Alleged violations of privacy laws continue to bedevil the federal courts—in particular, with respect to determining whether an alleged violation creates a sufficiently concrete and redressable grievance to permit the federal courts to hear the lawsuit under Article III of the U.S. Constitution. Generally speaking, a lack of Article III standing results in the dismissal of the lawsuit for lack of jurisdiction. In November, the Seventh Circuit issued an opinion addressing Article III standing that could have implications for privacy litigation, in Fox v. Dakkota Integrated Systems LLC.
Why this matters: According to Fox, Article III standing exists for violations of Illinois’s Biometric Information Protection Act (BIPA) when companies collect or retain biometric information in alleged violation of the act, without any other injury. In other words, companies may be held to their stated retention periods. Because Illinois is part of the Seventh Circuit, this opinion may result in an increase in pending claims for violation of BIPA. Of greater concern, possibly, is that other courts may extend this per se harm theory to other privacy laws and find standing for lawsuits challenging the retention of personal information even where the plaintiff has not pleaded the concepts traditionally required to meet the Article III injury requirements.
Illinois’s BIPA effectively establishes a notice, consent and retention policy regime; as of today, it is also the only biometric-focused privacy law in the United States with a private right of action for its violation. It requires notice to, and consent by, individuals before their biometric information may be collected; limits the disclosure of biometric information without consent; and requires establishing a retention and destruction policy for the biometric information. While the plaintiff alleged that her employer violated the panoply of obligations under BIPA, it is only the last piece—retention and destruction—at issue in Fox. (The other claims were dismissed as pre-empted by the federal Labor Management Relations Act because the plaintiff was represented by a union.)
To the Seventh Circuit, the retention and destruction claim went beyond alleging a technical failure to make the retention policy available to covered individuals (a requirement of BIPA): “Fox alleges a concrete and particularized invasion of her privacy interest in her biometric data stemming from Dakkota’s violation of the full panoply of its section 15(a) duties—the duties to develop, publicly disclose, and comply with data retention and destruction policies—resulting in the wrongful retention of her biometric data after her employment ended, beyond the time authorized by law.” This, the court explained, was intended to protect individuals’ biometric privacy just as much as the right to prevent collection of biometric information without compliance with the law’s informed consent requirement, which was already subject to Article III standing under Seventh Circuit and Ninth Circuit rulings.
In reaching this decision, the Seventh Circuit distinguished a prior decision involving alleged unlawful retention of dates of birth and Social Security numbers under federal law, in two ways. First, the court made clear that the immutable nature of biometrics is important because, unlike other forms of personal information, they cannot be changed. (A footnote acknowledges that a date of birth is immutable—yet it “is far less identifying than a retinal or iris scan, facial geometry, fingerprints, or handprints.”) Second, the Fox allegations also include claims that the biometric data was shared with a third party “with unknown security practices”: In other words, not only was the data immutable and held for longer than the company said it would be and the law permitted, but also it was held in a way that could present an additional risk to impacted individuals without identification of that risk. Accordingly, the court determined that Article III standing exists. Time will tell how far the Seventh Circuit is willing to take this application of Article III standing to privacy laws more generally.