constitutionally protected, as the U.S. Supreme Court has held that the “creation and dissemination of information are speech within the meaning of the First Amendment.”

How the court will rule on these issues (and on Plaintiffs’ requested injunction) remains to be seen.  The litigation raises interesting questions concerning the impact of state privacy laws on emerging technologies, in addition to novel constitutional issues.  Not to worry, CPW will be there.  Stay tuned.

Frequent readers of CPW will recall our coverage of the Clearview MDL currently pending in the Northern District of Illinois.  Plaintiffs, seeking to represent a class of Illinois residents, have filed a class action lawsuit claiming that the defendant, Clearview AI, Inc. has collected the biometric information of Illinois residents and sold that information in a database without the residents’ consent.

During the MDL proceedings, Clearview has represented to the court that it voluntarily changed its business practices to avoid including data from Illinois residents in its database, and to avoid providing its services to non-governmental customers.  Plaintiffs, however, claim that these representations are either inaccurate or misleading, based primarily on Clearview’s recent patent application that would permit it to use its accumulated biometric information in connection with background searches on potential business or personal connections.  Based on this application, along with other evidence that plaintiffs claim shows Clearview’s representations are either inaccurate or dishonest, plaintiffs have a motion asking the court to preliminarily enjoin Clearview from possessing, using, or storing the biometric information of any Illinois resident for any purpose without first obtaining clear written consent under Illinois’ Biometric Information Privacy Act (“BIPA”), and to create certain protections and policies regarding the possession, storing, and use of that information.

This motion is interesting for a few reasons: first, the basis for the injunction isn’t the actions that led the plaintiffs to bring the suit in the first place; the basis is actions the defendant might possibly take in the future that have yet to impact Illinois residents.  Second, the motion effectively asks the court to weigh the credibility of Clearview’s representations regarding its efforts to cease harm to the plaintiffs.  And third, the motion doesn’t ask that the court enjoin the specific act that’s the basis for the request—it asks the court to enjoin global aspects of Clearview’s operations.

We’ll keep an eye on this motion, as the court’s decision could have far-reaching impact on defendants in privacy litigation who continue to pursue other ventures with privacy implications while the litigation is ongoing.

In its latest filing in Thornley v. Clearview AI, No. 20-3249, defendant Clearview AI petitioned the Seventh Circuit to stay the issuance of its mandate in the litigation because it plans to file a petition for writ of certiorari with the Supreme Court.  The Seventh Circuit has not yet issued its mandate following its decision earlier this month to deny rehearing of its decision affirming that Plaintiffs’ putative class action brought under Illinois’ Biometric Information Privacy Act (“BIPA”) should be heard in state court, rather than federal court.

While Clearview has not yet filed its petition for certiorari, its filing with the Seventh Circuit gives a preview of the question it will ask the Supreme Court to clarify: whether, under Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), an allegation of a statutory violation necessarily gives rise to a concrete and particularized injury-in-fact that is necessary for Article III standing.  A plaintiff must have Article III standing to sue in federal court, which requires that the plaintiff prove: (1) an injury in fact; (2) causation of the injury by the defendant; and (3) that the injury is likely to be redressed by the requested relief.  In Spokeo, the Supreme Court found that a statutory violation can be sufficient to constitute an injury in fact, but did not provide analysis of which types of statutory violations necessarily implicate concrete and particularized injuries in fact.

Throughout the procedural history of Thornley, Clearview has consistently alleged that the BIPA violations alleged in Plaintiffs’ complaint are sufficient for Article III standing, because violations of BIPA constitute a concrete and particularized harm given the privacy concerns implicated in the statute.  Plaintiffs had alleged a statutory violation of BIPA, section 15(c), which prevents a private entity from selling or profiting from an individual’s biometric data, on the basis of Clearview selling access to its digital database containing Plaintiffs’ biometric identifiers or information.  Plaintiffs have argued that the action should play out in state court because the complaint intentionally only alleges a procedural violation of BIPA, which is not itself a sufficient injury in fact to confer Article III standing upon Plaintiffs.  The district court previously found, and the Seventh Circuit affirmed, that it was permissible for Plaintiffs to take advantage of the fact that Illinois permits suits under BIPA that only allege procedural violations of the statute, and that Plaintiffs had not alleged a concrete and particularized harm in alleging the specific violations of BIPA they raised.

