On November 29, 2020, a federal district court in Chicago ruled in Bryant v. Compass Group USA, Inc.[1] that Illinois’ Biometric Information Privacy Act (BIPA)[2] did not violate the Illinois constitution. The BIPA created a comprehensive set of rules for regulated companies that collect biometric data from Illinois residents, such as fingerprints and retina scans. In general, these companies must implement a policy for: (1) informing those from whom biometric information is collected of the fact that the information is being collected and for what purpose; (2) obtaining consent from those whose biometric information is collected to the use of the information for the purposes described in the policy and any potential dissemination of that information to third parties; and (3) a publicly available “retention schedule” for the information.
Liability under the BIPA is draconian. It carries penalties that could exceed $5,000 per violation and does not require a data breach, wrongful disclosure, or actual injury to the consumer. As a result, the BIPA has fueled many class action lawsuits.
In Bryant, the Plaintiff filed a class action lawsuit under the BIPA after her fingerprint scan was collected when she signed up to use a smart vending machine. Bryant alleged that Compass Group violated Section 15(a) of BIPA by possessing her biometric information and failing to destroy that information once the purpose for collecting it was complete.
In moving to dismiss Bryant’s Complaint, Compass Group raised a constitutional challenge to the BIPA. The Illinois state constitution provides that the Illinois general assembly “shall pass no special or local law when a general law is or can be made applicable.” The Illinois Supreme Court has held that this language “prohibits the General Assembly from conferring a special benefit or exclusive privilege on a person or a group of persons to the exclusion of others similarly situated.”
Compass Group argued that the BIPA conferred such a special benefit or exclusive privilege on the certain types of entities which are excluded from the BIPA and are therefore not subject to its requirements. Specifically, the BIPA excludes financial institutions, affiliates of financial institutions that are subject to the Gramm-Leach-Bliley Act, government agencies, and government contractors working in the capacity as contractors.
To prevail on this constitutional challenge, Compass Group had to establish that this exclusion was not rationally related to a legitimate government interest. The Court found that the Compass Group failed to do so, stating that “[t]he Illinois General Assembly’s decision to exclude certain entities from BIPA’s coverage is eminently rational.” The Court pointed out that financial institutions were excluded because they are already subject to comprehensive privacy protection requirements under federal law. The Court further pointed out that government agencies are already generally entitled to sovereign immunity. The Court noted further that the Illinois “…General Assembly planned to assess threats to privacy caused by governments’ possession of personal information in a different way—namely, by forming a study committee to review agencies’ policies and practices with respect to collection and storage of biometric identifiers.”[3] The Court held that because privacy safeguards are already in place, imposing the BIPA’s additional requirements on the excluded entities “would have been minimally efficacious.”
Joseph Messer has vast experience litigating claims under privacy laws such as the BIPA, the Fair Credit Reporting Act and the Telephone Consumer Protection Act. If you need assistance with claims under privacy laws or compliance matters feel free to contact Mr. Messer at jmesser@messerstrickler.com or (312) 334-3440.
[1] 2020 U.S. Dist. LEXIS 222219 (N.D. Ill. Nov. 29, 2020)
[2] 740 ILCS 14/1, et seq.
[3] This committee was supposed to review current policies and practices and make recommendations for improvement by January 2009. Query if this ever happened or whether action was taken on any such recommendations.