Illinois Supreme Court Adopts Expansive Interpretation of Standing under Illinois BIPA, Potentially Opening the Flood Gates for Class ActionsIn a much-anticipated ruling, the Illinois Supreme Court recently held that allegations of actual injury are not required to seek damages under Illinois’ Biometric Information Privacy Act (BIPA or the Act). The case is Rosenbach v. Six Flags Entertainment Corporation, and after Rosenbach, “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.” This ruling will likely continue the trend of an increasing number of class actions against companies that have failed to strictly comply with BIPA’s requirements.

Passed in 2008, the Illinois BIPA was the first statute of its kind. Under the Act, private entities collecting biometric information, such as retina or iris scans, finger or palm prints, voiceprints, and facial geometry scans, are required to comply with certain written notice, consent, and disclosure requirements. The Act provides a private right of action, allowing “[a]ny person aggrieved by a violation of th[e] Act” to bring suit to recover liquidated or actual damages, attorneys’ fees, litigation expenses and other relief, including injunctive relief.  Although relatively few class actions were filed under BIPA in its early years, the pace has picked up of late. At the risk of an understatement, we expect that trend to continue in the wake of Rosenbach.

In Rosenbach, the plaintiff brought a class action against Six Flags under BIPA on behalf of her 14-year-old son, after Six Flags scanned and collected her son’s fingerprint as part of his application for a season pass to the Chicago-land amusement park. Rosenbach alleged that Six Flags violated BIPA by failing to provide written notice of the purpose of the scan or how long the information would be stored and by failing to obtain written consent from either her or her son. Rosenbach also alleged that “she never would have purchased a season pass for her son” if she had known that his fingerprint would be electronically scanned.

Six Flags argued that Rosenbach could not be considered an “aggrieved” person because she failed to allege an actual injury. Illinois’ intermediate appellate court agreed. It likened the determination of whether or not a person is “aggrieved” under the Act to the determination of injury-in-fact and concluded that to be “aggrieved” a plaintiff must allege actual harm. The court downplayed Rosenbach’s allegations that she never would have bought a season pass for her son had she known about the electronic fingerprint requirement.

The Illinois Supreme Court reversed and adopted a truly expansive view of what it means to be “aggrieved”: a person subjected to any BIPA violation, no matter how slight, is aggrieved under the Act.  Because the Act protects a person’s fundamental right to control his or her biometric information, the court concluded that even technical or procedural violations of the Act “constitute[] an invasion, impairment, or denial” of that fundamental right. Thus, any violation, by itself, creates a “real and significant” injury, regardless of whether or not that violation results in any additional harm to the plaintiff.

We pause here to note that the court did not address Illinois’ constitutional standing, only statutory standing under Illinois’ statute. Illinois courts have historically interpreted Illinois’ constitutional standing requirements consistently with the federal standards. It is hard not to see Rosenbach as a departure from Illinois’ historical constitutional standing jurisprudence. In concluding that any alleged violation of BIPA is sufficient to permit a plaintiff to seek damages under the Act, the Illinois Supreme Court seemingly pivoted away from its own (and the U.S. Supreme Court’s) jurisprudence, which condition standing on proof of a real, concrete injury-in-fact. We caution, however, against over reading Rosenbach in this regard: Six Flags does not appear to have raised the issue of constitutional standing.

Perhaps because constitutional standing was not teed up, the court also failed to engage several federal cases that have dismissed BIPA claims for lack of Article III standing where the plaintiffs failed to allege an injury-in-fact. For example, in Santana v. Take-Two Interactive Software, the Second Circuit applied Spokeo and concluded that mere technical violations of BIPA, such as the failure to strictly comply with the Act’s notice, consent, and disclosure requirements, that do not result in any actual harm are insufficient to confer standing under Article III. Rosenbach’s analysis of what it means to be “aggrieved” under the Act potentially is inconsistent with Santana’s analysis of injury-in-fact.

On the near horizon, expect a flood of new class actions to be filed under BIPA on behalf of consumers, employees, and anyone else whose biometric data was taken without consent or without the statutorily mandated disclosures. Under Rosenbach’s expansive interpretation of what makes someone “aggrieved” under the Act, those actions will almost certainly have statutory standing. But defendants should not necessarily assume that Rosenbach also means that any alleged violation of BIPA is sufficient to confer constitutional standing under the Illinois Constitution, let alone the U.S. Constitution. That issue will have to work its way through the courts.

