Illinois Supreme Court Adopts Expansive Interpretation of Standing under Illinois BIPA, Potentially Opening the Flood Gates for Class ActionsIn a much-anticipated ruling, the Illinois Supreme Court recently held that allegations of actual injury are not required to seek damages under Illinois’ Biometric Information Privacy Act (BIPA or the Act). The case is Rosenbach v. Six Flags Entertainment Corporation, and after Rosenbach, “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.” This ruling will likely continue the trend of an increasing number of class actions against companies that have failed to strictly comply with BIPA’s requirements.

Passed in 2008, the Illinois BIPA was the first statute of its kind. Under the Act, private entities collecting biometric information, such as retina or iris scans, finger or palm prints, voiceprints, and facial geometry scans, are required to comply with certain written notice, consent, and disclosure requirements. The Act provides a private right of action, allowing “[a]ny person aggrieved by a violation of th[e] Act” to bring suit to recover liquidated or actual damages, attorneys’ fees, litigation expenses and other relief, including injunctive relief.  Although relatively few class actions were filed under BIPA in its early years, the pace has picked up of late. At the risk of an understatement, we expect that trend to continue in the wake of Rosenbach.

In Rosenbach, the plaintiff brought a class action against Six Flags under BIPA on behalf of her 14-year-old son, after Six Flags scanned and collected her son’s fingerprint as part of his application for a season pass to the Chicago-land amusement park. Rosenbach alleged that Six Flags violated BIPA by failing to provide written notice of the purpose of the scan or how long the information would be stored and by failing to obtain written consent from either her or her son. Rosenbach also alleged that “she never would have purchased a season pass for her son” if she had known that his fingerprint would be electronically scanned.

Six Flags argued that Rosenbach could not be considered an “aggrieved” person because she failed to allege an actual injury. Illinois’ intermediate appellate court agreed. It likened the determination of whether or not a person is “aggrieved” under the Act to the determination of injury-in-fact and concluded that to be “aggrieved” a plaintiff must allege actual harm. The court downplayed Rosenbach’s allegations that she never would have bought a season pass for her son had she known about the electronic fingerprint requirement.

The Illinois Supreme Court reversed and adopted a truly expansive view of what it means to be “aggrieved”: a person subjected to any BIPA violation, no matter how slight, is aggrieved under the Act.  Because the Act protects a person’s fundamental right to control his or her biometric information, the court concluded that even technical or procedural violations of the Act “constitute[] an invasion, impairment, or denial” of that fundamental right. Thus, any violation, by itself, creates a “real and significant” injury, regardless of whether or not that violation results in any additional harm to the plaintiff.

We pause here to note that the court did not address Illinois’ constitutional standing, only statutory standing under Illinois’ statute. Illinois courts have historically interpreted Illinois’ constitutional standing requirements consistently with the federal standards. It is hard not to see Rosenbach as a departure from Illinois’ historical constitutional standing jurisprudence. In concluding that any alleged violation of BIPA is sufficient to permit a plaintiff to seek damages under the Act, the Illinois Supreme Court seemingly pivoted away from its own (and the U.S. Supreme Court’s) jurisprudence, which condition standing on proof of a real, concrete injury-in-fact. We caution, however, against over reading Rosenbach in this regard: Six Flags does not appear to have raised the issue of constitutional standing.

Perhaps because constitutional standing was not teed up, the court also failed to engage several federal cases that have dismissed BIPA claims for lack of Article III standing where the plaintiffs failed to allege an injury-in-fact. For example, in Santana v. Take-Two Interactive Software, the Second Circuit applied Spokeo and concluded that mere technical violations of BIPA, such as the failure to strictly comply with the Act’s notice, consent, and disclosure requirements, that do not result in any actual harm are insufficient to confer standing under Article III. Rosenbach’s analysis of what it means to be “aggrieved” under the Act potentially is inconsistent with Santana’s analysis of injury-in-fact.

On the near horizon, expect a flood of new class actions to be filed under BIPA on behalf of consumers, employees, and anyone else whose biometric data was taken without consent or without the statutorily mandated disclosures. Under Rosenbach’s expansive interpretation of what makes someone “aggrieved” under the Act, those actions will almost certainly have statutory standing. But defendants should not necessarily assume that Rosenbach also means that any alleged violation of BIPA is sufficient to confer constitutional standing under the Illinois Constitution, let alone the U.S. Constitution. That issue will have to work its way through the courts.

Turning to practical matters, potential defendants should get ready. Part of getting ready is planning for litigation defense. We expect many defendants will continue to raise constitutional standing arguments in BIPA class actions that are predicated on technical, procedural violations of the statute that resulted in no harm or prejudice, whether proceeding in state or in federal court. But, as these jurisdictional arguments continue to mature, companies need to be examining their use of biometric data and whether their biometric data practices and procedures fully comply with BIPA. Plaintiffs will likely view any biometric data retained or used by a company as an inviting litigation target, and the threat of liquated damages and attorneys’ fees for successful plaintiffs creates a powerful incentive to bring “touch foul” lawsuits.

