Seyfarth Synopsis: In Sosa v. Onfido, Inc., No. 20-CV-4247, 2022 U.S. Dist. LEXIS 74672 (N.D. Ill. Apr. 25, 2022), the Court issued the latest plaintiff-friendly decision under the Illinois Biometric Information Privacy Act (“BIPA”), putting businesses and employers on notice that the statute can apply to photographs in addition to the typically-alleged facial and hand scans. The Court denied the Defendant’s motion to dismiss on the basis that: (1) photographs and information derived from photographs are protected by BIPA; (2) Plaintiff sufficiently plead a claim for liquidated damages; and (3) the BIPA does not violate the First Amendment.
Plaintiff filed suit alleging that the Defendant markets and sells proprietary facial recognition software that is used by online businesses to verify consumers’ identities. Id. at *2. To verify a consumer’s identity, the consumer first uploads a copy of his or her identification and a facial photograph. Id. The software then scans the identification and photograph to locate the facial images on each document; extracts a unique numerical representation of the shape or geometry of each facial image, which is often called a ‘faceprint,” compares the faceprints from the consumer’s identification and photograph; and generates a score based on the similarity of the faceprints. Id. The software also can compare the faceprints obtained from a consumer’s identification or photograph with other biometric data in Defendant’s database, such as the biometric data of known masks or other consumers’ photographs. Id. at *2-3. Online businesses can integrate the software into their products and mobile apps in such a way that consumers seeking to verify their identities likely do not know that they are interacting with and providing their sensitive information to Defendant, a third party. Id. at *3.
Plaintiff was a member of an online marketplace that partnered with Defendant to verify its users’ identities using Defendant’s software. Id. Plaintiff claimed that, in April 2020, Plaintiff verified his identity in the online marketplace and that Defendant allegedly used its software to scan Plaintiff’s face, extract his faceprints, compare the two photographs, and then Defendant kept his unique faceprint in a database and accessed it every time another person used Defendant’s verification process. Defendant purportedly did not inform Plaintiff that it would collect, store, or use his biometric identifiers derived from his face,” and Plaintiff never signed a written release allowing Defendant to do so. Id. at *3-4.
Plaintiff filed suit against Defendant in the Circuit Court of Cook County, Illinois, alleging that it violated the BIPA, 740 Ill. Comp. Stat. 14/1 et seq., seeking to represent himself and a putative class of Illinois residents “who had their biometric identifiers or biometric information, including faceprints, collected, captured, received, otherwise obtained, or disclosed by Defendant while residing in Illinois.” Id. at *4. Defendant removed the lawsuit based on diversity jurisdiction and the Class Action Fairness Act (“CAFA”). Id. at *5. After the Court denied Defendant’s motion to compel arbitration (and the Seventh Circuit affirmed), Defendant moved to dismiss on the grounds that: (1) Plaintiff did not state a viable claim under the BIPA because the information Defendant allegedly collected — photographs and information derived from photographs — is not protected by the BIPA; (2) Plaintiff failed to adequately state a claim for liquidated damages; and (3) the BIPA violates the First Amendment.
The Court’s Decision
The Court denied Defendant’s motion to dismiss on all three grounds.
The BIPA’s Application To Data Derived from Photographs
The Court first addressed the argument that Plaintiff failed to state a claim under the BIPA because Defendant’s software captured information from user-submitted photographs, and neither photographs nor information derived from photographs are covered by the BIPA. The Court’s analysis turned on Section 10 of the BIPA, which defines “biometric information” and “biometric identifier” and also lists items that do not fall under those definitions — specifically, “biometric identifiers do not include photographs, and biometric information ‘does not include information derived from items or procedures excluded under the definition of biometric identifiers.’” Mem. Op. & Order at 11 (quoting 740 ILCS 14/10). The Court acknowledged that data derived from photographs is not “biometric information,” but it held that data derived from photographs in the form of “scans of face geometry” can constitute biometric identifiers. Id. at 11-12 (“As alleged . . ., [defendant’s] software scans identification cards and photographs to locate facial images and extracts a unique numerical representation of the shape or geometry of each facial image, which [plaintiff] refers to as a ‘faceprint.’ The faceprints extracted by [defendant] plausibly constitute scans of face geometry and, therefore, ‘biometric identifiers’ under BIPA.”) (internal citations omitted).
The Court rejected the argument that the data cannot be a “scan of face geometry” because it did not involve the scan of plaintiff’s “actual face, but rather, a scan of a photograph of his face,” holding that “[n]othing in the BIPA’s text . . . supports [defendant’s] contention that a scan of face geometry must be an ‘in person’ scan.” Id. at 14 (citation omitted).
Request For Liquidated Damages
The Court next turned to Defendant’s argument that Plaintiff’s request for liquidated damages should be dismissed because he failed to allege facts from which it reasonably could be inferred that Defendant negligently, recklessly, or intentionally violated BIPA. The court held that Plaintiff need not plead Defendant’s state of mind to allege a BIPA claim and that dismissing Plaintiff’s request for liquidated damages was unwarranted because the request sought a particular remedy (which is “distinct from [plaintiff’s] underlying claim for relief based on BIPA”). Id. at 18.
