Companies gained a limited new edge in defending their compliance with Illinois’ biometric privacy law, following a recent state appeals court ruling that
Apple escaped Biometric Information Privacy Act liability because customers voluntarily used optional features like Touch ID and Face ID, their data was stored locally on their own devices, and the company didn’t collect or store that data on separate servers, the Illinois First District Appellate Court decided in late December. Apple therefore didn’t possess or control the users’ data, which would have triggered state biometric privacy requirements.
Apple’s victory comes in the wake of several cases in which plaintiffs successfully argued that companies violate BIPA by improperly collecting and storing data such as facial scans and fingerprints.
The latest appellate opinion adds to a growing pool of precedent that provides guidance to companies offering products or services that collect biometric data, defense attorneys said. However, the scope of its impact is limited by the fact-specific nature of the case, they said.
The decision is “helpful and it’s by far the best tool that defense can use to evaluate whether something falls under BIPA,” said David Oberly, a biometric privacy lawyer at Squire Patton Boggs.
It is especially useful as courts have chipped away at defense arguments in BIPA cases and interpreted the statute broadly in a manner favorable to plaintiffs, Oberly said.
“With BIPA, there’s so much that’s left uncertain at this point with the statute, so you can’t say with 100% certainty that its use is not going to result in a class action lawsuit,” he said.
Narrowing BIPA’s Scope
In the case, Apple user David Barnett filed a proposed class action against the company in June 2021, alleging that it possessed, and therefore controlled, data protected by BIPA but had neither first obtained the necessary consumer consent nor provided users a copy of the required retention policy.
The court’s explanation of why several of the facts alleged in the case don’t violate BIPA can be used when counseling companies on compliance with the law, defense lawyers said.
Plaintiffs equated Apple’s “product with the company,” Justice Oden Johnson wrote for the the unanimous three-member panel. Apple didn’t possess or control users’ biometric data, which remained confined to the user device rather than being stored on company servers, the opinion said.
The court’s conclusion builds on previous BIPA decisions that eliminated outlier interpretations of what qualifies as possession under the law, said Ken Suh, a senior defense counsel on privacy issues at Locke Lord.
“You have to specifically identify how your rights have allegedly been violated, and which service, which product,” Suh said. “If it’s a company, then what part of the company? You have to identify those things to be able to trace some kind of standing.”
Another key factor in the Illinois panel’s decision was the optional nature of using Apple’s biometric identification features, which are not required to unlock its devices, Suh said.
Users voluntarily choose to engage the facial and fingerprint scan features, must complete a multi-step process to capture their biometrics on that device, and can delete the stored scans at any time, the opinion said.
Pleading Standard
The decision also noted that several of the plaintiffs’ arguments drawing from federal court decisions didn’t meet Illinois’ standard for pleading facts in a complaint.
The state’s standard requires allegations that more specifically allege a claim than the comparatively more lenient notice-pleading standard used in federal courts, according to the opinion.
“As a result of this difference, we find less persuasive some of the federal cases cited by plaintiffs,” Johnson wrote.
That point will add to the factors defense counsel may consider when deciding whether to keep a BIPA case in state court or remove it to federal court, but it won’t outweigh other strategical considerations, Suh said.
“There is some notion amongst the defense bar that federal court might be advantageous in certain ways but, you know, we always counsel clients that there’s just no bright line rules like that,” Suh said.
Future Implications
The case’s outcome is unsurprising given the tenuous arguments tying Apple to BIPA violations, as it’s one of the few companies handling biometric data in the right way, said Eli Wade-Scott, leader of the class action practice at plaintiffs firm Edelson PC.
“When these types of ‘stretch suits’ are brought, it distracts from real privacy issues that the country is facing, from both inside and outside Apple,” Wade-Scott said.
While the opinion serves as a useful model for compliance attorneys, its scope of impact will be limited to cases with similar fact patterns, said Honigman LLP commercial litigation attorney Molly McGinley.
Virtual try-on technology cases are an area of BIPA litigation to which defendants may try to extrapolate the principles of the decision, noted Oberly of Squire Patton Boggs. Consumers voluntarily elect to have their biometric data collected by a tool confined to their own computer or phone, he said.
The appellate-level decision may be short-lived, however, if the Illinois Supreme Court decides to take up the issue, McGinley said.
“This decision is binding in the First District, but, you know, it may not be the ultimate sort of answer on the issue. It remains to be seen whether this would be something that the courts will have further to say on this issue,” she said.
