In David Karling, et. Al. v. Samsara, Inc., a federal court in the Northern District of Illinois has declined to dismiss a class action complaint brought under the Illinois Biometric Information & Privacy Act (“BIPA”), by a truck driver against a maker of facial recognition camera technology. The plaintiff alleged that Samsara was liable because the dash cam installed by his employer took facial scans, and Samsara collected those scans and shared them with the employer without complying with BIPA's requirements. Plaintiff David Karling, on behalf of himself and a putative class, alleges that Defendant Samsara Inc. ("Samsara"), violated BIPA by collecting his information from facial scans without notice or release; disseminating that information to third parties; failing to create, disclose and adhere to a written policy for data retention and destruction; and profiting from these actions.
What is the Case About?
The court describes the facts of the case as follows:
“Samsara provides facial recognition software and sensors to commercial fleets and industrial operations. The Samsara cameras capture the actions of the drivers to monitor for fatigue and distraction. Karling worked in Illinois as a driver for Lily Transportation, a customer of Samsara. In 2021, Lily Transportation installed an AI Dash Camera, provided by Samsara, in Karling’s truck. The AI Dashcam extracted biometric identifiers from Karling’s face while he drove and sent them to the Samsara Cloud Dashboard, where Samsara stored the images. The Samsara Camera includes a feature called Camera ID, which automatically performed facial recognition to identify Karling by extracting biometric identifiers and comparing those to the stored data. Karling never gave permission for the collection and storage of his biometric data. Samsara never provided Karling with a written release, the required statutory disclosures, or a retention and destruction policy. Karling never signed a written release or had an opportunity to prevent this collection and use of his biometric data.”
Samsara moved to dismiss the Complaint on a number of grounds including that federal law governing truck safety technology preempted the state law-based BIPA claims. Samsara also argued that BIPA as applied to it, violated the Dormant Commerce Clause, as BIPA places a great burden on “interstate motor carriers and their technology providers and would substantially interfere with interstate commerce” by unconstitutionally projecting Illinois law onto other states and placing a significant burden on interstate commerce.
Court Rules That Preemption Defense Can’t Be Decided on a Motion to Dismiss on These Facts
Citing Cap. Cities Cable, Inc. v. Crisp, 467 U.S. 691, 699 (1984) the court noted that “[f]ederal law may preempt state law in three situations: when Congress expressly states so, when a federal regulatory scheme implies exclusive congressional legislative power, and in cases of “actual conflict”. Samsara did not argue that BIPA conflicts with a particular federal statute but rather urged “the Court to find “a uniform scheme of federal regulation of truck safety technology” disrupted by BIPA’s Illinois-specific requirements.” But this the court declined to do. Instead, the court reasoned that:
“The scattershot nature of Samsara’s cited agency statements and proposed rulemaking hardly qualifies as a uniform federal scheme to regulate truck safety technology. The Court cannot find “a clear and manifest” Congressional purpose to preempt state regulation of “truck safety technology” from these disparate sources, which range from a law that directed DOT [Department of Transportation] to conduct research and rulemaking on driver monitoring systems to a recent federal initiative to incentivize driver-safety technologies. Although these sources potentially touch on biometrics and privacy concerns, their overwhelming aim is traffic safety, while BIPA targets “disclosure, consent, and recordkeeping requirements” for biometric identifiers.”
The court did not find the preemption issue appropriate for deciding on a motion to dismiss, and denied the motion.
The Court Can’t Decide Whether BIPA Violates the Dormant Commerce Clause on the Motion to Dismiss
Samsara moved to dismiss the complaint under the Dormant Commerce Clause, arguing that:
“BIPA, as applied to it, places a great burden on “interstate motor carriers and their technology providers and would substantially interfere with interstate commerce.” [citation omitted] According to Samsara, BIPA unconstitutionally projects Illinois law onto other states and would place a significant burden on it because it would “require Samsara either to ensure compliance with BIPA everywhere Samsara does business or, absurdly, to prohibit its customers from using Samsara technology while driving in Illinois due to risk of noncompliance.” [citation omitted] Karling argues that, again, the Court should decide this issue on a full factual record. The Court agrees.”
