Two recent district court opinions addressed issues of personal jurisdiction and standing under the Illinois Biometric Information Privacy Act (BIPA). BIPA imposes a number of requirements on those who obtain a person’s biometric data, including those set forth in Section 15(a), requiring those in possession of biometric data to develop a publicly available written policy regarding the retention and destruction of biometric data in their possession, in Section 15(b), requiring that each person be provided with required disclosures and obtaining that person’s written release prior to acquiring that data, and in Section 15(c), which prohibits those in possession of biometric data from selling or profiting from that data, or disclosing that data to third parties.
In Bray v. Lathem Time Co., Case No. 19-3157 (C.D. Ill.), the court granted defendant third-party technology vendor’s motion to dismiss based on lack of personal jurisdiction. In Figueroa et al. v. Kronos, Inc., No. 19 C 1306 (N.D. Ill.), the court held that plaintiffs had standing to pursue claims against a vendor of biometric time clocks under sections 15(b) and 15(d) of BIPA, but that plaintiffs lacked standing to pursue Section 15(a) claims for defendant’s failure to comply with a retention/destruction policy.
In Bray v. Lathem Tim Co., the district court addressed the question of jurisdiction over a defendant with whom the plaintiff had no dealings. Plaintiff originally filed the action in state court but defendant removed it to federal court. The defendant is a Georgia-based company that designs and sells biometric-based technology systems to employers, including, allegedly, plaintiff’s employer. Plaintiff’s employer required plaintiff and the other employees to submit their fingerprints to check-in and check-out of work. Defendant moved to dismiss plaintiff’s complaint, arguing that the court lacked personal jurisdiction over it because its only “contact” with Illinois occurs when its customers-employers and not end users like Bray, reach out to purchase its products. Plaintiff’s alleged injury arose not from those few contacts with Illinois but rather from the employer’s use of the product, which can take place wherever the employer chooses. The court therefore concluded that it lacked personal jurisdiction over the defendant third-party technology vendor. Bray is pursuing a separate action against his employer in state court.
In Figueroa et al. v. Kronos, Inc., the court addressed the issue of whether a plaintiff has standing to raise a claim for violation of Section 15(a) in federal court. Plaintiffs originally filed this putative class action in the Circuit Court of Cook County, but defendant Kronos removed the case to the U.S. District Court for the Northern District of Illinois pursuant to the Class Action Fairness Act. Kronos then moved to dismiss the complaint, or in the alternative, to strike the class allegations, in part arguing that plaintiff lacked federal standing to assert those claims. The court ultimately held that plaintiff has standing to assert claims under Sections 15(b) and 15(d), but lacked standing to assert claims under Section 15(a). As such, the district court severed the 15(a) claim from the rest of the suit and remanded it to state court.
In reaching this ruling the district court relied on the Seventh Circuit’s recent ruling in Bryant v. Compass Group USA, Inc., 958 F.3d 617 (7th Cir. 2020), where it held that a mere allegation of a violation of Section 15(a) of BIPA, for failing to establish a written retention and destruction policy, was insufficient to establish federal standing. Like the plaintiffs in Bryant, the plaintiffs in Figueroa did not allege that Kronos’s failure to publicize its retention policy injured them. This is because most employees do not know they are interacting with Kronos, a third-party vendor, when they have their biometrics scanned by their employer’s Kronos devices, and therefore would have no reason to seek out its biometrics data policies.
Unlike the plaintiffs in Bryant, the plaintiffs in Figueroa also alleged that defendant violated the additional requirement in Section 15(a) that biometric data be destroyed in compliance with that policy, and argued that this violation was sufficient to establish standing. Although a closer call, the court nonetheless concluded that Kronos’s alleged failure to follow retention and destruction guidelines presented a bare risk of harm which itself was insufficient to establish standing without additional particularized allegations showing that this failure presented a real risk of harm to plaintiffs. Although plaintiffs argued that Kronos’s alleged disclosure of their biometric information to third parties established this particularized harm, the allegations were that the data were only disclosed to data centers hosting the biometric data. Even if such dissemination violated BIPA, and is itself an injury in fact under Section 15(b), the court held that this alone did not present the real risk of further harm required to render the retention of data under Section 15(a) an injury of fact. Plaintiffs failed to explain how Kronos’s dissemination of their biometric information transforms its failure to follow a retention and destruction policy into a concrete injury.
The Seventh Circuit in Bryant only addressed the issue of standing to assert a claim for failing to create a retention/destruction policy; it did not address standing for failing to comply with that policy. The court in Figueroa appears to be the first court addressing that issue. Six days after the court in Figueroa issued its opinion, the Seventh Circuit issued a ruling in the Bryant case amending its opinion by adding two sentences to the section addressing standing under Section 15(a). Those two sentences make it clear that the court was only addressing the issue of failure to create a policy and not addressing any other claim under Section 15(a) – such as failing to comply with that policy. Thus, it is unclear whether the Figueroa court’s reliance on Bryant is wholly justified.