A state appeals panel has agreed a trial court was correct to dismiss a class action accusing Apple of violating a biometric privacy law because, while Apple devices may scan their faces and fingerprints, the plaintiffs haven't shown Apple actually every retained those scans.
Plaintiffs David Barnett, Ethel Burr and Michael Henderson sued Apple in Cook County Circuit Court in June 2021, alleging the company violated the Illinois Biometric Privacy Information Act through the fingerprint and facial recognition features of its phones, tablets and computers. According to their class action complaint, Apple didn’t have a written policy regarding retention and destruction of personal biometric data, nor did it obtain written consent before obtaining the information, actions allegedly required by the BIPA law before the company could scan their so-called biometric identifiers.
Cook County Judge Neil Cohen dismissed the complaint in January.
Although Apple iPhone, iPad and MacBook devices use either Touch ID or Face ID technology to recognize individual fingerprint and facial data to unlock the devices or log in to Apple Pay and App Store platforms, the equipment doesn’t store a user’s biometric data, the judge determined. Rather, the biometric software uses scanned images to “create a unique mathematical representation.”
The plaintiffs challenged Cohen’s opinion before the Illinois First District Appellate Court.
Justice Sharon Oden Johnson wrote the opinion, issued Dec. 23; Justices Carl Walker and Sanjay Tailor concurred.
“The word ‘possession’ is not defined in” BIPA, Johnson wrote.
And although the plaintiffs alleged “Apple ‘possesses’ their information because Apple software collected and analyzes their information,” the panel found the argument improperly equates the company with its products.
“In essence, plaintiffs are arguing that, since they chose to employ Apple’s optional software to collect, analyze and store their own information on their own devices, they handed control over their information to Apple,” Johnson wrote. “Based on the facts alleged by plaintiffs, it seems as though Apple designed these features almost with the express purpose of handing control to the user. The features are completely elective. In fact, the user must undertake a series of steps in order to use them.”
The panel said the complaint underscored this point by inclusion of step-by-step photos for using Face ID and Touch ID. The process established the devices and Apple’s software are tools, “but it is the user herself who utilizes these tools to capture her own biometric information.”
Notably, the complaint has no allegations Apple stores fingerprint or facial scans on separate servers or that there is an impediment preventing users from deleting their locally stored data. Apple can remotely update devices, but the complaint is silent regarding what affect those updates have on the challenged features.
“A complaint must plead facts not possibilities,” Johnson wrote. “Although we are at an early stage of the litigation, plaintiffs did not seek to amend their complaint after these points were made in the court below. Given the facts alleged by plaintiffs, we cannot find that Apple possesses plaintiffs’ biometric information.”
The panel likewise rejected plaintiffs’ allegations that Apple collected and captured private data in violation of BIPA.
“To the extent that the information was captured or recorded in a permanent file, that permanent file was on the user’s own device,” Johnson wrote, adding the data “remained in a multitude of different and distinct places, namely, the millions of devices of Apple’s numerous users.”
The decision marked a rare win for defendants against an onslaught of thousands of class action lawsuits under the BIPA law. The lawsuits have famously extracted settlements worth hundreds of millions of dollars from tech giants, including Facebook and Google, while generating a steady stream of settlements from smaller defendants, like employers sued for requiring workers to scan fingerprints to punch workplace timeclocks to track their hours worked, or to verify their identity when accessing secure areas in the workplace.
The settlements have been generated under the unpredictable threat of trials, at which many millions or even billions of dollars could be at stake under the law's plaintiff-friendly provisions. Illinois courts have notably ruled plaintiffs do not need to show they were ever actually harmed before moving forward with lawsuits capable of generating massive payouts that business defendants and advocates have described as "crippling" and ruinous.
A federal jury demonstrated the truth behind those warnings, recently ordering freight rail operator BNSF to pay more than $238 million to a group of about 45,000 truck drivers who say the company broke the BIPA law by requiring the truckers to scan hand prints when entering Illinois rail yards, without first abiding by the BIPA law's notice and consent provisions. Plaintiffs' lawyers, however, say the award was actually too low. They have asked the court to adjust the award to more than $800 million.
The plaintiffs in the lawsuit against Apple have been represented by attorneys William Beaumont, of Beaumont Costales, Chicago; and Philip Fraietta, of Bursor & Fisher, New York.
Apple’s representation includes attorneys Raj N. Shah, Eric M. Roberts, and Yan Grinblat, of the firm of DLA Piper, of Chicago and San Francisco; and Joshua G. Vincent and Kimberly A. Jansen, of Hinshaw & Culberston, of Chicago.
Jonathan Bilyk contributed to this report.