In a recent decision, the Seventh Circuit Court of Appeals held that a federal district court could hear certain Biometric Information Privacy Act (BIPA) claims. An issue in many BIPA lawsuits specifically, and in many data privacy lawsuits generally, is whether the court has subject matter jurisdiction to hear the case. The issue is usually raised by defendants seeking to dismiss the case; however, in Bryant v. Compass Group USA, Inc. (https://law.justia.com/cases/federal/appellate-courts/ca7/20-1443/20-1443-2020-05-05.html), the Plaintiff claimed that she lacked Article III standing and sought to have the case remanded to state court.
In Bryant, Plaintiff Christine Bryant’s employer installed vending machines owned and operated by Defendant Compass Group. Rather than accept cash, employees had to establish an account using their fingerprint to purchase food from the vending machines. During her orientation, Plaintiff and her co-workers scanned their fingerprints into the vending machine’s system to establish a payment link and create a user account. Bryant claimed that the process of collecting and retaining her fingerprint, and the fingerprints of her co-workers, violated Sections 15(a) and (b) of Illinois’ BIPA. Section 15(a) requires collectors of biometric information make public a retention schedule and guidelines for permanently destroying the biometric information, while Section 15(b) requires that collectors of biometric information obtain informed written consent before biometric information is obtained. Subsequently, Bryant brought a putative class action against Compass in the Circuit Court of Cook County alleging violations of these sections of BIPA.
Compass removed the action to federal court and Bryant moved to remand the action to state court claiming that the district court did not have subject matter jurisdiction because she lacked the concrete injury-in-fact necessary to satisfy the federal requirement for Article III standing. The district court agreed, finding that Compass’s alleged BIPA violations were bare procedural violations that caused no concrete harm to Bryant, and remanded the action to state court.
The Seventh Circuit’s decision reversed the district court, finding that the case was properly removed to federal court. For a plaintiff to have Article III standing, 1) they must have suffered an actual or imminent, concrete and particularized injury-in-fact, 2) there must be a causal connection between the injury and the conduct complained of, and 3) there must be a likelihood that this injury will be redressed by a favorable decision. Only the first prong of this test was at issue in Bryant. In informational injury cases, an injury inflicted by nondisclosure is concrete if the plaintiff establishes that the withholding impaired her ability to use the information in a way the statute envisioned. The Court held that Compass withheld substantive information to which Bryant was entitled and therefore deprived her of the ability to give the informed consent required by Section 15(b). Conversely, the Court held that Bryant had not suffered a concrete and particularized injury as a result of the Section 15(a) violation as this duty to disclose was owed to the public generally and not part of the informed-consent regime.
The Bryant decision provides litigants with the opportunity to decide the most advantageous forum to litigate BIPA claims, as both state and federal court are now available. However, the best strategy continues to be that a collector of biometric information should formulate a plan to comply with BIPA’s requirements prior to the collection of that information. If you have questions regarding litigation or compliance under Illinois’ Biometric Information Privacy Act, or questions regarding privacy and data security generally, contact Tim Hayes at email@example.com
The California Consumer Privacy Act of 2018 (CCPA or “the Act”) is one of the most significant pieces of privacy legislation that we have seen in the United States. Signed into law on June 28, 2018, and effective as of January 1, 2020, the CCPA will force many businesses to change how they manage and sell consumer information.