Companies should also keep an eye on other states. With BIPA in the headlines, other states’ legislatures may decide to adopt similar laws. There is also the possibility of increased regulatory activity in states with existing biometric privacy laws that do not provide for a private right of action, such as Texas and Washington.

Lastly, companies will increasingly be forced to ask whether the business case for biometrics is worth the risk. Biometrics exist and have flourished because they are easy to use. If litigation drastically increases the risk of creating practical biometric systems, companies have to reevaluate the costs and benefits of implementing such a system in the first place.

Courts are still going both ways on applying Bristol-Myers Squibb to class actions. Two recent decisions highlight this split.

<i>Bristol-Myers Squibb</i> Continues to Be a Mixed Bag in the Class Action ContextThe first—and we’ll always start with the good news—comes out of the District of Massachusetts in Roy v. FedEx Ground Package System, Inc. There, the court held that Bristol-Myers Squibb applies to collective actions under the Fair Labor Standards Act (FLSA) and limited opt-in notices to drivers who worked in the forum state. In doing so, the court rejected the idea that FLSA actions are materially different from the mass tort action in Bristol-Myers Squibb. Although the court hedged a bit on whether Bristol-Myer would apply in every context, it quoted Chavez v. Church & Dwight Co. for the proposition that “[n]othing in Bristol-Myers suggests that its basic holding is inapplicable to class actions.”

Apart from its narrow (but important) application in the FLSA context, Roy aligns with the view that Bristol-Myers Squibb does not announce a limited rule, but rather defines what due process means in the context of personal jurisdiction. It joins these other 2018 decisions:

But not all courts are in agreement. In Jones v. Depuy Synthes Products, Inc., one judge in the Northern District of Alabama declined to apply Bristol-Myers Squibb to a class action at the motion-to-strike stage. While the court in Jones disagreed with many of the arguments class-action plaintiffs have used to avoid Bristol-Myers Squibb (such as the assertion that Bristol-Myers Squibb does not apply to federal courts sitting in diversity), it ultimately concluded that, at least at the early stage of the case, Rule 23 provided adequate procedural safeguards for defendants’ due process rights.

Jones joins with two other cases refusing to apply Bristol-Myers Squibb in the class context:

From these cases, we see a new trend emerging: Many lower courts are taking a “wait and see” approach in addressing the applicability of Bristol-Myers Squibb. That approach was followed in Jones and also in In re Samsung Galaxy Smartphone Marketing and Sales Practices Litigation, where the court dismissed one plaintiff’s claims but also observed, “given that the law is still evolving in this area, the Court is willing to consider any developments that take place during the pendency of the stay [the court was ordering].” Thus, while defendants can and should continue to make early attacks on overbroad, multi-state putative classes, they should also recognize that courts may be more willing to apply Bristol-Myers Squibb to narrow the class at the class certification stage, rather than on the pleadings at the outset. Until the courts of appeal or the U.S. Supreme Court settle this issue, defendants should definitely continue to assert and preserve personal jurisdiction arguments, even if district courts defer consideration of those arguments at the pleading stage.

In the meantime, the battle over applying Bristol-Myers Squibb will shift to the courts of appeal, where we are watching for the first decisions to be handed down. Molock v. Whole Foods Market, currently on interlocutory appeal in the D.C. Circuit, is a likely early candidate. We continue to monitor these developments closely.

Standing in Data Breach Cases Likely Heading Back to the Supreme CourtData breach plaintiffs often have a very difficult time stating a concrete injury, and courts have wrestled with whether these plaintiffs can file suit in federal court. We have been watching this issue and writing about it frequently. The issue is whether plaintiffs have suffered an “injury in fact” that gives them Article III standing. The Supreme Court’s 2016 decision in Spokeo v. Robins took a narrow view of Article III standing where the plaintiffs alleged that their federal statutory rights were violated, but did not allege that they suffered any factual injury beyond the statutory violation. Spokeo gave defendants strong arguments to dismiss data-breach cases for lack of standing, but results have been mixed—perhaps because Spokeo addressed federal claims and not state-law negligence claims that are most commonly asserted after data breaches. Spokeo has proven to be a mixed blessing.

Now the issue looks to be heading back to the Supreme Court in, Inc. v. Stevens. That case highlights how the various circuits have taken divergent views on standing in data breach cases. The Supreme Court has not granted certiorari yet, but court watchers have singled this case out as a likely grant. We are monitoring the case closely, as any ruling from the Supreme Court in the data-breach context would have far-reaching effects on this rapidly developing area of the law.

Stay tuned.