Despite having the potential to impact many data collectors, Illinois’ Biometric Information Protection Act (“BIPA”) has received surprisingly little analysis from state or federal courts. A decision issued on October 17, 2019, by the United States District Court for the Northern District of Illinois may limit the number of BIPA cases reaching the federal courts and, in turn, further, limit the development of law addressing BIPA claims.
In Colon v. Dynacast, LLC, 19-cv-4561 (N.D. Ill. Oct. 17, 2019), the Plaintiff, Colon, filed a motion to remand the matter from the Federal Court back to the Circuit Court of Cook County, Illinois. Next, the defendant, Dynacast filed a motion to dismiss. The motion to dismiss was denied as being moot to the extent Colon’s motion to remand was granted and the matter was moved back to state court. Even though this matter was sent back to the state court, the Colon court still provides an interesting analysis of whether a litigant has standing to bring a BIPA case in federal courts.
As seen with many biometric data cases, the Colon matter arises out of allegations that Dynacast, Colon’s employer, used biometric data for their employee time-keeping system. That is, Colon alleges ‘that “each day’ of her employment (from 2013 until January 2018), she was ‘required to place her hand on a panel to be scanned in order to ‘clock in’ and ‘clock-out’ of work.”
Further, in order to support a class action claim, Colon asserted “[a]t least 200 of Defendant’s employees were required to use this biometric time-keeping system.” Colon also claimed that Dynacast failed to inform Colon, in writing, that her biometric data would be collected and did not provide “the specific purpose and length of term for which [her] biometric” information was collected, stored, and used; or “obtain written releases from Plaintiff…before it collected, used, and/or stored” her fingerprint data.” As typically seen in BIPA cases, Colon did not assert any damage beyond simply not receiving formal written notice that her biodata would be collected and stored.
The vast majority of breach cases involve a defendant arguing an action should be dismissed to the extent the plaintiff lacks standing while the plaintiff argues they have standing since they suffered a concrete injury. The roles were reversed in Colon. Here, while arguing this action should be moved back to the state court, Colon argued she lacked Article III standing to allow the matter to remain in federal court. On the other hand, Dynacast argued: “Plaintiff’s injury is sufficiently concrete to confer Article III standing.” Colon was able to take this position in the federal court because she will most likely argue that the BIPA violation alone gives her a viable cause of action in the state court. That is, Colon may not need to even show she suffered a concrete injury when this matter is litigated in state court.
In finding Colon lacked standing and that the case should be remanded back to the state court, the District Court did not appear to be impressed by a BIPA claim based merely on the alleged failure to provide written notice:
That is, the only purported ‘violation of privacy’ was the failure to explain in writing that biometric data was being collected—something that would have been obvious to any employee subject to a fingerprint or hand-scan. But even if this rhetoric referred to activities that could give rise to concrete injuries, “legal conclusions or bare and conclusory allegations…are insufficient” to plead concrete injury and thus confer Article III standing.
The Colon court takes some shots at Colon’s claims before sending it back to state court. One touchstone of BIPA is the requirement that a data collector provides notice, in writing, that biometric information is being collected and stored. Even though the Colon court finds the failure to provide notice cannot alone give rise to Article III standing, the court does not hold back on Colon’s BIPA’s notification requirement:
The fact that this was not explained in writing does nothing to harm people’s privacy interests because they knew that the data was being collected and did not allege that their data was shared with third parties.
So too here: Defendant obviously collected Plaintiff’s fingerprint when the fingerprint was taken. No one alleges that Defendant snooped around like Nicholas Cage in National Treasure, surreptitiously gathering Plaintiff’s biometric data off discarded goods. Likewise, Defendant obviously stored the prints—otherwise, the entire authentication system would make no sense. [Citation omitted] Defendant had to compare each print taken at the timecard station to a baseline in order to determine if the employee clocking in or out was in fact who they said they were. Because Plaintiff knew that her data was being collected, Defendant’s failure to go through each procedural formality outlined in BIPA did not present any “appreciable risk of harm to the underlying concrete interest” in privacy, and therefore Plaintiff has not suffered any injury in fact. [citation omitted] Similarly, because Plaintiff has not alleged that her data was given to third-parties, her right to privacy in her biometric data was not compromised.
This case indicates that the federal courts may not be friendly to BIPA plaintiffs and, therefore, we can expect more BIPA claims to end up in state courts. This decision is still worthy of consideration in state court actions since the Colon court goes out of its way to beat up Colon’s BIPA claim. While state courts may not need to consider whether a litigant can establish Article III standing, this decision highlights a fundamental flaw in BIPA. That is, where is the harm if a litigant allows an employer to take a template of their fingerprint but does not provide formal written notice?