This blog is cross-posted on the Consumer Class Actions blog site as well.

Throughout much of 2023, businesses found themselves in a challenging position as they continued to grapple with defending against Illinois Biometric Information Privacy (BIPA) class action lawsuits. The year began on a somber note with the Illinois Supreme Court delivering unfavorable decisions on two pivotal threshold matters. However, rays of hope emerged when the same court issued two favorable decisions, one affirming union preemption, and another concerning medical exemptions under BIPA. These welcomed developments provided a reprieve for businesses contending with the longstanding challenges posed by the statute. As we navigate the complexities of BIPA, it becomes crucial for businesses to recognize and consider the various exemptions embedded within the legislation—many of which have proven effective in legal defenses over the past few years.

Procedural History of BIPA

Enacted in 2008, BIPA regulates the collection, use, and handling of biometric identifiers and information by private entities. After a relatively quiet period spanning nearly a decade, the statute experienced a significant surge in activity following the landmark decision in Rosenbach v. Six Flags (2019 IL 123186). This ruling established that a plaintiff need not plead actual harm or injury resulting from an alleged BIPA violation to seek relief under the Act. Subsequently, more than 1,500 BIPA lawsuits have been filed in Illinois.

The statute, having been largely untested before Rosenbach, gave rise to a series of critical threshold matters in the years that followed, many of which proved unfavorable for Illinois businesses. For instance, in early 2022, the Illinois Supreme Court, in McDonald v. Symphony (2022 IL 126511), decided that the Illinois Workers’ Compensation Act did not preempt BIPA. Approximately a year ago, the Illinois Supreme Court issued two highly anticipated decisions. First, in Tims v. Black Horse Carriers (2023 IL 127801), the Court held that the “catch-all” five-year statute of limitation under 735 ILCS 5/13-205 applies to all BIPA claims, as opposed to the one-year limitation period provided under 735 ILCS 5/13-201. Two weeks later, in Cothron v. White Castle (2023 IL 128004), the Court held that a claim under BIPA accrues each time a person scans or otherwise transmits biometric information.

While the White Castle decision initially reverberated through Illinois businesses facing potential exposure under BIPA, a careful examination of the ruling offers guidance and optimism for businesses navigating their defenses. At a point where many in the plaintiffs’ bar were ready to seize on separate $1,000 (negligent) or $5,000 (reckless/intentional) statutory damages for each scan, the high court reminded and acknowledged that a trial court has the power to fashion a damage award that fairly compensates the class and deters future violations without destroying a defendant’s business. 2023 IL 128004, ¶ 42. The majority seems to advocate for a sensible approach to damages under the statute, recognizing necessity for robust incentives for compliance while emphasizing that “the General Assembly chose to make damages discretionary rather than mandatory under the Act” and underscoring that “there is no language in the Act suggesting legislative intent to authorize a damage award that would result in the financial destruction of a business.” Id.

Although the majority’s decision held that a statute should be adopted “even though the consequences may be harsh, unjust, absurd or unwise,” id. ¶ 40, the Illinois Supreme Court, like state and federal courts throughout the country, has applied a contrary rule known as “the absurdity doctrine,” which holds: “[w]e will not make any determination that will construe an act of the legislature so as to lead to absurd, inconvenient or unjust consequences.” Loyola Academy v. S&S Roof Maintenance, Inc., 146 Ill. 2d 263, 273 (1992), citing McCastle v. Sheinkop, 121 Ill. 2d 188, 193 (1987); see also Evans v. Cook County State’s Attorney, 2021 IL 125513, ¶ 27 (“Statutes must be construed to avoid absurd or unjust results.”) (emphasis added), citing People v. Hamma, 207 Ill. 2d 486, 498 (2003). Citing this fundamental rule of statutory construction, the dissenting opinion in Cothron argued that the legislature could not have intended to impose punitive, crippling liabilities on businesses “wildly exceeding any remotely reasonable estimate of harm.” Cothron, ¶ 63. In response, the majority held that the risk of such “absurd” consequences is overblown. Accordingly, the most reasonable interpretation of Cothron’s holding is not that it embraces or invites absurd results, but that it requires trial courts applying BIPA’s non-mandatory damages provision to fashion appropriate remedies that are fair, equitable and suited to the circumstances of each case. The majority also makes clear that such damages should be tailored to deter future violations “without destroying defendant’s business.” Id., ¶ 42.