Turning to practical matters, potential defendants should get ready. Part of getting ready is planning for litigation defense. We expect many defendants will continue to raise constitutional standing arguments in BIPA class actions that are predicated on technical, procedural violations of the statute that resulted in no harm or prejudice, whether proceeding in state or in federal court. But, as these jurisdictional arguments continue to mature, companies need to be examining their use of biometric data and whether their biometric data practices and procedures fully comply with BIPA. Plaintiffs will likely view any biometric data retained or used by a company as an inviting litigation target, and the threat of liquated damages and attorneys’ fees for successful plaintiffs creates a powerful incentive to bring “touch foul” lawsuits.

Companies should also keep an eye on other states. With BIPA in the headlines, other states’ legislatures may decide to adopt similar laws. There is also the possibility of increased regulatory activity in states with existing biometric privacy laws that do not provide for a private right of action, such as Texas and Washington.

Lastly, companies will increasingly be forced to ask whether the business case for biometrics is worth the risk. Biometrics exist and have flourished because they are easy to use. If litigation drastically increases the risk of creating practical biometric systems, companies have to reevaluate the costs and benefits of implementing such a system in the first place.

Standing in Data Breach Cases Likely Heading Back to the Supreme CourtData breach plaintiffs often have a very difficult time stating a concrete injury, and courts have wrestled with whether these plaintiffs can file suit in federal court. We have been watching this issue and writing about it frequently. The issue is whether plaintiffs have suffered an “injury in fact” that gives them Article III standing. The Supreme Court’s 2016 decision in Spokeo v. Robins took a narrow view of Article III standing where the plaintiffs alleged that their federal statutory rights were violated, but did not allege that they suffered any factual injury beyond the statutory violation. Spokeo gave defendants strong arguments to dismiss data-breach cases for lack of standing, but results have been mixed—perhaps because Spokeo addressed federal claims and not state-law negligence claims that are most commonly asserted after data breaches. Spokeo has proven to be a mixed blessing.

Now the issue looks to be heading back to the Supreme Court in Zappos.com, Inc. v. Stevens. That case highlights how the various circuits have taken divergent views on standing in data breach cases. The Supreme Court has not granted certiorari yet, but court watchers have singled this case out as a likely grant. We are monitoring the case closely, as any ruling from the Supreme Court in the data-breach context would have far-reaching effects on this rapidly developing area of the law.

Stay tuned.

First Circuit Restricts Class Certification of Classes Containing Uninjured PersonsIn recent years, courts have reached divergent conclusions about the circumstances in which a damages class containing uninjured persons can be certified. Although there is some room to debate what constitutes injury, it is well established that individual litigants who have not suffered any injury at all should not recover; after all, injury in fact is a bedrock element of standing, and it is well-settled that the purely procedural class action device cannot be used to expand existing substantive rights or create new substantive rights that did not otherwise exist. However, in class cases, there is considerable dispute among circuit courts as to when courts should deal with the presence of uninjured persons in the putative class, and how uninjured persons should factor into the class certification decision.

On the one hand, the Seventh and Ninth Circuits have held that the presence of some—but not “a great many”—uninjured persons in the putative class is not a bar to class certification. Instead, these courts have sanctioned the use of the post-judgment claims administration process to identify and remove uninjured class members. Neither court has yet attempted to explain exactly how many uninjured members constitute “a great many,” nor have they provided much clarity on exactly how to sort it all out at the end.

On the other hand, the majority of courts to consider the issue, including the Second, Fifth, Eighth, and D.C. Circuits, have broadly held that “no class may be certified that contains members lacking Article III standing,” and required that classes “be defined in such a way that anyone within it would have standing.” These courts have placed the burden squarely on plaintiffs to show that “they can prove, through common evidence, that all class members were in fact injured” by the alleged misconduct.

Previously, the First Circuit had attempted to carve out somewhat of a middle ground. In In re Nexium Antitrust Litigation, the court acknowledged that each absent class member must have suffered an injury in fact to recover, but nevertheless affirmed certification of a class that “probably” contained “a de minimis number of uninjured parties.” The court reasoned that defendants’ mere speculation that a few members of the class may have been uninjured was insufficient to rebut the plaintiffs’ showing that for the vast majority of class members, injury in fact could be proven by class-wide proof. The defendants also failed to show that it would be difficult to identify the handful of hypothetically uninjured persons.

Last month, however, the First Circuit came more in line with the majority view. In In re Asacol Antitrust Litigation, the court reversed certification of a consumer class that included a significant number (approximately 10 percent) of uninjured persons. In Asacol, the defendant manufacturer of a drug used to treat ulcerative colitis was accused of violating the Sherman Act by pulling Asacol from the market shortly before the drug’s patent was set to expire and replacing it with two similar, patent-protected drugs. The theory of liability was that by prematurely pulling Asacol from the market, the defendant had precluded entry of lower-cost, generic alternatives in the treatment of ulcerative colitis. The plaintiff class in Asacol comprised consumers who had purchased Asacol before it was taken off the market and who then had purchased at least one of the two replacement drugs after Asacol was taken off the market.