BIPA authorizes a prevailing party to recover, inter alia, the greater of actual damages or $1,000 in liquidated damages for each negligent BIPA violation and the greater of actual damages or $5,000 in liquidated damages for each intentional or reckless BIPA violation. 740 ILCS 14/20(1), (2). Importantly, Plaintiff sought not only liquidated damages but also injunctive relief and relief in the form of reasonable attorneys’ fees, costs, and expenses — the latter forms of relief having no associated mental state requirement. See Mem. Op. & Order at 19-20 (“Nor does [plaintiff] need to allege facts suggesting any level of culpability to plausibly state a BIPA claim in the first place,” as “[Plaintiff] may obtain injunctive relief or attorneys’ fees — as he has requested — regardless of whether [Defendant’s] actions are proven to be negligent, reckless, or intentional.”).
Finally, the Court addressed the argument that BIPA Section 15(b) — which requires a private entity to obtain informed consent before collecting an individual’s biometric data — violates the First Amendment as applied by restricting Defendant’s speech and its collection of “ information voluntarily provided by consumers to identify themselves as marketplace users.” Id. at 24. The court held that (1) Section 15(b) does not restrict defendant’s speech (meaning the First Amendment does not apply), and (2) even if Section 15(b) restricted defendant’s speech, it is a content-neutral restriction that survives the applicable level of First Amendment scrutiny (i.e., intermediate scrutiny).
In holding that Section 15(b) does not regulate Defendant’s speech, the Court reasoned that Section 15(b) “does not prohibit or otherwise restrict what a private entity may do with an individual’s biometric data once the data is obtained”; instead, Section 15(b) “regulates [D]efendant’s ability to obtain an individual’s biometric data by requiring [Defendant] to acquire the individual’s informed consent before doing so.” Mem. Op. & Order at 24. The Court relied on Dahlstrom v. Sun-Times Media, LLC, 777 F.3d 937 (7th Cir. 2015), where the Seventh Circuit held that the Driver’s Privacy Protection Act’s (the “DPPA”) “prohibition on obtaining information from driving records” did not restrict speech because it limited only “access to information.” Mem. Op. & Order at 24 (citation omitted). Sosa reasoned that “[l]ike the DPPA provision at issue in Dahlstrom, Section 15(b) burdens a party’s ability to access certain information.” Id. at 25.
The Court further held that, even if Section 15(b) restricted Defendant’s speech, it would nonetheless survive intermediate scrutiny under the First Amendment. The Court applied the four-prong intermediate scrutiny test set forth in Central Hudson Gas & Electric Corp. v. Public Service Commission of New York, 447 U.S. 557 (1980):  First, courts ask whether the commercial speech concerns unlawful activity or is misleading (if so, the speech is not protected by the First Amendment);  if the speech concerns lawful activity and is not misleading, courts next ask whether the asserted governmental interest is substantial;  if it is, then courts determine whether the regulation directly advances the governmental interest asserted; and  finally, courts ask whether the regulation is more extensive than necessary to serve that interest.
Regarding the first step, the Court held that the at-issue commercial speech does not concern unlawful activity and is not misleading because Section 15(b) “regulates both the misleading and non-misleading collection of biometric data.” Mem. Op. & Order at 31. But the Court held that Section 15(b) passes muster under steps (2) through (4). At the second step, the Court determined that Section 15(b) is supported by a substantial governmental interest — namely, the interest in protecting consumers’ rights to privacy in and control over their biometric data. At the third step, the Court held that Section 15(b) directly advances the government’s interest because the harms identified by the Illinois legislature are real and Section 15(b) alleviates those harms “to a material degree.” Id. at 33. Finally, the court held that Section 15(b) is not more extensive than necessary to serve the government’s interest, as: (1) Section 15(b) “does not outright prohibit companies . . . from obtaining biometric data; it merely requires them to obtain informed consent before doing so”; and (2) “it is not too onerous to require a company that wants to collect a consumer’s sensitive and immutable biometric data to obtain the consumer’s consent before doing so.” Id. at 35.
Sosa is one of several recent plaintiff-friendly BIPA decisions, and it reinforces the unanimous interpretation among courts to date that the BIPA can apply to data derived from photographs. The Sosa decision also seemingly tends to undermine the defense argument that a BIPA plaintiff must allege facts demonstrating negligence, recklessness, or intent to state a claim and request liquidated damages under the statute.
Significant questions remain, however, regarding the BIPA’s application to companies that collect biometric information. For one, the Court’s First Amendment analysis regarding Section 15(b) suggested that the same analysis might lead to the conclusion that claims brought under Sections 15(c) and/or 15(d) (which prohibit (i) profiting from biometric data and (ii) disclosing biometric data without consent, respectively) do violate the First Amendment. See Mem. Op. & Order at 27 (noting that statutory provisions restricting the sale, disclosure, and use of information “undoubtedly restrict speech”). Other important questions will be decided in appeals pending before the Illinois Supreme Court, including the question whether claims asserted under Sections 15(b) and 15(d) accrue only once upon the initial collection or disclosure of biometric information, or each time a private entity collects or discloses biometric information (see here), and the limitations period applicable to BIPA claims.