The White Castle decision firmly underscores the discretionary nature of damages under BIPA, emphasizing the importance of proportionality. However, Illinois businesses shouldn’t hold out hope that a jury will be so mindful. In recent years, businesses have achieved success by strategically leveraging applicable exemptions, and the Illinois Supreme Court’s recent recognition for certain exemptions, further underscores the need for businesses in Illinois to thoroughly explore every available avenue for exemptions. Therefore, it’s imperative for Illinois businesses to meticulously examine and leverage any relevant exemptions to navigate the challenging landscape of BIPA.

Health Care Worker Medical Exemption

At the end of 2023, the Illinois Supreme Court issued a rarity – a favorable decision for Illinois medical providers defending against BIPA lawsuits. On November 30, 2023, the high court delivered a long-awaited ruling in Mosby v. The Ingalls Memorial Hospital (2023 IL 129081), providing clarity on the protection status of biometric information collected from health care workers under BIPA. The case addressed certified questions relating to whether (1) BIPA applies to health care workers (as opposed to patients) and whether, more narrowly, (2) biometric information collected from a health care worker, when utilized for purposes related to health care treatment, payment, or operations as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), falls within BIPA’s purview. Id., ¶ 1. Answering both certified questions in the affirmative, the Court’s decision established that when health care worker data is gathered for HIPAA-defined health care activities, it is exempt from BIPA protection. Id., ¶ 59.

In Mosby, nurses brought forth a putative class action, alleging that their biometric information was collected for identification purposes before administering medication to patients through use of an automated medication dispensary system. Id., ¶ 5. Both the trial court and the Illinois Appellate Court had previously determined that these collections were subject to BIPA, contending that BIPA’s exclusions for activities “under HIPAA” were primarily designed to safeguard patient data, not data pertaining to health care workers. Id., ¶¶ 7-8.

BIPA’s relevant exception states: “Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.” Id., ¶ 35. The Court, reversing the trial and appellate courts, applied principles of statutory construction, and emphasized that the use of the term “information” at the beginning of both phrases, separated by the disjunctive “or,” implied legislative intent to exclude two distinct categories of information. Id., ¶¶ 41-42, 52. Furthermore, the Court clarified that the term “under HIPAA” defined the scope of “health care treatment, payment, or operations” and that these terms pertained to activities performed by health care providers, not patients. Id., ¶ 53.

Nevertheless, the Court emphasized that it did not establish a sweeping, categorical exclusion of biometric identifiers from health care workers. Id., ¶ 57. Instead, the exclusion applied only when such information was collected for health care treatment, payment, or operations under HIPAA. Id. The extent to which lower courts will interpret and apply the Mosby decision, particularly in contexts beyond medication dispensing (i.e. time clock medical cases), remains a topic for future debate, and potentially another appellate review.

Union Exemption

Last year, the Illinois Supreme Court also gave employers a favorable decision when it decided that Section 301 of the Labor Management Relations Act (LMRA) preempts BIPA claims brought by bargaining unit employees covered by a collective bargaining agreement (CBA) where there is a broad management rights clause.

In Walton v. Roosevelt University (2023 IL 128338), the plaintiff alleged that he was required to scan biometric identifiers for timekeeping without being given notice and providing written consent, as required under BIPA. The trial court rejected Roosevelt University’s argument that the plaintiff’s claims were preempted by Section 301 of the LMRA. The Illinois Appellate Court reversed the trial court, relying on a 2021 Seventh Circuit BIPA decision in Fernandez v. Kerry, Inc., 14 F.4th 644, 646 (7th Cir. 2021), and explained that “when the employer invokes a broad management rights clause from a [CBA] in response to a [BIPA] claim, the claim is preempted because it requires an arbitrator to determine whether the employer and the union bargained about the issue or the union consented on the employees’ behalf.” See 2022 IL App (1st) 210011, ¶ 19.

Affirming the appellate court’s decision, the Illinois Supreme Court held that, “[g]iven the language in the CBA and the LMRA, it is both logical and reasonable to conclude any dispute [under BIPA] must be resolved according to federal law and the agreement between the parties. Therefore . . . we defer to the uniform federal case law on this matter and find that when an employer invokes a broad management rights clause from a CBA in response to a [BIPA] claim brought by bargaining unit employees, there is an arguable claim for preemption. Accordingly, because we do not believe the federal decisions were wrongly decided, and here the CBA contained a broad management rights clause, we find Walton’s [BIPA] claims are preempted by the LMRA.”

