An Illinois biometric privacy law that has spawned a blizzard of class action lawsuits in Illinois and even other states does not run afoul of a provision of the Illinois state constitution by exempting Illinois’ state and local governments, as well as banks and financial institutions, a federal judge has ruled.
On Nov. 29, U.S. District Judge Virginia M. Kendall rejected the attempt by vending machine supplier Compass Group USA to sidestep a class action lawsuit by asserting the law known as the Illinois Biometric Information Privacy Act conflicts with the state constitution’s prohibition on so-called “special legislation.”
Illinois lawmakers’ “decision to exclude government agencies and financial institutions was rationally related to BIPA’s legitimate government interest in protecting Illinois residents’ privacy,” Judge Kendall wrote. “Those two categories of institutions already had privacy safeguards in place, so imposing additional obligations on them would have been minimally efficacious.”
Attorney Douglas Werman
| Werman Salas P.C.
Last year, attorneys with the Chicago-based firm of Werman Salas filed a class action suit against Compass Group in Cook County Circuit Court, on behalf of named plaintiff Christine Bryant.
North Carolina-based Compass Group is a foodservice company that specializes in supplying vending machine kiosks to other companies to install in employee break rooms or lounges in office buildings and other workplaces. To use the machines, customers create an account, and then scan their fingerprints to prove their identities each time they make a purchase.
Bryant was not employed by Compass Group. Rather, she was employee of another company, which operated a call center in Rockford. According to the complaint, Bryant worked for that company for six months in 2018. During that time, Bryant said she scanned her fingerprint on Compass Group’s “Smart Market” vending machines in her employer’s cafeteria. She claimed she was directed by her employer to set up an account with Compass Group to use the vending machines when she was hired.
Her former employer is not named as a defendant in the lawsuit.
In the lawsuit, Bryant asserted Compass Group violated the Illinois BIPA law when its vending machines scanned her fingerprints and those of many others who used their products in Illinois, without first notifying users in writing that it was capturing and storing their fingerprints, and without first obtaining their written consent to capture and store the scanned prints.
Bryant also accused the company of violating a BIPA provision which she alleges requires companies, like Compass, to provide users whose fingerprints have been scanned, with written guidelines concerning how long the company would retain the fingerprint scans and ultimately destroy them.
While the law states the company has three years from the date of the user’s final interaction with its products to provide such a schedule, Bryant’s lawyers argued the court should close the door on that notice period, in Bryant’s case, at the moment she stopped working at the call center, not three years later.
Bryant’s allegations were very similar to any of the other mountain of class actions that continues to grow in Cook County courts and elsewhere under BIPA. Most of the actions to date target employers who require workers to scan their fingerprints to prove their identities when punching the clock for work shifts.
However, a large number also have targeted Facebook and other social media and tech companies over photo tagging and other technologies that create and store biometric templates of people’s faces and other unique physical identifiers.
A class action against Facebook, for instance, has resulted in a $650 million settlement.
After Bryant filed her lawsuit, Compass Group removed the case to federal court to escape the Cook County courts, which have a reputation for being more friendly to plaintiffs.
After failing to persuade both a federal district judge and the U.S. Seventh Circuit Court of Appeals that Bryant lacked standing under federal law to continue her lawsuit, Compass Group moved to kill the Illinois BIPA law itself.
The company argued the law violated the Illinois state constitution’s ban on laws that grant “a special benefit or exclusive privilege on a person or a group of persons to the exclusion of others similarly situated.” This provision is generally known as the state constitution’s “special legislation” provision.
Compass Group noted the BIPA law specifically exempts Illinois state and local governments from being sued, and also similarly protects financial institutions, which should make the law unconstitional special legislation.
Those claims have been leveled by other defendants against other BIPA-related class actions. To date, Judge Kendall noted other judges in federal court and Illinois state court have also rejected them.
In her decision, Judge Kendall said those exclusions don’t contradict the special legislation ban, because they are not out of step with the state government’s intention to allow these lawsuits to move forward against entities who might have a “profit motive to exploit individuals’ biometric information.”
She noted banks and other financial institutions were “likely excluded” from BIPA’s reach because “they are already subject to a comprehensive privacy protection regime under federal law.”
As for state and local government agencies, Kendall said they already enjoy so-called “sovereign immunity” under Illinois law, limiting the ability to sue them.
Further, she said, her reading of the legislative record – the record of the discussions held by lawmakers when considering a new law – indicated that lawmakers believed the state would “assess threats to privacy caused by governments’ possession of personal information in a different way – namely, by forming a study committee to review agencies’ policies and practices…”
The decision does not indicate if such a committee was ever empaneled or what conclusions it may have reached, or if it resulted in any substantive action by the state government.
Further, she said, government agencies can be exempted from BIPA and its lawsuit threat because they have “no profit motive … so the perceived dangers associated with possession of sensitive information are less severe…”
In the ruling, Judge Kendall also trimmed Bryant’s claims, ruling that she can’t sue the company over its alleged failure to provide her with the allegedly required data retention and destruction schedule.
The judge noted the law gives them three years to do so, and the status of Bryant’s employment at the Rockford call center has no bearing on that timeframe.
Bryant’s “desire to purchase items from Smart Market machines is unrelated to her employment,” Judge Kendall wrote. “She may still wish to go to a Smart Market machine located in any number of places to buy herself a snack.
“She gave Compass Group her fingerprint so that she could use the machines; her use of the machines was not tied to her employment.”
Compass Group is represented by attorneys Molly K. McGinley and Joseph C. Wylie II, of K&L Gates LLP, of Chicago.