CYBER RISK CLIENT ALERT: Facebook Settles Its BIPA Suit for $550 Million While Damage and Jurisdiction Issues Remain
All eyes are on the recent settlement in Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019), where a group of class-action plaintiffs (“Class”) alleged that Facebook violated Illinois’ Biometric Information Privacy Act (“BIPA”). Patel had already received a lot of attention primarily because the Ninth Circuit found Article III standing in the absence of actual harm.
Patel settled for a massive $550 million. This is the largest cash settlement seen in a privacy-related suit according to the parties, which is creating a lot of new-found interest in BIPA with speculation on how the settlement amount will impact future claims.
Currently, the damages calculation under BIPA is clouded by uncertainty. The statutory language in Section 20 provides that “[a] prevailing party may recover for each violation.” (emphasis added). The question becomes: What is a violation? Is it each of the defendant’s wrongful retention, collection, and destruction of an individual’s biometric data provided for in Section 15, or is it each time the individual’s biometric information is utilized? These alternatives lead to drastically different results. So too does the way the biometric data is used, i.e., clocking in to work versus utilizing biometrics on social media. Plaintiffs advocate for the “per use” method to determine the number of violations, which does not seem to make sense in the time clock cases; in a social media scenario it is less clear. The Class in Patel did not specify in its pleadings how it was alleging damages, apart from the rudimentary request of $5,000 per intentional or reckless violation and $1,000 per negligent violation.
A time clock case was recently litigated in the Northern District of Illinois in Peatry v. Bimbo Bakeries United States, 393 F. Supp. 3d 766 (N.D. Ill. 2019). There the defendant removed the lawsuit to federal court based on diversity jurisdiction and the Class Action Fairness Act. The plaintiff moved to remand the case back to state court by contesting that the amount in controversy exceeded $75,000. This resulted in the defendant, not plaintiff, claiming that “each violation” represents “each time [the plaintiff] clocked in and out of work.” Id. at 768-69. The plaintiff countered by arguing the defendant mischaracterized her allegations, and that she was only alleging three violations, one for each enumerated subsection of Section 15(b). Judge Ellis found for Defendant and denied Plaintiff’s motion to remand the case back to state court, pointing to Section 15(d) that “makes it a violation to ‘disclose, redisclose, or otherwise disseminate’ biometric information, which suggests that each time [Defendant] allegedly disclosed [Plaintiff’s] biometric information by sharing it with a third-party vendor, a new violation occurred.” Id. at 769 (omitting internal citations). However, Judge Ellis clarified that it was the plaintiff’s inability to show “it is legally impossible for her to recover $5,000 per fingerprint scan” that determined her ruling, and that the court was leaving the determination of the undecided interpretation of BIPA’s damages for another day. Id. at 770. Thus it remains unclear whether repeated dissemination to the same vendor is a separate BIPA violation.
The attention-grabbing Patel settlement, coupled with the Illinois Supreme Court’s ruling that actual harm is not necessary to bring a claim, is likely to attract more lawsuits under BIPA, but in which court? Recent decisions in the Northern District of Illinois, such as McGinnis v. United States Cold Storage, Inc., No. 19-cv-00845, 2019 WL 7049921 (N.D. Ill. Dec. 23, 2019), have found that BIPA’s procedural harm alone is not enough to support standing in federal court. Instead, there needs to be a risk that the plaintiff’s data has been breached or there is an appreciable risk of a breach to satisfy the requirement of concrete harm under Article III. This suggests that we may see a rise in BIPA lawsuits being filed in state court while defendants try to construe the allegations to meet diversity jurisdiction requirements, similar to Bimbo, and require plaintiffs to satisfy the concrete-harm requirement.
It is unclear whether the settlement in Patel will drive future settlements. BIPA suits target employers primarily, with only a few companies being sued outside of the employer/employee relationship. The present uncertainty regarding how violations are determined, and thus how damages are calculated in BIPA claims, suggests that there will be increasing litigation over these issues, at least until there is legislative action or court interpretation providing guidance. Segal McCambridge will continue to stay current on important legislative amendments and judicial rulings that provide guidance on these issues relevant to our clients.
For further information regarding BIPA or privacy laws generally, contact Joseph Kish, firstname.lastname@example.org or 312.644.3538.