Clearview’s petition would give the Supreme Court the opportunity to clarify the types of statutory violations that necessarily give rise to Article III standing under Spokeo, and any decision would have a significant impact on the wave of BIPA legislation that has been brought since BIPA became law in 2008.  While the jury is out on whether the Supreme Court will grant certiorari, it already did so earlier this year for a key question of Article III standing under the FCRA.  We’ll have the coverage of how this litigation processes for you here on CPW – stay tuned.

As CPW readers may recall, in December 2020, two notable data privacy multidistrict litigations (“MDLs”) were created:  In re: Clearview AI, Inc., Consumer Privacy Litigation (“Clearview”) and In re Blackbaud, Inc. (“Blackbaud”). Since then, each case has experienced a few developments.  Read our summary of developments below, and be sure to subscribe to CPW to follow our ongoing coverage of these two significant data privacy MDLs.

First, a look at who the defendants are and how we arrived at this point.

Clearview is a facial recognition startup.  Its story began in January 2020, when the New York Times reported on Clearview’s alleged data gathering and use practices.  In a nutshell, reporters alleged that Clearview used facial recognition software to scan images that had been scrapped from the internet for purposes of creating a biometric database of scanned images that could allow persons to be identified.  The reaction was swift:  as CPW previously reported, the first lawsuit against Clearview was filed within three days of the Times’s reporting.  Eventually, 10 cases were consolidated before Judge Sharon Johnson Coleman of the U.S. District Court for the Northern District of Illinois.

Blackbaud is a cloud computing provider, and its story began with a tale more commonly seen elsewhere.  The relevant lawsuits began after an alleged ransomware attack and data security breach of its systems from February 2020 to May 2020 purportedly compromised the personal information of millions of consumers doing business with entities served by Blackbaud’s cloud software and services.  Eventually, 23 cases were consolidated before Judge J. Michelle Childs of the U.S. District Court for the District of South Carolina.

Next, a look at what has happened in each MDL, as well as a preview of upcoming events.

Since consolidation, Clearview has experienced several developments.  As active matters, the court is currently accepting briefing for lead plaintiffs’ counsel and the case was referred to Judge Maria Valdez for discovery supervision.  Previously, the first status hearing was held on February 9, 2021, and recent court filings indicate that an unsuccessful mediation session was held on February 2, 2021.  Two upcoming events include the conclusion of briefing for plaintiffs’ counsel by March 2, 2021 and the next status hearing scheduled for March 12, 2021.

Blackbaud’s docket appears to be progressing quicker than Clearview.  Like Clearview, the Blackbaud court already held one status conference (on January 29, 2021), and a new status conference is scheduled for March 19, 2021.  Unlike Clearview, however, the Blackbaud court has already selected lead plaintiffs’ counsel and, according to a February 3, 2021 order, fact sheets and proposed discovery materials are due this month.  Upcoming, the plaintiffs are expected to file a consolidated complaint no later than the beginning of April and the parties should be submitting a scheduling order for substantive dismissal motions practice as soon as possible.

The Northern District of Illinois recently declined to stay an action for declaratory relief relating to an insurance coverage dispute arising out of the ongoing Clearview litigation.  This was because, the court held, determination of whether an insurance policy applied did not require resolution of facts related to the policy holder’s alleged violations of Illinois’ Biometric Information Privacy Act (“BIPA”).  Citizens Ins. Co. of Am. v. Wynndalco Enters., LLC, No. 20 C 3873, 2021 U.S. Dist. LEXIS 15300 (N.D. Ill. Jan. 27, 2021).  The case is a reminder that with the growth in data privacy litigations, there will inevitably be coverage disputes regarding what entity (if any) should cover a defendant’s expenses defending such suits.  Read on below.

