Over the last few years, we have seen a number of common themes and concepts run through privacy cases and legislation.  We have seen plaintiffs struggle with surviving motions to dismiss because they failed to properly allege an injury.  Likewise, we have seen courts struggle with how to protect unfamiliar types of data, including biometric information.

On May 31, 2018, the District Court for the Northern District of Illinois provided the latest analysis of what is necessary for a viable claim under the Illinois Biometric Information Privacy Act (“BIPA”). In finding that data collectors can be liable for merely failing to obtain proper consent to use biometric data, the court took another step in the trend where no breach is necessary to impose liability.

In Dixon v. The Washington and Jane Smith Community, 17-cv-08033 (May 31, 2018), the plaintiff, Cynthia Dixon (“Dixon”), claimed her former employer, Smith Senior Center (“Smith”)  violated her privacy by requiring her to use fingerprint scanners to punch in and punch out at work.  In particular, Dixon claimed the Senior Center’s use of her biometric information violated her rights in the following manner:

  • “Smith did not inform Dixon of the specific purpose or length of time for which her fingerprint was to be collected, stored and/or used;”
  • “Nor did Smith make available information about its biometric data retention policy (if it had such a policy) or other guidelines regarding the permanent destruction of the biometric information it possessed;”
  • “Smith also neglected to obtain a written release from Dixon authorizing Smith to collect or store her fingerprints.”
  • “Lastly, Dixon alleged that, in addition to collecting and storing her biometric information, Smith also ‘systematically disclosed’ that information to Kronos, the out-of-state, third-party vendor of Smith’s biometric clocks, without informing her that it was doing so.”

Motion To Remand Denied:  The Federal District Court Was The Proper Venue For This Litigation

The District Court’s first order of business was to deny Dixon’s motion to remand the case back to Illinois state court.  In arguing her case should be heard back in state court where she originally filed the action, Dixon took the position that the defendants’ motions to dismiss “effectively asserted that she does not meet the injury-in-fact requirement for Article III standing.”

As stated in many privacy cases before this one, the U.S. Supreme Court has held that a litigant cannot “avail themselves of the federal courts” unless they can show (1) they suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.  Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016).

After a substantial discussion on civil procedure and the legislative intent behind BIPA, the District Court found it had jurisdiction over this matter because “where privacy rights are concerned, the dissemination to a third party of information in which a person has a right to privacy is a sufficiently concrete injury for standing purposes.”  Of course, in this case, Dixon alleged Smith disseminated her biometric information to Kronos, the third-party vendor.  (“The Court concludes that this alleged violation of the right to privacy in and control over one’s biometric data, despite being an intangible injury, is sufficiently concrete to constitute an injury in fact that supports Article III standing.”)

Given the above, the District Court held it had subject matter jurisdiction over this matter and the case should not be remanded back to the state court.

Motion To Dismiss Denied: Dixon Has A Viable Claim

Both Smith and Kronos argued Dixon failed to assert an actual injury “sufficient to confer a right of action under BIPA.”  Prior to analyzing Dixon’s claim, the District Court provided the following background on BIPA:

“BIPA provides that ‘[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.’  The statute further provides that, for each negligent violation of the Act, a prevailing plaintiff may recover ‘liquidated damages of $1,000 or actual damages, whichever is greater,’ in addition to obtaining other relief such as an injunction.”

Given this statutory framework, the District Court found Dixon could survive the motion to dismiss based on her allegations that “the defendants violated her right to privacy in and control over her personal biometric data.”  Further, the District Court found Dixon’s allegation that Smith “fails to inform its employees that it discloses employees’ fingerprint data to an out-of-state third-party-vendor, Kronos,” to be problematic.  In denying the motions to dismiss, the District Court held:

“BIPA established a right to privacy in such information and that obtaining or disclosing a person’s biometric data without her consent or knowledge necessarily infringes on the right to privacy in that data.  Even though this may not be tangible or pecuniary harm, it is an actual and concrete harm that stems directly from the defendants’ alleged violations of BIPA.” 

This case signals a willingness by a number of courts to acknowledge the significant risk associated with the storage and disclosure of biometric data. Importantly, there were no allegations of a breach, in the classical sense, of Dixon’s fingerprint information.  In Dixon, the data collector merely provided biometric data to its vendor, and yet the District Court found Dixon’s allegations were sufficient because “obtaining or disclosing a person’s biometric data without her consent or knowledge constitutes an actual and concrete injury because it infringes on the right to privacy in that data.”

Therefore, data collectors will need to make sure they are obtaining proper consent to store data and to provide it to third parties. A breach of this information is no longer required to impose liability.