District Court refuses to enforce choice-of-law provision, allows individual state data privacy claims to proceed

Privacy/Cyber Risk & Data Security Courts State Issues Washington Illinois BIPA

On March 30, the U.S. District Court for the Northern District of Illinois denied a global tech company’s bid to dismiss class action Illinois Biometric Information Privacy Act (BIPA) claims. Plaintiffs (Illinois residents) sued the company alleging it violated BIPA by applying image recognition technology to photos uploaded to subscribers’ account without receiving informed written consent. Plaintiffs also claimed the company failed to establish a file retention schedule and deletion guidelines as required by state law. The company argued that the terms of use agreed to by the subscribers contain a choice-of-law provision stating that the laws of Washington State govern the conditions of use and any disputes. The court disagreed, stating that Washington’s biometric protection statute does not provide for a private cause of action and is therefore contrary to Illinois’ fundamental public policy. “The fact that BIPA creates a private cause of action underscores the importance Illinois places on an individual’s right to control their biometric information,” the court said. “Applying Washington law would rob plaintiffs of control over their individual biometric information, instead leaving it to Washington’s attorney general to bring suit.” The court also held that Illinois has a greater material interest in the dispute than Washington. The court allowed the plaintiffs’ claims regarding consent to proceed in federal court but remanded the other claims to the Cook County Circuit Court.