In Citizens Ins. Co. of Am. v. Wynndalco Enters., LLC, No. 20 C 3873, 2021 U.S. Dist. LEXIS 15300 (N.D. Ill. Jan. 27, 2021), the plaintiff (an insurance company) sought declaratory relief that it has no duty to defend or indemnify defendant Wynndalco in two BIPA class action litigations.  In the BIPA litigations, it was alleged that Wynndalco “operated as Clearview’s Illinois-based agent by purchasing Clearview’s technology and then reselling or licensing it to law enforcement agencies, whether directly or through another intermediary”.  Id. at *9.  Accordingly, Wynndalco purportedly “violated the BIPA by capturing, collecting, receiving, storing, disclosing, and/or using biometric identifiers and biometric information, without complying with the statutory requirements, in the course of its agency relationship with Clearview.”  Id.

Citizens subsequently filed a declaratory judgment action, seeking a ruling that that it had no duty to defend or indemnify Wynndalco and the CEO and founder of Wynndalco in the litigations involving Clearview.  Wynndalco, in turn, moved to stay the matter pending resolution of the underlying cases.

Wynndalco’s motion to stay was premised on the principle that “it is generally inappropriate for a court considering a declaratory judgment action to decide issues of ultimate fact that could bind the parties to the underlying litigation.”  Id. at *6.  For purposes of resolving the insurer dispute, Wynndalco argued the court would have to determine two questions of ultimate fact on which the underlying actions hinged: (1) “whether Wynndalco was a government contractor, and therefore exempted under BIPA:; and (2) “whether Wynndalco ‘possessed’ biometric information.”  Id.

The court disagreed.  This was because, it explained, to determine whether Citizens had a duty to defend “the Court need only ask whether the allegations of the [BIPA] complaints, ‘if proven, . . . would establish an injury’ covered by the Policy”.  Id. at *9 (emphasis in original).  Accordingly, it was not necessary to stay the litigation pending resolution of the BIPA class actions.  The court additionally noted that Wynndalco and the Wynndalco executives had conceded as much in their briefs “where they cite multiple precedents for the proposition that the insurer’s ‘duty to defend exists as long as the allegations of the underlying complaint are potentially within the scope of coverage.’”  Id. (emphasis in original).

So there you have it.  This case is a cautionary reminder to defendants in data privacy litigation that insurance coverage for legal fees is not guaranteed merely by the existence of a policy (and there may be challenges to a policy’s scope before the merits of the underlying data privacy litigation are resolved).  For the most update to date news concerning the various issues implicated by the Clearview litigation stay tuned.  CPW will be there to keep you in the loop and informed of other developments regarding data privacy litigation more broadly.

 

Several weeks ago, ConsumerPrivacyWorld reported that the Seventh Circuit had affirmed a district court decision to remand a putative class action brought under Illinois’ Biometric Information Privacy Act (“BIPA”) to Illinois state court.  In Thornley v. Clearview AI, No. 20-3249, 2021 U.S. App. LEXIS 1006 (7th Cir. Jan. 14, 2021), the Seventh Circuit found that the complaint alleged only a statutory violation, and did not allege any particularized injury – which was intentional and a permissible strategic choice, as Plaintiffs preferred to litigate in state court – and the case was remanded for lack of Article III standing to sue in federal court.  Last week, the defendant, Clearview AI, filed a petition for rehearing, claiming that the complaint sufficiently alleges an injury in fact and that the Seventh Circuit’s holding conflicts with existing precedent on BIPA and on Spokeo.

Clearview first claimed that the complaint alleges a concrete and particularized injury in fact, giving Plaintiffs Article III standing.  [As a quick reminder, to establish Article III standing, which is necessary to sue in federal court, plaintiffs must generally show: (1) a concrete injury in fact; (2) that the injury was caused by the defendant; and (3) that the injury would likely be redressed by the requested relief.]  Plaintiffs had alleged a statutory violation of BIPA, section 15(c), which prevents a private entity from selling or profiting from an individual’s biometric data, on the basis of Clearview selling access to its digital database containing Plaintiffs’ biometric identifiers or information. Clearview argued that this allegation is concrete and particularized because the harm posed by having one’s personal information sold is experienced in a unique way, as each person has a private and possessory information in their own biometric data.