At the class certification stage, the evidence showed that approximately 10 percent of the putative class members would not have switched from Asacol to a generic even if the defendant had not adopted its allegedly anticompetitive strategy and generic versions of Asacol had been available. The district court concluded that persons who would not have switched to a generic did not suffer any injury from the alleged anticompetitive conduct. Yet, the district court certified a class containing those uninjured persons anyway, reasoning that the uninjured class members could be removed post-judgment during the claims administration process and that the total amount of the damages award could be reduced to account for the removal of uninjured class members.

In reversing certification, the First Circuit rejected the district court’s position that it would be appropriate to remove uninjured class members post-judgment during the claims administration process. As the court explained, to move the adjudication of injury-in-fact to the claims administration process would deprive the defendant of its fundamental Seventh Amendment right to a trial by jury on all of the elements of the plaintiffs’ causes of action. Moreover, the defendant had introduced substantial evidence showing that identifying the uninjured class members would require precisely the sort of individualized inquiries antithetical to both the predominance and superiority requirements of Rule 23(b)(3). As a result, the court reasoned that class certification would be inappropriate. The court distinguished its Nexium decision for two reasons: (1) unlike in Nexium, in Asacol a more than “de minimis” number of class members were uninjured; and (2) unlike in Nexium, in Asacol the defendant came forward with substantial evidence both of the number of uninjured persons and the difficulty of proving injury on a class-wide basis – and made clear that it intended to present that evidence at trial.

There are several important takeaways for class action defendants in courts that follow the Asacol rationale:

1. Asacol’s impact will likely be broader than antitrust cases. Although there is some language in the Asacol opinion that purports to limit its holding to antitrust or similar claims, in which “injury in fact” is an affirmative element of the cause of action, Asacol will likely have a much broader application. That is because Article III itself requires that every federal plaintiff have suffered an “injury in fact” to have standing to recover in federal court, and it is unlikely that the current Supreme Court will allow Rule 23 to serve as an end-run on that constitutional requirement.

2. Defendants should introduce evidence at class certification concerning the number of uninjured class members and the difficulty of identifying them. Asacol reinforces the importance to class action defendants to introduce substantial evidence at the class certification stage of the number of uninjured absent class members and the difficulties in proving injury on a class-wide basis. Although plaintiffs bear the burden of proving that the requirements of Rule 23 have been met, as a practical matter, defendants will likely have to level a genuine challenge to allegations of injury in fact and to the plaintiffs’ ability to prove injury on a class-wide basis to defeat class certification because of the presence of uninjured class members. Speculation or unsubstantiated theories that the class may contain uninjured persons probably won’t cut it. Expert testimony will often be required to meet this practical burden.

3. Consider challenging certification even where the number of uninjured class members seems de minimis. One of the stated bases for the court’s decision in Asacol was the fact that the number of uninjured class members was not de minimis. As the court explained, it would have had far fewer concerns if the class had contained just a few uninjured members who could have easily been “picked off” by the defendant “in a manageable, individualized process at or before trial.” This seems to us to be a point of internal inconsistency in the court’s rationale. The Seventh Amendment does not have a “de minimis number of litigants” exception, yet the First Circuit’s approach arguably still seems to.

Assuming the de minimis exception continues to survive to some degree, this does not necessarily mean that defendants should not challenge certification where it appears that only a de minimis number of class members were uninjured. Most importantly, to the extent a court adopts a procedure that contemplates identifying and removing the de minimis number of uninjured class members post-judgment, we believe, as the First Circuit seemed to also conclude, that such a procedure would violate the Seventh Amendment, the Rules Enabling Act, and Article III, none of which have a de minimis exception. We think it likely that the Supreme Court will soon make that clear, perhaps even in a petition for certiorari in this very case should one be filed.  Therefore, we recommend persistently raising and preserving the argument that certification of a damages class is inappropriate unless each and every class member has suffered injury. Unless a class defendant makes that argument, it may be deemed to have forfeited its Seventh Amendment rights, given that those rights can always be waived.

In addition, even if the court attempts to mitigate Seventh Amendment concerns by adopting a process that would allow the jury to identify the uninjured persons at trial, that still does not necessarily mean that class certification would be appropriate. On the contrary, if the process by which uninjured persons are identified would require highly individualized—and likely unmanageable—factual inquiries, then Rule 23(b)(3)’s predominance and superiority requirements might be defeated. That arguably was the case in Asacol, where injury turned on an individualized, subjective inquiry of each putative class member’s purchasing decisions.