California Federal Court to Decide Whether the Absence of a Public Facing Retention Policy Constitute a Single Violation of BIPA or Whether Multiple Violations Are Possible

Unique among state laws, the Illinois Biometric Information Privacy Act (“BIPA”) creates a private right of action for "any person aggrieved" by a violation of the statute and provides for statutory damages of $1,000 for a negligent violation to $5,000 for an intentional or reckless violation, in addition to reasonable attorneys' fees and costs. Liquidated damages can also be awarded under the statute. The potential to aggregate these penalties on a class-wide basis and the availability of attorneys' fees has made BIPA an attractive statute for the plaintiffs' class action bar. Because of this recovery scheme, BIPA has made Illinois a national litigation magnet.  

However, BIPA cases are not just limited to Illinois.  Instead, Plaintiffs have filed several BIPA related consumer class action cases in the Northern District of California, and have targeted tech companies, including Facebook in particular, and its photo tagging technology, which Facebook has since discontinued using.  One of those cases, In re Facebook Biometric Info. Priv. Litig.., 185 F. Supp. 3d 1155 (N.D. Cal. 2016), affirmed by Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019), addressed directly whether BIPA covers the method Facebook used in its photo "Tag Suggestions" program.  Judge Donato ruled it did and certified the class.  Facebook appealed and the Ninth Circuit affirmed Judge Donato’s ruling.  Facebook later settled that case for $650 million, after the U.S. Supreme Court declined to grant certiorari. 

Now another consumer class action case, Zellmer v. Facebook Inc., case number 3:18-cv-01880, is again before Judge Donato.  However, unlike the previous case, Zellmer consists of a class of non-Facebook users who had their photos uploaded to Facebook by other Facebook users.  In an April 2022 ruling, Judge Donato found that it would be "patently unreasonable" to hold Facebook liable for claims that it failed to inform nonusers in Illinois who were strangers to Facebook, about its collection and storage of their facial scans, and ruled against Plaintiffs on their Section 15(b) claim requiring notice and consent.  However, the court allowed the claims under Section 15(a) to proceed, finding that factual issues abounded as to whether Facebook had a “written policy, made available to the public” that established data retention policies and related practices for biometric identifiers or information as required by 740 Ill. Comp. Stat. 14/15(a). 

What is BIPA? 

BIPA passed by the Illinois state legislature in 2008, protects biometric identifiers and biometric information of human beings. Biometric identifiers are defined as a "retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry," and "do not include writing samples, written signatures, [or] photographs."  Biometric information is considered "any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier," but "does not include information derived from items or procedures excluded under the definition of biometric identifiers."   

Under BIPA, an organization may not "collect, capture, purchase, receive through trade, or otherwise obtain" biometric identifiers or information (collectively, biometric data) unless it first:  

• Provides written notice stating: 

• that biometric data is being collected or stored; and  
• the specific purpose and length of term for which biometric data is being collected, stored, and used. 
• Receives a written consent that is executed by either the individual whose biometric data is to be collected or the individual's legally authorized representative. (740 Ill. Comp. Stat. 14/15(b).) 

The organization must store, transmit, and protect from disclosure any collected biometric data using the reasonable standard of care within the applicable industry, and in a manner that is at least as protective as the means used to protect other confidential and sensitive information (740 Ill. Comp. Stat. 14/15(e)). Additionally, any organization that possesses biometric data must: 

• Not disclose that data unless:  
• the organization obtains appropriate consent; 
• the disclosure completes a financial transaction requested or authorized by the individual; or 
• the disclosure is required by law or pursuant to a valid warrant or subpoena. (740 Ill. Comp. Stat. 14/15(d).)  

• Not sell, lease, trade, or otherwise profit from the collected biometric data (740 Ill. Comp. Stat. 14/15(c)). 
• Develop and make publicly available a written retention policy that provides for the permanent destruction of biometric data on the earlier of: 
• the date when "the initial purpose for collecting or obtaining such identifiers or information has been satisfied"; or  
• within three years of the individual's last interaction with the organization. (740 Ill. Comp. Stat. 14/15(a).) 

Does the Absence of a Public Retention Policy Constitute a Single Violation of the Statute or Can There Be More? 

Recently Judge Donato asked the parties to analyze and submit 5-page briefs on whether the absence of a public retention policy as required by Illinois law is a single violation of Section 15(a) that can be remedied by a single liquidated damages award or whether there can be multiple violations.  740 Ill. Comp. Stat. 14/15(a). 

For its part Facebook argues that “BIPA’s text establishes that the failure to publicly post a retention policy constitutes a single violation of BIPA and that the only authorized remedy for such a violation is a single award of actual or liquidated damages.”  Facebook reasons that an entity cannot fail to publish something more than once.  Facebook also argues that Section 20 of BIPA “limits recovery to those “aggrieved” by a violation” of the statute and that “BIPA does not extend a legal right to every member of the public in all situations.”  Noting that Illinois courts require that “aggrieved” persons have a “direct, immediate and substantial interest rather than a speculative, theoretical, inconsequential or remote interest,” Facebook argues that no such showing can be made on these facts.  They argue that Plaintiffs as non-users could not possibly have benefited from Facebook’s decision to post a retention policy and thus do not have the direct, immediate and substantial interest needed to meet the “aggrieved” requirement under BIPA. 

Mr. Zellmer argues the opposite and focuses on the number of times Facebook scanned Plaintiff’s face to argue that the policy was violated multiple times.  According to his brief: 

“Here, each time Facebook scanned Plaintiff’s face, it used the scan to compare it to other faces stored in Facebook’s facial recognition system.  Facebook scanned Plaintiff’s face on at least four separate occasions, each time without having a public policy containing the disclosures mandated by Section 15(a). On each such date Facebook owed Plaintiff a written policy. In addition, once the comparisons were completed, the purpose for which Facebook collected Plaintiff’s face scan ended. Facebook thus violated Section 15(a) by failing to timely delete Plaintiff’s biometric data.” 

Plaintiff also argues that the statute provides for the award of liquidated damages in the absence of showing the existence of actual damages. 

“Under Section 20, Plaintiff is entitled to liquidated damages of $5,000.00 for each of Facebook’s intentional and reckless violations of Section 15(a) or, alternatively, liquidated damages of $1,000.00 for each violation if the jury finds that Facebook was negligent in its failure develop a public policy or comply with Section 15(a)’s data destruction requirements. Plaintiff is entitled to liquidated damages in the absence of any showing of actual damages.”  

How can this analysis help your organization? 

At BD Emerson, we have helped companies of all sizes and complexity build privacy programs and implement reasonable security measures in order to comply with various regulations, including BIPA.  We have also worked with HIPAA, GDPR, CCPA, CDPA and other new and emerging data privacy and information security regulations.  Our company is uniquely situated - we have privacy, security, legal, technology, and compliance experts who can assist companies to implement programs holistically, including supporting the design and development of technical solutions that have the same capabilities and product features as using biometrics, but without running afoul of regulatory concerns.