California Federal Court To Decide Whether The Absence Of A Public Facing Retention Policy Constitutes A Single Violation Of BIPA Or Whether Multiple Violations Are Possible. – Class Actions

Unique among state laws, the Illinois Biometric Information
Privacy Act (“BIPA”) creates a private right of action
for “any person aggrieved” by a violation of the statute
and provides for statutory damages of $1,000 for a negligent
violation to $5,000 for an intentional or reckless violation, in
addition to reasonable attorneys’ fees and costs. Liquidated
damages can also be awarded under the statute. The potential to
aggregate these penalties on a class-wide basis and the
availability of attorneys’ fees has made BIPA an attractive
statute for the plaintiffs’ class action bar. Because of this
recovery scheme, BIPA has made Illinois a national
litigation magnet.  

However, BIPA cases are not just limited to
Illinois.  Instead, Plaintiffs have filed several BIPA
related consumer class action cases in the Northern District of
California, and have targeted tech companies, including Facebook in
particular, and its photo tagging technology, which Facebook has
since discontinued using.  One of those
cases, In re Facebook Biometric Info. Priv. Litig..,
185 F. Supp. 3d 1155 (N.D. Cal. 2016), affirmed by Patel
v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019), addressed
directly whether BIPA covers the method Facebook used in its photo
“Tag Suggestions” program.  Judge Donato ruled
it did and certified the class.  Facebook appealed and
the Ninth Circuit affirmed Judge Donato’s
ruling.  Facebook later settled that case for $650
million, after the U.S. Supreme Court declined to grant
certiorari.

Now another consumer class action case, Zellmer v.
Facebook Inc., case number 3:18-cv-01880, is again before
Judge Donato.  However, unlike the previous
case, Zellmer consists of a class of
non-Facebook users who had their photos uploaded to Facebook by
other Facebook users.  In an April 2022 ruling, Judge Donato found that
it would be “patently unreasonable” to hold Facebook
liable for claims that it failed to inform nonusers in Illinois who
were strangers to Facebook, about its collection and storage of
their facial scans, and ruled against Plaintiffs on their Section
15(b) claim requiring notice and consent.  However, the
court allowed the claims under Section 15(a) to proceed, finding
that factual issues abounded as to whether Facebook had a
“written policy, made available to the public” that
established data retention policies and related practices for
biometric identifiers or information as required by 740 Ill. Comp.
Stat. 14/15(a).

What is BIPA?

BIPA passed by the Illinois state legislature in 2008,
protects biometric identifiers
and biometric information of human
beings. Biometric identifiers are defined as a
“retina or iris scan, fingerprint, voiceprint, or scan of hand
or face geometry,” and “do not include writing samples,
written signatures, [or] photographs.”
 Biometric information is considered “any
information, regardless of how it is captured, converted, stored,
or shared, based on an
individual’s biometric identifier,” but
“does not include information derived from items or procedures
excluded under the definition
of biometric identifiers.”  

Under BIPA, an organization may not “collect, capture,
purchase, receive through trade, or otherwise obtain”
biometric identifiers or information (collectively, biometric data)
unless it first: 

• Provides written notice stating:
  

  • that biometric data is being collected or stored;
    and 

  
  

  • the specific purpose and length of term for which biometric
    data is being collected, stored, and used.




• Receives a written consent that is executed by either the
  individual whose biometric data is to be collected or the
  individual’s legally authorized representative. (740 Ill. Comp.
  Stat. 14/15(b).)

The organization must store, transmit, and protect from
disclosure any collected biometric data using the reasonable
standard of care within the applicable industry, and in a manner
that is at least as protective as the means used to protect other
confidential and sensitive information (740 Ill. Comp. Stat.
14/15(e)). Additionally, any organization that possesses biometric
data must:

• Not disclose that data unless: 
  

  • the organization obtains appropriate consent;

  
  

  • the disclosure completes a financial transaction requested or
    authorized by the individual; or

  
  

  • the disclosure is required by law or pursuant to a valid
    warrant or subpoena. (740 Ill. Comp. Stat.
    14/15(d).) 




• Not sell, lease, trade, or otherwise profit from the collected
  biometric data (740 Ill. Comp. Stat. 14/15(c)).




• Develop and make publicly available a written retention policy
  that provides for the permanent destruction of biometric data on
  the earlier of:
  

  • the date when “the initial purpose for collecting or
    obtaining such identifiers or information has been satisfied”;
    or 

  
  

  • within three years of the individual’s last interaction
    with the organization. (740 Ill. Comp. Stat. 14/15(a).)

Does the Absence of a Public Retention Policy Constitute a
Single Violation of the Statute or Can There Be More?

Recently Judge Donato asked the parties to analyze and submit
5-page briefs on whether the absence of a public retention policy
as required by Illinois law is a single violation of Section 15(a)
that can be remedied by a single liquidated damages award or
whether there can be multiple violations.  740 Ill. Comp.
Stat. 14/15(a).

For its part Facebook argues that “BIPA’s text
establishes that the failure to publicly post a retention policy
constitutes a single violation of BIPA and that
the only authorized remedy for such a violation is
a single award of actual or liquidated
damages.”  Facebook reasons that an entity cannot
fail to publish something more than once.  Facebook also
argues that Section 20 of BIPA “limits recovery to those
“aggrieved” by a violation” of the statute and
that “BIPA does not extend a legal right to every member of
the public in all situations.”  Noting that
Illinois courts require that “aggrieved” persons have a
“direct, immediate and substantial interest rather than a
speculative, theoretical, inconsequential or remote
interest,” Facebook argues that no such showing can be made
on these facts.  Facebook asserts that Plaintiffs as non-users
could not possibly have benefited from Facebook’s decision to
post a retention policy and thus do not have the direct, immediate
and substantial interest needed to meet the “aggrieved”
requirement under BIPA.

Mr. Zellmer argues the opposite and focuses on the number of
times Facebook scanned Plaintiff’s face to argue that the
policy was violated multiple times.  According to his
brief:

“Here, each time Facebook scanned Plaintiff’s
face, it used the scan to compare it to other faces stored in
Facebook’s facial recognition system.  Facebook
scanned Plaintiff’s face on at least four separate occasions,
each time without having a public policy containing the disclosures
mandated by Section 15(a). On each such date Facebook owed
Plaintiff a written policy. In addition, once the comparisons were
completed, the purpose for which Facebook collected
Plaintiff’s face scan ended. Facebook thus violated Section
15(a) by failing to timely delete Plaintiff’s biometric
data.”

Plaintiff also argues that the statute provides for the award of
liquidated damages in the absence of showing the existence of
actual damages.

“Under Section 20, Plaintiff is entitled to liquidated
damages of $5,000.00 for each of Facebook’s intentional and
reckless violations of Section 15(a) or, alternatively, liquidated
damages of $1,000.00 for each violation if the jury finds that
Facebook was negligent in its failure develop a public policy or
comply with Section 15(a)’s data destruction requirements.
Plaintiff is entitled to liquidated damages in the absence of any
showing of actual damages.” 

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Litigation, Mediation & Arbitration from United States