- June 24, 2020
Burke Warren attorneys Chris Kentra and Brian Weinthal recently secured the dismissal (with prejudice) of a class action lawsuit against their client, VSP, alleging violations of the Illinois Biometric Information Privacy Act (“BIPA”). This significant victory comes at a time when businesses across the country – most recently the wildly popular video-sharing app TikTok – face a rush of BIPA cases, in which damages may be awarded even in the absence of actual consumer harm or compromised information. Defense activities were supervised by Bradley Garber and Nicole Wasylkiw – both senior in-house counsel at VSP.
“While we are thrilled by the result we obtained for our client in this case, it also serves as a cautionary tale about the increasing threat that BIPA litigation poses to Illinois businesses and corporations across the United States,” Kentra says. “Obtaining dismissal of these claims early in a case, as we did here, can spare companies the expense, risk, and bad press associated with claims that often don’t involve any real damages or injuries.”
Enacted in 2008, BIPA imposes several important obligations on private entities who engage in the collection, use, safeguarding, handling, storage, retention, or destruction of biometric identifiers and information. These obligations include maintaining a retention schedule and obtaining written consent from consumers before collecting and/or capturing biometric information, which includes fingerprints, voiceprints, retinal scans, or scans of facial geometry.
Importantly, BIPA establishes a private right of action for anyone “aggrieved” by an alleged violation of the act. Although the invocation of the statute was limited for more than a decade, BIPA litigation grew exponentially when the Illinois Supreme Court ruled in 2019 that plaintiffs do not need to demonstrate a separate or distinct injury to sue other than the purportedly unlawful collection of biometric information.
Dismissal with Prejudice
Burke Warren’s client, VSP Retail Development Holding, LLC (“VSP”) is a large retail optical and vision-care company based in California. VSP offers a “Virtual Try-On” tool on its website that enables website visitors and those seeking to purchase prescription eyewear to view images of how they look wearing particular frames. Website visitors use their cellphones or computer webcams to capture a series of images that then enable the “Virtual Try-On” tool to create three-dimensional representations of customers “wearing” different pairs of eyeglasses.
In September of 2019, VSP was sued in a putative class action in which the plaintiff alleged that the “Virtual Try-On” tool violated BIPA because it did not seek written consent prior to the capture and use of biometric information.
After removing the case from state court to the U.S. District Court for the Northern District of Illinois, Kentra and Weinthal recommended that VSP move to dismiss the complaint based on an exception to the statute’s consent and disclosure requirements. Specifically, BIPA does not apply to information captured from a patient in a health care setting, or to information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). Garber and Wasylkiw were instrumental in helping Kentra and Weinthal amass critical information that would serve as the basis for the motion to dismiss.
In its motion, the firm argued that VSP’s efforts to collect, capture, and store information that enabled website users to purchase prescription and even non-prescription eyewear were, by definition, a form of health care treatment, payment, or operations. The District Court agreed, finding that because the plaintiff’s “facial geometry was obtained as a patient in a health care setting,” the biometric identifiers at issue fell within BIPA’s health care exemption. “As such, VSP cannot be held liable under BIPA for their collection or use.” The District Court then dismissed the case with prejudice, finding that any attempt to amend on plaintiff’s part would be “futile.”
“Companies that collect biometric information—and there are many of them—can do everything right and still find themselves in the crosshairs of increasingly aggressive plaintiffs’ firms that have come to see BIPA as a significant revenue generator,” Weinthal says. “It is critical that such businesses mount equally aggressive defense strategies as well as implement proactive compliance measures.”