Last week, we analyzed Rivera v. Google Inc., 16 C 02714 (N.D. Ill 2016), a decision by the District Court for the Northern District of Illinois which examined the Illinois Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1 et seq.). BIPA, and various laws like it, protect against the unauthorized disclosure of information that is “biologically unique to the individuals” rather than financial or similar data that can be changed if compromised. BIPA recognizes that a person cannot easily change their fingerprint if the print is compromised in the same manner they could change a password. In Rivera, the District Court found allegations that Google stored face-scans taken from pictures taken on Google devices may constitute a violation under BIPA and at least may survive a motion to dismiss. The District Court first held that “face templates” created by Google from pictures submitted to and stored by Google qualified as a biometric identifier under BIPA.
The District Court also found the Plaintiffs survived Google’s motion to dismiss based on the following reasoning:
- Google’s Argument That BIPA Did Not Apply Because Google Did Nothing In Illinois.
In its lengthy decision, the District Court also rejected Google’s second argument “that the Plaintiffs claims cannot proceed because “applying the Privacy Act to Google would result in extraterritorial application of the statute” or, in other words, “this Illinois law applies only in Illinois, and Google is not doing anything in Illinois.” The central question in this analysis is “whether Google’s activities—making face templates of Rivera and Weiss in photographs uploaded automatically from Google Droid devices in Illinois—are extraterritorial (and therefore not-actionable) applications of the Privacy Act.” And, the District Court found no bright line test to determine whether a transaction occurs within Illinois.
In relying on a test applied to the Illinois Consumer Fraud Act, the District Court analyzed whether “the circumstances relating to the transaction occur primarily and substantially” inside Illinois. Here, the difficulty in answering this question is the fact that Google’s conduct took place online or on a “cloud” and was not fixed to one particular location. On this point, the Plaintiffs argued the Act applied because they were Illinois residents, the photographs were taken in Illinois and photos were automatically uploaded in Illinois to the cloud-based Google Photos service.
However, to support its motion to dismiss, Google asserted that the alleged violations of BIPA, the unauthorized face scans, did not occur “primarily and substantially” in Illinois. Google noted that the Complaint was devoid of any allegations concerning the location for the face scanning.
In rejecting Google’s arguments, the District Court found Plaintiffs’ allegations were sufficient to at least deem the asserted violations occurred in Illinois in order to survive the motion to dismiss. The District Court found that Google’s motion to dismiss was appropriately denied under this reasoning because “[d]iscovery is needed to determine whether there are legitimate extraterritoriality concerns.” That is, the District Court wanted additional discovery completed on whether the claimed violations took place on Illinois.
Even though the Plaintiffs survived Google’s motion to dismiss, developing facts to demonstrate Google’s conduct took place in Illinois may be difficult when Google stored the face scans on cloud-based technology. BIPA provides the legislative intent behind this Act as “[t]he use of biometrics is growing” and “[m]ajor national corporations have selected the City of Chicago and other locations in the State as pilot testing sites for new applications of biometric-facilitated financial transactions…” This case demonstrates that Illinois courts are also being tested by this technology when they are called upon to review such novel questions as where activities on the “cloud” take place.