Although the ruling doesn’t entirely prohibit a BIPA claim by a bargaining unit employee under a CBA, Walton confirms the legitimacy of a preemption defense for employers who have established CBAs with expansive management rights clauses that may encompass mandated actions pertaining to BIPA claims. In such cases, employee claims under BIPA must adhere to the procedures specified in the relevant CBA, potentially involving individual private arbitration rather than class-wide proceedings.

Virtual Try-On Medical Exemption

As the plaintiffs’ bar continued to find creative ways to move beyond time clock BIPA cases, one trend included targeting businesses offering virtual try-on features for consumers to try various products at home, including glasses and makeup, through the use of a consumer’s computer or phone camera. But in September 2022, the court held in Svoboda v. Frames for America, Inc. (2022 WL 4109719 (N.D. Ill. Sept. 8, 2022)), that BIPA did not regulate the virtual try-on tool in this instance because it fell under the statute’s health care exemption.

Frames for America, Inc., which operates FramesDirect.com (an online platform selling prescription and non-prescription eyewear), offered a virtual feature on its website that allowed consumers to digitally try on glasses or sunglasses. The plaintiff alleged that Frames for America utilized software to scan a consumer’s facial geometry from a uploaded photograph and then digitally superimposed the eyewear on the consumer’s face. Id. at *1. Applying the same crucial exemption as in Mosby, the court dismissed the plaintiff’s complaint, reasoning that she qualified as a “patient receiving a health care service in a health care setting” when using the virtual try-on tool. Id. at *3. Even though the plaintiff did not seek medical treatment, consult an eye doctor, or make a purchase during the virtual try-on experience (id. at *1), the court concluded that “prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses are all Class 1 medical devices.” Id. at *2. Consequently, the court held that the plaintiff “would have received a health care service had she purchased the glasses….” Id. Drawing an analogy, the court equated the virtual try-on feature in this case to services offered in optometrists’ offices. Id.

Illinois businesses providing a virtual try-on tool must meticulously assess the applicability of the medical exemption, particularly in situations where a potential connection can be argued between the product offered and a medical service. This careful analysis is crucial to navigate the complex regulatory landscape and ensure compliance, or exemption, with relevant statutes.

State Contractor Exemption

BIPA explicitly states that private entities that are “a contractor, subcontractor, or agent of a State or local unit of government when working for that State agency or local unit of government” are not subject to its mandates. (BIPA, Section 25(e)). While the exemption for state contractors under Section 25(e) has not been extensively explored by reviewing courts, the sole appellate decision addressing this provision, in Enriquez v. Navy Pier, Inc., clarifies that an entity qualifies for exemption if it meets three criteria: (1) it is a contractor, (2) of a unit of government, and (3) was working for that unit of government when collecting or disseminating biometric information. 2022 IL App (1st) 211414-U, ¶ 19, appeal denied, 201 N.E.3d 582 (Ill. 2023).

This interpretation aligns with previous rulings by trial courts, as exemplified in Thornley v. CDW-Government, LLC, 2022-CH-04246 (Cir. Ct. Cook Cty., Ill. June 25, 2001). The court in Thornley dismissed a class action lawsuit, reasoning that Section 25(e) of BIPA is straightforward and unambiguous. According to the court, the term “working” is commonly understood to mean “relating to or designating one that works,” leading to the conclusion that Section 25(e) applies to “one whom a state agency or local unit of government engages to … provide services….” The appellate court’s ruling in Enriquez not only affirms this interpretation but also provides a comprehensive analysis and a clear roadmap for businesses contracted to provide services for a state agency or local unit of government seeking to assert a defense under BIPA.

Financial Institution Exemption

According to Section 25(c) of BIPA, the provisions of the Act do not apply “in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 [GLBA] and the rules promulgated thereunder.” In a notable 2022 case, DePaul University successfully had a BIPA class action lawsuit dismissed by invoking this financial institution exemption. The plaintiff had alleged that the university violated BIPA by using an online remote proctoring tool that purportedly captured, collected, and stored plaintiff’s biometric information. Powell v. DePaul Univ., 2022 WL 16715887, at *1 (N.D. Ill. Dec. 6, 2022).