The petition also claims that the Seventh Circuit’s holding is inconsistent with existing precedent on BIPA and on Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), the Supreme Court case that found that Article III standing requires allegations of an injury in fact even where only a statutory violation has been alleged.  Clearview claimed that, contrary to the Seventh Circuit’s finding, an alleged violation of BIPA section 15(c) is a type of statutory violation that necessarily gives rise to an injury in fact, given the risk of harm to the concrete privacy interest an individual has in their own biometric information.  It pointed to other Seventh Circuit decisions that had interpreted different provisions of BIPA and found that the nature of the statutory violations alleged also alleged a concrete and particularized harm.  With respect to Spokeo, Clearview pointed out the wide variety of case law interpreting the injury in fact requirement differently, as highlighted in Judge Hamilton’s concurrence in Thornley.  It asked for rehearing or en banc review to clarify the law on what constitutes an injury in fact when a statutory violation is alleged.

We’ll keep an eye on how this one develops for you.

Yesterday, the Seventh Circuit weighed in on the critical issue of whether a plaintiff bringing a data privacy action – this time, under Illinois’ Biometric Information Privacy Act (“BIPA”) – has Article III standing to sue in federal court.  In a twist that civil procedure buffs will love, Plaintiffs claimed that they did not have standing (because they preferred to litigate in state court), while defendant claimed the Plaintiffs had valid standing.  Ultimately, Plaintiffs won the day, and the Seventh Circuit affirmed the district court’s remand to Illinois state court.[1]

In Thornley v. Clearview AI, No. 20-3249, 2021 U.S. App. LEXIS 1006 (7th Cir. Jan. 14, 2021), Plaintiffs initially filed suit in Illinois state court against Clearview, alleging violations of BIPA §§ 14/15(a), (b), and (c).  Clearview removed the case to federal court, and Plaintiffs voluntarily dismissed, only to bring another claim against Clearview in Illinois state court.  This time, Plaintiffs alleged only a violation of BIPA § 15(c), with a narrower proposed class definition.  When Clearview promptly removed to federal court again, Plaintiffs filed a motion to remand, alleging (under Spokeo) that the BIPA violation alleged in the complaint was a “bare procedural violation, divorced from any concrete harm” that did not support Article III standing.  In general, a plaintiff must show that three things are true to establish Article III standing, which is necessary for suit in a federal court: (1) that he or she suffered an injury in fact that is concrete, particularized, and actual or imminent, (2) that the injury was caused by the defendant, and (3) that the injury would likely be redressed by the requested judicial relief.  The Thornley court focused only on the first factor (the “injury in fact requirement”).

The Thornley court first turned to relevant Seventh Circuit precedent in which it had already examined the issue of Article III standing under BIPA, pointing back to its decisions in Miller v. Southwest Airlines Co., 926 F.3d 898 (7th Cir. 2019); Bryant v. Compass Group USA, Inc., 958 F.3d 617 (7th Cir. 2020); and Fox v. Dakkota Integrated Systems, LLC, 980 F.3d 1146 (7th Cir. 2020).  It did so to underscore two points: first, that “allegations matter,” specifically the particular allegations that each plaintiff brings, even in cases that are factually similar or brought under the same statutory provision; and second, that Article III must be satisfied regardless of the type of violation that is alleged (procedural or substantive).

The Thornley complaint alleged a violation of BIPA § 15(c), which specifies that companies may not profit from individuals’ biometric information, and conceded that no class member suffered any injury aside from that statutory violation (the inclusion of their biometric information in Clearview’s database).  In evaluating the removal to federal court, the district court found that these particular allegations did not show concrete or particularized harm.  The Seventh Circuit agreed, noting that its decision would be different if the allegations had been different – for example, if the named plaintiff had alleged that, by selling her data, defendant had amplified an invasion of privacy, or deprived her of her own opportunity to profit from her data, that could have potentially satisfied Article III standing.  As the complaint was written, though, it did not allege any particularized injury.

