California Federal Court to Decide Whether the Absence of a Public Facing Retention Policy Constitutes a Single Violation of BIPA or Whether Multiple Violations Are Possible.
By Pam Fulmer
Unique among state laws, the Illinois Biometric Information Privacy Act (“BIPA”) creates a private right of action for "any person aggrieved" by a violation of the statute and provides for statutory damages of $1,000 for a negligent violation to $5,000 for an intentional or reckless violation, in addition to reasonable attorneys' fees and costs. Liquidated damages can also be awarded under the statute. The potential to aggregate these penalties on a class-wide basis and the availability of attorneys' fees has made BIPA an attractive statute for the plaintiffs' class action bar. Because of this recovery scheme, BIPA has made Illinois a national litigation magnet.
However, BIPA cases are not just limited to Illinois. Instead, Plaintiffs have filed several BIPA-related consumer class action cases in the Northern District of California, and have targeted tech companies, including Facebook in particular, and its photo tagging technology, which Facebook has since discontinued using. One of those cases, In re Facebook Biometric Info. Priv. Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016), affirmed by Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019), addressed directly whether BIPA covers the method Facebook used in its photo "Tag Suggestions" program. Judge Donato ruled it did and certified the class. Facebook appealed and the Ninth Circuit affirmed Judge Donato’s ruling. Facebook later settled that case for $650 million, after the U.S. Supreme Court declined to grant certiorari.
Now another consumer class action case, Zellmer v. Facebook Inc., case number 3:18-cv-01880, is again before Judge Donato. However, unlike the previous case, Zellmer consists of a class of non-Facebook users who had their photos uploaded to Facebook by other Facebook users. In an April 2022 ruling, Judge Donato found that it would be "patently unreasonable" to hold Facebook liable for claims that it failed to inform nonusers in Illinois who were strangers to Facebook about its collection and storage of their facial scans, and ruled against Plaintiffs on their Section 15(b) claim requiring notice and consent. However, the court allowed the claims under Section 15(a) to proceed, finding that factual issues abounded as to whether Facebook had a “written policy, made available to the public” that established data retention policies and related practices for biometric identifiers or information as required by 740 Ill. Comp. Stat. 14/15(a).
What is BIPA?
BIPA, passed by the Illinois state legislature in 2008, protects biometric identifiers and biometric information of human beings. Biometric identifiers are defined as a "retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry," and "do not include writing samples, written signatures, [or] photographs." Biometric information is considered "any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier," but "does not include information derived from items or procedures excluded under the definition of biometric identifiers."
Under BIPA, an organization may not "collect, capture, purchase, receive through trade, or otherwise obtain" biometric identifiers or information (collectively, biometric data) unless it first:
The organization must store, transmit, and protect from disclosure any collected biometric data using the reasonable standard of care within the applicable industry, and in a manner that is at least as protective as the means used to protect other confidential and sensitive information (740 Ill. Comp. Stat. 14/15(e)). Additionally, any organization that possesses biometric data must:
Does the Absence of a Public Retention Policy Constitute a Single Violation of the Statute or Can There Be More?
Recently, Judge Donato asked the parties to analyze and submit 5-page briefs on whether the absence of a public retention policy as required by Illinois law is a single violation of Section 15(a) that can be remedied by a single liquidated damages award or whether there can be multiple violations. 740 Ill. Comp. Stat. 14/15(a).
For its part, Facebook argues that “BIPA’s text establishes that the failure to publicly post a retention policy constitutes a single violation of BIPA and that the only authorized remedy for such a violation is a single award of actual or liquidated damages.” Facebook reasons that an entity cannot fail to publish something more than once. Facebook also argues that Section 20 of BIPA “limits recovery to those ‘aggrieved’ by a violation” of the statute and that “BIPA does not extend a legal right to every member of the public in all situations.” Noting that Illinois courts require that “aggrieved” persons have a “direct, immediate and substantial interest rather than a speculative, theoretical, inconsequential or remote interest,” Facebook argues that no such showing can be made on these facts. Facebook asserts that Plaintiffs as non-users could not possibly have benefited from Facebook’s decision to post a retention policy and thus do not have the direct, immediate and substantial interest needed to meet the “aggrieved” requirement under BIPA.
Mr. Zellmer argues the opposite and focuses on the number of times Facebook scanned Plaintiff’s face to argue that the policy was violated multiple times. According to his brief:
“Here, each time Facebook scanned Plaintiff’s face, it used the scan to compare it to other faces stored in Facebook’s facial recognition system. Facebook scanned Plaintiff’s face on at least four separate occasions, each time without having a public policy containing the disclosures mandated by Section 15(a). On each such date Facebook owed Plaintiff a written policy. In addition, once the comparisons were completed, the purpose for which Facebook collected Plaintiff’s face scan ended. Facebook thus violated Section 15(a) by failing to timely delete Plaintiff’s biometric data.”
Plaintiff also argues that the statute provides for the award of liquidated damages in the absence of showing the existence of actual damages.
“Under Section 20, Plaintiff is entitled to liquidated damages of $5,000.00 for each of Facebook’s intentional and reckless violations of Section 15(a) or, alternatively, liquidated damages of $1,000.00 for each violation if the jury finds that Facebook was negligent in its failure [to] develop a public policy or comply with Section 15(a)’s data destruction requirements. Plaintiff is entitled to liquidated damages in the absence of any showing of actual damages.”
Tactical Law will continue to monitor the case and report back on further developments, including Judge Donato's ruling.