District court: BIPA does not violate Illinois constitution
On August 19, the U.S. District Court for the Southern District of Illinois denied defendants’ motion to dismiss claims that they unlawfully collected individuals’ biometric fingerprint data without first receiving informed consent. The court also addressed an argument as to whether the Illinois Biometric Information Privacy Act (BIPA) exemption for financial institutions violates the state’s constitution, ruling that the exemption applies only to institutions already subject to data protection standards of the Gramm-Leach-Bliley Act (GLBA) and therefore does not arbitrarily exempt financial institutions. According to the order, the plaintiff filed a putative class action against two companies (defendants) alleging they violated Section 15(b) of BIPA by unlawfully collecting employees’ biometric fingerprint data for timetracking purposes without informing employees in writing “of the purpose and period for which [their] fingerprints were being collected, stored, or used.” The plaintiff also claimed the defendants violated Section 15(a) of BIPA, which requires them to implement and follow a publically available biometric data retention and destruction schedule. The defendants filed a motion to dismiss, which presented several arguments, including that (i) the plaintiff failed to plead an actual injury and therefore lacked Article III standing; (ii) BIPA violates the state’s constitution because it imposes strict compliance requirements on certain entities but “arbitrarily” exempts “‘the entire financial industry’”; (iii) one of the defendants—a fingerprint database manager—qualifies as an exempt financial institution under BIPA; and (iv) the claims are time-barred and barred by waiver or equitable estoppel.
The court disagreed, allowing the plaintiff’s informed consent claims under Section 15(b) to proceed, noting, among other things, that BIPA’s financial institution exclusion is not “‘artificially narrow’ in its focus since both exempt and non-exempt financial institutions are subject to data reporting laws, with neither group receiving a benefit the other does not.” The court further noted that it has no indication in the pleading or declaration filed in motion practice that the fingerprint database manager defendant is a financial institution subject to the GLBA. However, the court remanded part of the suit back to state court. According to the court, the plaintiff’s Section 15(a) claims were not sufficient to establish Article III standing because this section “does not outline an entity’s duty to an individual” but rather “outlines a duty to the public generally.”