The Thornley court also considered whether the fact that Plaintiffs had brought a class action – in which class members might potentially have suffered more particularized harm – would defeat the remand to state court.  It distinguished Thornley from Standard Fire Insurance Co. v. Knowles, 568 U.S. 588 (2013), a case in which a plaintiff sought remand to state court with a stipulation that he and the class would not seek more than $5,000,000 in damages; the Supreme Court found that such a stipulation could not be binding on class members.  Thornley differed because the issue turned on Plaintiffs’ class definition, and because “the plaintiff controls her own case,” Plaintiffs had the right to file a complaint with a narrower class definition than they could have otherwise sought.  The Seventh Circuit noted that other putative plaintiffs were free to bring their own class actions against Clearview with broader class definitions.

Ultimately, the Seventh Circuit acknowledged that it was “no secret” that Plaintiffs had taken care with their allegations and proposed class definition to “steer clear of federal court,” but noted that, “in general, plaintiffs may do this.”  Plaintiffs were permitted to “take advantage” of the fact that BIPA permits suit for solely statutory violations.

In a concurrence, Judge David Hamilton opined on the different outcomes of Seventh Circuit decisions on standing for private plaintiffs bringing suit under consumer protection statutes, observing, “I confess that I have not yet been able to extract from these different lines of cases a consistently predictable rule or standard.”  Judge Hamilton noted that Spokeo may have “raised more questions than it answered” in its finding that standing requires concrete injury, but that intangible injuries may sometimes be considered concrete.  As a result, he observed that some Seventh Circuit decisions may have “take[n] Spokeo too far” in denying standing for private plaintiffs alleging substantive violations of consumer protections statutes.

Thornley is the latest in a slate of federal court decisions on Article III standing in the context of data breach litigation, but is a win for class action plaintiffs looking to litigate BIPA claims in Illinois state courts.  Defendants seeking removal to federal court in data privacy actions should take special notice of the specific allegations they are contesting.  As Thornley demonstrates, those allegations can make or break your removal case.

[1] As many CPW readers know, BIPA regulates the storage and sale of biometric data, and offers consumers protections of that data, including the right to sue a business that fails to comply with BIPA’s requirements.  CPW readers will also be familiar with Clearview AI, a manufacturer of software that “scrapes” pictures from social media sites and sells access to a database of these pictures to clients, many of whom are law enforcement agencies.

This week the Judicial Panel on Multidistrict Litigation (“JPML”) ordered the creation of two massive data privacy multidistrict litigations (“MDLs”), in a move that will have significant impact on the data privacy litigation landscape in 2021.  The litigations, concerning claims brought against Clearview AI and Blackbaud Inc., are now headed to federal courts in Illinois and South Carolina for consolidated proceedings.  In re Blackbaud, Inc., 2020 U.S. Dist. LEXIS 236057 (JPML Dec. 15, 2020); In re Clearview AI Inc., 2020 U.S. Dist. LEXIS 236053 (JPML Dec. 15, 2020).

MDLs are a way of handling multiple civil actions at once, and can be formed when separate actions in different federal district courts share a common question of fact.  28 U.S.C. Section 1407(a).  On a motion filed by either party, those separate actions can be flagged to the JPML.  The JPML then decides whether the litigations should be consolidated and transferred into one federal court for consolidated pretrial proceedings.  [Note: Don’t assume that just because a party requests formation of a MDL it will happen.  The JPML denies the majority of such motions, although data breach MDLs are becoming increasingly common].  MDLs are generally formed to address complex legal matters.  They differ from class actions because while a class action is one lawsuit brought on behalf of a group of plaintiffs; the cases that are part of a MDL remain separate lawsuits that are handled together for efficiency.

CPW readers are already well familiar with the Clearview litigations.  In regards to the various claims that had been brought against Clearview, the JPML found that “[t]hese actions share factual questions arising from allegations that the Clearview defendants improperly collected, captured, obtained, distributed, and profited off of citizens’ biometric data.”  As such, the JPML held that “centralization will eliminate duplicative discovery; prevent inconsistent pretrial rulings, including with respect to class certification; and conserve the resources of the parties, their counsel, and the judiciary.”  Consistent with the JPML’s order, these cases will now proceed in Illinois federal court for consolidated proceedings.