Noting that “courts have repeatedly rejected the argument that the Dormant Commerce Clause prevents BIPA's application to out-of-state defendants at the motion to dismiss stage” and holding that the “issue is more properly addressed on a motion for summary judgment” the court dismissed Samsara’s argument. Instead, the court reasoned that “[w]ithout discovery into Samsara’s processes for scanning, storing, and using biometrics with its dashcam system and the alleged burden of compliance with BIPA, the Court cannot determine whether there is a Dormant Commerce Clause violation.”
The Complaint Adequately Alleged Other BIPA Violations
The court next analyzed whether the Complaint adequately alleged BIPA violations under Sections 15(a) through 15 (d) and found that it did. In making such findings the court rejected arguments that: (1) Samsara’s website adequately provided a written policy regarding retention and destruction of biometric data (Section 15(a); (2) the release requirement applies only to employers (Section 15 (b); (3) Samsara is not liable because it only possessed and did not collect the biometric data (Section 15 (c); and (4) the Complaint inadequately alleged that Samsara profited from the collection of the biometric data (Section 15(d). Finally, the court found that the Complaint adequately alleged facts supporting an award of enhanced damages for Samsara’s intentional or reckless disregard of compliance with the requirements of BIPA.
What Does This Mean For Companies Collecting Biometric Data?
Companies collecting or using biometric data in their businesses need to understand and comply with the requirements of BIPA if they are doing business in Illinois or collecting the biometric data of Illinois consumers. BIPA continues to be a trap for the unwary company, and class actions filed in Illinois under BIPA cannot easily be defeated on a motion to dismiss, but instead will likely require the investment of time and money in expensive and burdensome discovery, and the development of a factual record in order to dispose of the case.
The case is David Karling et al. v. Samsara Inc., case number 1:22-cv-00295, in the U.S. District Court for the Northern District of Illinois. Tactical Law will continue to monitor the case. Please check back for updates.
California Federal Court to Decide Whether the Absence of a Public Facing Retention Policy Constitutes a Single Violation of BIPA or Whether Multiple Violations Are Possible.
By Pam Fulmer
Unique among state laws, the Illinois Biometric Information Privacy Act (“BIPA”) creates a private right of action for "any person aggrieved" by a violation of the statute and provides for statutory damages of $1,000 for a negligent violation to $5,000 for an intentional or reckless violation, in addition to reasonable attorneys' fees and costs. Liquidated damages can also be awarded under the statute. The potential to aggregate these penalties on a class-wide basis and the availability of attorneys' fees has made BIPA an attractive statute for the plaintiffs' class action bar. Because of this recovery scheme, BIPA has made Illinois a national litigation magnet.
However, BIPA cases are not just limited to Illinois. Instead, Plaintiffs have filed several BIPA related consumer class action cases in the Northern District of California, and have targeted tech companies, including Facebook in particular, and its photo tagging technology, which Facebook has since discontinued using. One of those cases, In re Facebook Biometric Info. Priv. Litig.., 185 F. Supp. 3d 1155 (N.D. Cal. 2016), affirmed by Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019), addressed directly whether BIPA covers the method Facebook used in its photo "Tag Suggestions" program. Judge Donato ruled it did and certified the class. Facebook appealed and the Ninth Circuit affirmed Judge Donato’s ruling. Facebook later settled that case for $650 million, after the U.S. Supreme Court declined to grant certiorari.
