CYBER RISK CLIENT ALERT: Facebook Settles Its BIPA Suit for $550 Million While Damage and Jurisdiction Issues Remain

by

All eyes are on the recent settlement in Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019), where a group of class-action plaintiffs (“Class”) alleged that Facebook violated Illinois’ Biometric Information Privacy Act (“BIPA”). Patel had already received a lot of attention primarily because the Ninth Circuit found Article III standing in the absence of actual harm.

Patel settled for a massive $550 million. This is the largest cash settlement seen in a privacy-related suit according to the parties, which is creating a lot of new-found interest in BIPA with speculation on how the settlement amount will impact future claims.

Currently, the damages calculation under BIPA is clouded by uncertainty.  The statutory language in Section 20 provides that “[a] prevailing party may recover for each violation.” (emphasis added).  The question becomes: What is a violation?  Is it each of the defendant’s wrongful retention, collection, and destruction of an individual’s biometric data provided for in Section 15, or is it each time the individual’s biometric information is utilized? These alternatives lead to drastically different results. So too does the way the biometric data is used, i.e. clocking in to work versus utilizing biometrics on social media.  Plaintiffs advocate for the “per use” method to determine the number of violations, which do not seem to make sense in the time clock cases but in a social media scenario it is less clear.  The Class in Patel did not specify in its pleadings how it was alleging damages, apart from the rudimentary request of $5,000 per intentional or reckless violation and $1,000 per negligent violation. 

A time clock case was recently litigated in the Northern District of Illinois in Peatry v. Bimbo Bakeries United States, 393 F. Supp. 3d 766 (N.D. Ill. 2019).  There the defendant removed the lawsuit to federal court based on diversity jurisdiction and the Class Action Fairness Act.  The plaintiff moved to remand the case back to state court by contesting that the amount in controversy exceeded $75,000.  This resulted in the defendant, not plaintiff, claiming that “each violation” represents “each time [the plaintiff] clocked in and out of work.”  Id. at 768-69.  The plaintiff countered by arguing the defendant mischaracterized her allegations, and that she was only alleging three violations, one for each enumerated subsection of Section 15(b).  Judge Ellis found for Defendant and denied Plaintiff’s motion to remand the case back to state court, pointing to Section 15(d) that “makes it a violation to ‘disclose, redisclose, or otherwise disseminate’ biometric information, which suggests that each time [Defendant] allegedly disclosed [Plaintiff’s] biometric information by sharing it with a third-party vendor, a new violation occurred.”  Id. at 769 (omitting internal citations).  However, Judge Ellis clarified that it was the plaintiff’s inability to show “it is legally impossible for her to recover $5,000 per fingerprint scan” that determined her ruling, and that the court was leaving the determination of the undecided interpretation of BIPA’s damages for another day.  Id. at 770. Thus it remains unclear whether repeated dissemination to the same vendor is a separate BIPA violation.

The attention-grabbing Patel settlement, coupled with the Illinois Supreme Court’s ruling that actual harm is not necessary to bring a claim, is likely going to attract more lawsuits being brought under BIPA, but in which court?  Recent decisions in the Northern District of Illinois, such as McGinnis v. United States Cold Storage, Inc., No. 19-cv-00845, 2019 WL 7049921 (N.D. Ill. Dec. 23, 2019), have found that BIPA’s procedural harm alone is not enough to support standing in federal court.  Instead there needs to be a risk that the plaintiff’s data has been breached or there is an appreciable risk of a breach to satisfy the requirement of concrete harm under Article III.  This suggests that we may see a rise in BIPA lawsuits being filed in state court while defendants try to construe the allegations to meet diversity jurisdiction requirements, similar to Bimbo, and require plaintiffs to satisfy the concrete-harm requirement.   

It is unclear whether the settlement in Patel will drive future settlements. BIPA suits target employers primarily, with only a few companies being sued outside of the employer/employee relationship. The present uncertainty regarding how violations are determined, and thus how damages are calculated in BIPA claims suggests that there will be increasing litigation over these issues, at least until there is legislative action or court interpretation providing guidance. Segal McCambridge will continue to stay current on important legislative amendments and judicial rulings that provide guidance on these issues relevant to our clients.  

For further information regarding BIPA or privacy laws generally, contact Joseph Kish, jkish@smsm.com or 312.644.3538.

Get Updates By Email

Blog Contributors