And in regards to Blackbaud, there was an alleged ransomware attack and data security breach of Blackbaud’s systems from about February 2020 through May 2020 that purportedly compromised the personal information of millions of consumers doing business with entities served by Blackbaud’s cloud software and services.  Plaintiffs, whose information was allegedly disclosed in the breach, filed putative class action litigation against Blackbaud.  While their allegations varied, the JPML found all litigations raised certain common factual questions regarding (1) Blackbaud’s data security practices and whether the practices met industry standards; (2) how the unauthorized access occurred; (3) the extent of personal information affected by the breach; (4) when Blackbaud knew or should have known of the breach; (5) the investigation into the breach; and (5) the alleged delay in disclosure of the breach to Blackbaud clients and affected consumers.  As such, the JPML ruled (as with the Clearview cases) that “centralization of the litigations in South Carolina would eliminate duplicative discovery; prevent inconsistent pretrial rulings, including with respect to class certification; and conserve the resources of the parties, their counsel, and the judiciary.”

These MDLs are poised to shape data privacy litigation to come – particularly with respect to Clearview, which is one of the first MDLs formed to address the handling of biometric data.  We’ll keep our eyes on Illinois and South Carolina for you to let you know how things turn out.  Stay tuned!

As most of you already know, the Illinois Biometric Information Privacy Act (“BIPA”) regulates the storage and sale of biometric data.  Following a New York Times expose earlier in the year, ten lawsuits were filed against Clearview AI which alleged, among other things, that Clearview’s practices violated BIPA.  Why?  Well, according to complaints filed in these cases, Clearview extracted faceprints from three billion photographs of people’s faces from social media platforms and other websites and created a database.  That database was then provided to Clearview’s clients, which purportedly includes national law enforcement agencies and government bodies.  Unsurprising, public and media scrutiny of Clearview’s practices followed.

This development has rocked the tech world, which responded in a variety of fashions.  Several of the tech giants sent cease and desist letters to Clearview after they learned Clearview’s database was compiled by scraping images from their platforms.  Other name brand companies, which previously had been engaged in developing facial recognition technologies, announced they were stopping such activities altogether.

What was Clearview’s response?  In contrast with these other approaches, it claimed that the company had a First Amendment right to access public information (including images from online platforms).  This assertion was followed in October with a motion to dismiss a complaint filed against it by the American Civil Liberties Union (“ACLU”), where Clearview asserted that the ACLU’s claims were barred under the First Amendment and the Illinois constitution.  Clearview claimed that its use of publically-available images was permissible because its collection and organization of images was essentially the creation and dissemination of information, which is protected by the First Amendment.

Clearview also argued that the activities of search engines like its own have historically been entitled to First Amendment protections.  Because the information that it used was publically available online, Clearview argued that the individuals featured in those photos had no reasonable expectation of privacy.  Clearview further claimed that BIPA violated the First Amendment as a content-based restriction on speech that cannot survive strict scrutiny.  Pointing to BIPA’s definition of “biometric identifiers,” Clearview argued that the way that BIPA targets the information included in that definition limits Clearview’s effectiveness and ability to use public information, and therefore burdens its speech.  Clearview also moved to dismiss the ACLU’s complaint for lack of jurisdiction, among other grounds.

Well, as this issue is sorted out by an Illinois court (where the litigation is pending), last week an amicus brief was filed on behalf of the Electronic Frontier Foundation (“EFF”) that addresses Clearview’s First Amendment argument head on.  As summarized in EFF’s brief, the applicable First Amendment test is not strict scrutiny but “intermediate judicial review,” which requires “a close fit between a speech limit and a substantial government interest.”  This is because, according to EFF’s brief, the speech Clearview seeks to protect is commercial speech that does not concern a public issue.  Instead, the speech is solely in the interest of Clearview and its business audience, as its faceprinting is offered as a proprietary and confidential service for paying customers.  Although Clearview sells its service to law enforcement agencies, EFF argued that this does not make collecting personal data a matter of public concern.