Now another consumer class action case, Zellmer v. Facebook Inc., case number 3:18-cv-01880, is again before Judge Donato. However, unlike the previous case, Zellmer consists of a class of non-Facebook users who had their photos uploaded to Facebook by other Facebook users. In an April 2022 ruling, Judge Donato found that it would be "patently unreasonable" to hold Facebook liable for claims that it failed to inform nonusers in Illinois who were strangers to Facebook, about its collection and storage of their facial scans, and ruled against Plaintiffs on their Section 15(b) claim requiring notice and consent. However, the court allowed the claims under Section 15(a) to proceed, finding that factual issues abounded as to whether Facebook had a “written policy, made available to the public” that established data retention policies and related practices for biometric identifiers or information as required by 740 Ill. Comp. Stat. 14/15(a).
What is BIPA?
BIPA passed by the Illinois state legislature in 2008, protects biometric identifiers and biometric information of human beings. Biometric identifiers are defined as a "retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry," and "do not include writing samples, written signatures, [or] photographs." Biometric information is considered "any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier," but "does not include information derived from items or procedures excluded under the definition of biometric identifiers."
Under BIPA, an organization may not "collect, capture, purchase, receive through trade, or otherwise obtain" biometric identifiers or information (collectively, biometric data) unless it first:
The organization must store, transmit, and protect from disclosure any collected biometric data using the reasonable standard of care within the applicable industry, and in a manner that is at least as protective as the means used to protect other confidential and sensitive information (740 Ill. Comp. Stat. 14/15(e)). Additionally, any organization that possesses biometric data must:
Does the Absence of a Public Retention Policy Constitute a Single Violation of the Statute or Can There Be More?
Recently Judge Donato asked the parties to analyze and submit 5-page briefs on whether the absence of a public retention policy as required by Illinois law is a single violation of Section 15(a) that can be remedied by a single liquidated damages award or whether there can be multiple violations. 740 Ill. Comp. Stat. 14/15(a).
For its part Facebook argues that “BIPA’s text establishes that the failure to publicly post a retention policy constitutes a single violation of BIPA and that the only authorized remedy for such a violation is a single award of actual or liquidated damages.” Facebook reasons that an entity cannot fail to publish something more than once. Facebook also argues that Section 20 of BIPA “limits recovery to those “aggrieved” by a violation” of the statute and that “BIPA does not extend a legal right to every member of the public in all situations.” Noting that Illinois courts require that “aggrieved” persons have a “direct, immediate and substantial interest rather than a speculative, theoretical, inconsequential or remote interest,” Facebook argues that no such showing can be made on these facts. Facebook asserts that Plaintiffs as non-users could not possibly have benefited from Facebook’s decision to post a retention policy and thus do not have the direct, immediate and substantial interest needed to meet the “aggrieved” requirement under BIPA.
Mr. Zellmer argues the opposite and focuses on the number of times Facebook scanned Plaintiff’s face to argue that the policy was violated multiple times. According to his brief:
“Here, each time Facebook scanned Plaintiff’s face, it used the scan to compare it to other faces stored in Facebook’s facial recognition system. Facebook scanned Plaintiff’s face on at least four separate occasions, each time without having a public policy containing the disclosures mandated by Section 15(a). On each such date Facebook owed Plaintiff a written policy. In addition, once the comparisons were completed, the purpose for which Facebook collected Plaintiff’s face scan ended. Facebook thus violated Section 15(a) by failing to timely delete Plaintiff’s biometric data.”
Plaintiff also argues that the statute provides for the award of liquidated damages in the absence of showing the existence of actual damages.
“Under Section 20, Plaintiff is entitled to liquidated damages of $5,000.00 for each of Facebook’s intentional and reckless violations of Section 15(a) or, alternatively, liquidated damages of $1,000.00 for each violation if the jury finds that Facebook was negligent in its failure develop a public policy or comply with Section 15(a)’s data destruction requirements. Plaintiff is entitled to liquidated damages in the absence of any showing of actual damages.”
Tactical Law will continue to monitor the case and report back on further developments, including Judge Donato's ruling.