Class action litigation for non-breach privacy violations has exploded. In contrast to a data breach situation where there is unauthorized access or data theft, a non-breach privacy violation happens when a company or data holder violates a statute or law related to a person’s data.
Why the rise in class actions related to this? The Illinois Biometric Information Privacy Act (BIPA) is the culprit.
Two BIPA rulings in two different venues–state and federal court—have been major wins for consumers. As a result, the plaintiffs’ bar shifted its focus on filing BIPA class actions in both federal and state court, leading to an onslaught of litigation against businesses that collect and use biometric data.
Brief Background on BIPA
BIPA contains a private right of action that allows individuals or groups of individuals to sue companies directly when their privacy rights have been violated.
Claims under BIPA can include a variety of allegations. For example, claims against companies can include allegations that biometric data was improperly disclosed or that the company failed to provide written notice and obtain written consent to collect biometric data.
While other laws, such as California’s Consumer Protect Act (CCPA), have a limited private right of action, BIPA is currently the only law that grants a private right of action for non-breach privacy violations.
In January, the Illinois Supreme Court (state court) held that in 2019 that individuals can pursue technical violations of BIPA and do not have to demonstrate actual “harm.”
Additionally, the Ninth Circuit (federal court) held in a separate case that plaintiffs had Article III standing to sue in federal court for technical violations of BIPA without alleging actual harm.
What Happens in a BIPA Lawsuit?
What can you expect if there is a lawsuit filed for non-breach violations of BIPA? Where will plaintiffs file suit? Well, that depends. The case law in this area continues to evolve, causing the litigation landscape to be a bit uncertain.
BIPA states that “… any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party… .”
Keep in mind: There are differences between state court and federal court. Some general distinctions between state and federal court:
- Compared to federal court, plaintiffs in state court are more likely to survive defendants’ efforts to dismiss the case, even with relatively weaker pleadings.
- There is a more structured format in federal court regarding discovery.
- Unlike in federal court, state court plaintiffs can immediately start asking for documents and witness interviews, which drives up the cost of litigation quickly.
- Some state courts, such as those in California, have a reputation for being friendlier venues for plaintiffs.
- State courts may not be as well-versed in complex or nuanced laws.
With tougher dismissal rates and costly early-stage discovery, state court can be tough for defendants given the advantages to plaintiffs. According to Bloomberg Law, from November 2020 through January 2021, 12 BIPA complaints were filed in Illinois federal court and at least 36 were removed from state courts, reinforcing defendants’ preference for federal court.
In addition to considerable legal costs from BIPA class actions, companies can face significant financial exposure for BIPA violations. The different outcomes that a company might see depending on the forum where a case is heard can vary–from the speed of the case to the overall outcome.
Understanding the venue and which forum is proper is key. Given the potential advantages for companies to be in federal court, the real question is whether all cases can be heard in federal court.
Standing as a Threshold Matter
One issue repeatedly resurfacing is whether BIPA cases have standing in federal court under Article III. Questions of BIPA standing arise in large part due to the US Supreme Court’s (SCOTUS) decision in Spokeo, Inc. v. Robins. Spokeo held that a “bare procedural violation” of a statute couldn’t confer Article III standing if the plaintiff fails to also allege a “concrete harm.” In other words, the plaintiff in Spokeo did not have any concrete injury, there was just a violation of the statute.
However, Spokeo stopped short in clarifying whether the plaintiff’s alleged injuries were sufficiently concrete and particularized to confer violations giving rise to Article III standing. This lack of clarity has resulted in federal courts taking inconsistent approaches in interpreting standing leading to different standards in different jurisdictions.
As a result, companies facing non-breach BIPA class actions lack guidance on whether certain cases can be filed in federal court since there is no defined uniform rule.
Issues of standing for BIPA cases continue to develop. A string of recent BIPA class actions removed from Illinois state court to federal court were appealed to address the issue of standing. The US Court of Appeals for the Seventh Circuit demonstrates an evolution in the interpretation of BIPA standing in federal.
In the court’s rulings, the Seventh Circuit made distinctions between cases asserting a mere violation of BIPA in order to confer Article III standing and those that also require an allegation of a particularized injury in order to confer standing:
- Rosenbach v. Six Flags Entertainment Corp (2019): Conferred standing on plaintiffs who allege BIPA violations without pleading an actual injury.
- Bryant v. Compass Group USA, Inc. (2020): Regarding Section 15(b), allegations that a defendant violated BIPA by collecting biometric information without first obtaining informed consent constituted an “injury in fact” and constituted Article III standing.
- Fox v. Dakkota Integrated Systems (2020): For an alleged violation of 15(a), the unlawful collection or retention of biometric data is a concrete and particularized and conferred Article III standing.
- Thornley v. Clearview AI, Inc. (2021): For an alleged violation of 15(c), no standing as only a bare procedural violation of BIPA alleged with no concrete and particularized harm injury in fact.
Navigating the Seventh Circuit’s roadmap as to which type of BIPA cases can be filed in state court or federal court based on these rulings will require companies to heavily scrutinize the facts of a case should they be faced with a lawsuit.
Additionally, it may not always be clear which court is proper. This could result in additional litigation costs being incurred and lawsuits dragging on while the proper venue is argued over.
Outside of the Seventh Circuit? As mentioned above, the Ninth Circuit held that plaintiffs had Article III standing to sue in federal court for technical violations of BIPA without alleging actual harm.
However, the Second Circuit concluded that purely technical violations of BIPA do not cause harm and dismissed the case from federal court (plaintiffs could re-file in state court). Navigating this roadmap of rulings is challenging to say the least.
The body of law for non-breach privacy class actions remains unsettled as courts continue to vary their interpretation of Article III standing. However, this issue goes beyond non-breach BIPA suits as the interpretation of Article III is not a novel issue isolated to BIPA cases.
Other privacy class action suits under such laws as the CCPA also wrestle with the lack of clarity from Spokeo regarding Article III standing. For example, the Ninth Circuit has allowed class actions to move forward despite the presence of “actual” harm leading to multimillion dollars in damages without any “actual” injury to the consumer.
The good news is that SCOTUS has agreed to hear the TransUnion LLC v. Ramirez case to address whether violating consumer privacy is an inherent harm. The decision in Ramirez will hopefully add clarity to the pleading requirements for Article III standing in BIPA cases and privacy cases.
Additionally, we are keeping an eye on whether the defendants in Thornley v. Clearview AI, Inc. file a petition for certiorari with SCOTUS (as they said they intend to do) in hopes the court will decide whether an allegation of a statutory violation of BIPA gives rise to a concrete and particularized injury-in-fact that is necessary for Article III standing.
This guidance will help to better define the litigation landscape and what to expect if a lawsuit is filed.
We will be closely watching what happens in Ramirez and monitoring whether the Clearview defendants take their unsettled question to SCOTUS as well. While we have yet to see how these cases will play out, until then, one thing is clear: Companies need to stay abreast and compliant with privacy laws to minimize exposure and understand the dynamic nature of the litigation environment.
With the ever-changing privacy laws, it is imperative to have a well-rounded approach to cyber risk, for more read: You Can Outsource a Service, But not Cyber Risk
The Four-Part Cyber Solution
Related Blog Posts
Every company has cyber risk. Learn how Cyber Liability insurance can help your company manage this risk and protect your business now.