EFF’s brief argued that the application of BIPA to Clearview satisfies intermediate scrutiny as “Illinois has substantial interests in protecting privacy, and the free speech and information security that depends on privacy, from the special hazards posed by faceprinting” and “BIPA’s requirement of opt-in consent to collect faceprints is narrowly drawn to these interests.”  EFF’s brief highlighted that BIPA’s opt-in consent measure does not burden more speech than is necessary, even though businesses have argued that opt-in consent is more burdensome than opt-out consent, because opt-out is only marginally less intrusive than opt-in.  EFF’s brief further argued that opt-out could be ineffective for consumers who may not know that a business collected their faceprint.

What does this all mean?  Well for now, it is unclear as the court at least in this specific Clearview suit has yet to rule on the issue.  Given the proliferation of the collection and use of biometric information – including but not limited to employers in the wage and hour industries using biometric information for timekeeping purposes – this case and others are of particular interest.  Stay tuned as CPW will continue to cover these developments as they occur.

BIPA is a frequently litigated data privacy statute, and as readers of CPW know, we’ve been covering BIPA litigations for some time (for some of our prior coverage, check out here, here and here).  Often these claims are brought in the context of a preexisting employee-employer relationship, where employees allege that their employer improperly collected their data in violation of BIPA for timekeeping purposes.  A recent BIPA lawsuit against McDonalds filed on behalf of customers alleging that the fast food chain utilized drive-thru voice assistants in Illinois which captured and stored customers’ biometric voiceprint identifiers without their written consent breaks with this trend.  Carpenter v. McDonald’s Corporation, Case No. 1:21-cv-02906 (N.D. Ill.).  Read on to learn more.

First, a quick recap. The Illinois Biometric Information Privacy Act (“BIPA”) was enacted in 2008 and has standards regarding  the retaining and handling of the biometric data of Illinois residents.  At its core, BIPA protects the “biometric information” of Illinois residents, which is any information based on “biometric identifiers” that identifies a specific personregardless of how it is captured, converted, stored, or shared.  740 ILCS 14/10.  Biometric identifiers are, “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”  Id. (collectively, with “biometric information,” “biometric data”).

The Carpenter complaint, which was initially filed in Illinois state court, alleges that “[i]n an effort to reduce costs and staff, beginning sometime in 2020 McDonald’s implemented an artificial intelligence (AI) voice assistant in the drive through of various McDonald’s restaurants across the nation, including in Illinois.”  Compl. ¶ 6.  The crux of Plaintiff’s claim is that “McDonald’s AI voice assistant’s voice recognition technology collects customers’ voiceprint biometrics in order to be able to correctly interpret customer orders and to identify repeat customers to provide a tailored experience.”  However, “McDonald’s has failed to comply with BIPA’s regulations and does not notify its customers that when they interact with McDonald’s AI voice assistant their voiceprint biometric information is used and collected, nor does McDonald’s obtain their consent to do so.”  Compl. ¶¶ 8-9.

Plaintiffs proposed class includes “[a]ll individuals whose voiceprint biometric identifiers or biometric information were collected, captured, stored, transmitted, disseminated, or otherwise used by or on behalf of Defendant within the state of Illinois any time within the applicable limitations period and for whom Defendant did not have any written record of consent to do so.”

While disputing Plaintiff’s allegations, McDonald’s had the case removed to federal court last week under the federal Class Action Fairness Act (“CAFA”).  There, the court will address whether Plaintiff’s Complaint should make it past the pleading stage and enter discovery, assuming McDonald’s moves to dismiss.  Ultimate questions of liability will depend largely on McDonald’s business practices, and whether it was simply collecting voiceprints to understand customers’ orders or alternatively if it was “connecting the dots” to ascertain customers’ exact identities.

For instance, the Complaint alleges that, “McDonald’s AI voice assistant goes beyond real-time voiceprint analysis and recognition and also incorporates ‘machine-learning routines’, that utilize voiceprint recognition in combination with license plate scanning technology to identify unique customers regardless of which location they visit and present them certain menu items based on their past visits.”  Of course, whether that allegation is well-founded based upon McDonald’s actual practices remains to be seen.

For more on this litigation, stay tuned.  As more states continue to enact biometric laws with a private right of action, more entities will find themselves named in similar litigation.  CPW will be there to keep you in the loop.  Stay tuned.