DePaul University argued that its participation in U.S. Department of Education’s Federal Student Aid Program qualified it as a financial institution under the GLBA. Id. Supporting its stance, DePaul highlighted the acknowledgment by both the Federal Trade Commission (FTC) and the Department of Education that universities fall under the definition of financial institutions as per the GLBA. Id. Moreover, DePaul emphasized that rulemaking authority for Title V lies with the Consumer Financial Protection Bureau, which adopted and republished the privacy rules initially promulgated by the FTC. Id. at *2. According to the FTC rules, any institution “significantly engaged in financial activities” is considered a financial institution. Id. The court sided with DePaul, concluding that BIPA’s Section 25(c) applies to higher education institutions. The court was swayed by DePaul’s reliance on the FTC’s consistent and reasoned interpretation of the GLBA it administers. Id.

Despite being in the context of higher education, this decision should prompt any Illinois business facing BIPA claims to carefully analyze its reporting obligations and affiliations to determine whether they are in fact subject to Title V of the GLBA, and/or the rules promulgated thereunder.


Aside from analyzing compliance with and exposure under BIPA, Illinois businesses should be mindful of the everchanging landscape of the statute as lawsuits continue to progress. Businesses falling short of compliance standards should thoroughly examine whether any applicable BIPA exemptions may provide relief.

For further information, or to initiate a comprehensive review and audit of your BIPA compliance, feel free to reach out to Kristine Argentine, National Chair of Seyfarth Shaw’s Consumer Class Action Defense Practice Group, or Paul Yovanic, a seasoned BIPA litigator and counselor within the practice group.

This blog has been cross-posted on the Consumer Class Defense site.

Anyone following trends in consumer class action litigation will know that consumer privacy was a primary focus of the plaintiff’s bar in 2023. And there are no signs this uptick in consumer privacy claims is slowing any time soon. Although the claims center around use of tracking technology or analytics functions on consumer facing websites, several different statutes and claims have been asserted, including violations of state wiretap statutes and the Video Privacy Protection Act (“VPPA”).  

Although these cases are largely at the motion to dismiss stage, and therefore there is little insight into how certain key defenses will play out, some recent decisions surrounding VPPA claims have shifted the landscape in certain defendant’s favor.

Continue Reading Is the Video Privacy Protection Act Losing its Allure?

Employers looking to enhance their suite of employee benefit programs, and focused on lessons learned during the pandemic on wellbeing, are interested in providing greater access to wellness tools. And, the vendors who support those tools are more than happy to provide them. Global spend in the health and wellness market would be around $24.8 billion in 2023 according to a study by Kilo Health. Wellness apps and wearables abound in all sorts of areas — from counting steps to nutrition to mental health to physical fitness to financial fitness. These tools are relatively inexpensive to provide and easily accessible to the workforce – many times with just a simple download to a smartphone. And, best of all they’re completely private with no middle man, and only the employee seeing their own data and progress. Right? Well — not so fast.

Continue Reading Wellness Apps and Privacy

With so many companies being hauled into court in California based on claims that the functionalities on their website and use of service providers for marketing or analytics purposes violate consumer privacy rights, it is important to exhaust all possible defenses available to defendants. Late last year, the Ninth Circuit issued a ruling upholding a dismissal based on a lack of personal jurisdiction over a web-based payment company. Companies operating interactive websites may be able to take advantage of this ruling as part of their defense strategy in 2024.

Continue Reading Ninth Circuit Opinion Supports Personal Jurisdiction Defense for Interactive Websites

The California Privacy Protection Agency (“CPPA”) issued and discussed draft regulations on Cybersecurity Audits and Risk Assessments late in the summer. The CPPA Board plans to discuss the draft regulations at its upcoming December 8th public meeting, along with a presentation on the regulations. 

Continue Reading CPPA Considers Next Set of CPRA Regulations Covering Cybersecurity Audits and Risk Assessments

On October 5, 2023, Seyfarth offered a Masterclass, hosted by Lexology, which was designed to familiarize in-house counsel and privacy professionals, in and out of Washington state, with the My Health My Data Act legislation. Portions of the Act are already in effect and go into further effect on March 31, 2024.

We explored its obligations and its wide reach, specifically addressing how to identify: (1) who must comply; (2) who gets new rights and protections; and (3) what data is covered, since all of these are more wide-reaching than it may appear to the casual observer of state privacy legislation.

This session also uncovered significant “sleeper” compliance obligations and provided practical insight and actionable steps to use when guiding business teams.

You can access the video recording here, or click here to download the presentation slides.

As organizations begin renewing and entering into new contractual relationships for 2024, an oft-forgotten aspect of the contracting process is determining whether a Business Associate Agreement (a “BAA”) is required. Under HIPAA, health care providers, health plans and health care clearinghouses (“Covered Entities”) are required to enter into BAAs with any vendor (“Business Associate”) that may have access to Protected Health Information (“PHI”). Many organizations operate under a misconception that they are not subject to HIPAA if they are not in the health care industry but, in fact, HIPAA’s reach is much broader than that. For example, organizations that sponsor health plans, including employers that sponsor self-funded plans, are responsible for their health plans’ compliance with HIPAA, including the requirement to enter into BAAs with plan vendors. As another example, information technology organizations providing services to employers that offer health plans may be asked to sign a BAA as a Business Associate if they have access to data on the employer’s systems that may constitute PHI.

Continue Reading Top 5 Reasons to Remember Your Business Associate Agreements This Fall

Thursday, October 5, 2023
1:00 p.m. – 2:00 p.m. ET
12:00 p.m. – 1:00 p.m. CT
11:00 a.m. – 12:00 p.m. MT
10:00 a.m. – 11:00 a.m. PT

REGISTER HERE

About the Program

Seyfarth is pleased to offer this Masterclass, hosted by Lexology, which is designed to familiarize in-house counsel and privacy professionals, in and out of Washington state, with the My Health My Data Act legislation. Portions of the Act are already in effect and go into further effect on March 31, 2024.

Join us as we explore its obligations and its wide reach, specifically addressing how to identify:

  1. who must comply
  2. who gets new rights and protections, and
  3. what data is covered

since all of these are more wide-reaching than it may appear to the casual observer of state privacy legislation.

The session will also:

  1. uncover significant “sleeper” compliance obligations and
  2. provide practical insight and actionable steps to use when guiding business teams.

We invite you to join us. You can register for free on Lexology’s site through the registration link above.

Speakers

Yana Komsitsky, Senior Counsel, Seyfarth Shaw

Neeka Hodaie, Associate, Seyfarth Shaw


If you have any questions, please contact Sophia Gomez at sgomez@seyfarth.com and reference this event.

On July 18, 2023, Oregon’s Governor Tina Kotek signed SB 619, which created the Oregon Consumer Privacy Act (“OCPA”). Oregon joins California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, and Texas, as the 12th state to enact a comprehensive consumer data privacy law.

Most provisions of the OCPA will take effect on July 1, 2024, with delayed compliance deadlines for honoring universal mechanisms consumers will use to exercise their right to “opt out” of a platform processing their personal information for certain purposes and for activities of tax-exempt organizations described in Section 501(c)(3) of the Internal Revenue Code. Notably, unlike most other state privacy laws, the OCPA exempts only certain nonprofit organizations. For activities of tax-exempt organizations described in Section 501(c)(3) of the Internal Revenue Code, the OCPA has a delayed effective date of July 1, 2025.

Continue Reading Oregon Enacts Consumer Privacy Act

Tuesday, September 12, 2023
2:00 p.m. to 2:30 p.m. Eastern
1:00 p.m. to 1:30 p.m. Central
12:00 p.m. to 12:30 p.m. Mountain
11:00 a.m. to 11:30 a.m. Pacific

REGISTER HERE

In the wake of recent, controversial Illinois Supreme Court decisions regarding BIPA claims, this webinar explores the implications of these decisions and what’s next on the horizon in BIPA litigation and compliance.

This webinar provides an update on BIPA litigation in both the lower and higher courts, including decisions recognizing BIPA exemptions and defenses.

The panelists also will discuss trends in privacy litigation, spurred by BIPA, including class actions asserting claims under GIPA, the Illinois Genetic Information Privacy Act.

Join us on September 12th.

Speakers

Danielle M. Kays, Senior Counsel, Seyfarth Shaw LLP
Ada W. Dolph, Partner, Seyfarth Shaw LLP


If you have any questions, please contact Donna Miskiewicz at dmiskiewicz@seyfarth.com and reference this event.

Learn more about our Workplace Privacy & Biometrics practice.This webinar is accredited for CLE in CA, IL, NJ, and NY. Credit will be applied for as requested for TX, GA, WA, NC and VA. The following jurisdictions may accept reciprocal credit with these accredited states, and individuals can use the certificate they receive to gain CLE credit therein: AZ, CT, NH. The following jurisdictions do not require CLE, but attendees will receive general certificates of attendance: DC, MA, MD, MI, SD. For all other jurisdictions, a general certificate of attendance and the necessary materials will be issued that can be used in other jurisdictions for self-application. Please note that attendance must be submitted within 10 business days of the program taking place. If you have questions about jurisdictions, please email CLE@seyfarth.com.