A Proper Decision to Reject An Abusive Lawsuit
The Illinois Biometric Information Privacy Act (BIPA) is considered one of the most destructive and abused laws in the country, but it’s now getting pushback from judges. For the last 15 years, BIPA has stifled Illinoisans’ access to innovative biometric products — exposing businesses to crushing liability. In the past couple of years alone it has enabled hundreds of frivolous lawsuits, culminating in hundreds of millions of dollars paid to trial attorneys—all with little benefit to consumers.
Fortunately, a federal judge recently dismissed class action BIPA claims against Pindrop, a tech company that provides voice authentication services for banks and other financial institutions. The court’s dismissal here is a win not just for Pindrop. Illinois businesses and consumers who need access to this technology will benefit.
Protecting consumer data privacy is an important goal. Illinois enacted BIPA in 2008 with the best of intentions, to “regulate the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” But in doing so, they created a monster by allowing “[a]ny person aggrieved by a violation” of the Act can sue for liquidated damages, statutory damages, millions of dollars in attorneys’ fees, and costs. And that is exactly what we’ve seen, lawsuits not to address actual harms but to shake-down businesses.
Rather than protecting privacy, BIPA’s main effect has been a torrent of frivolous class-action lawsuits against online businesses that offer valuable free services. There was a multi-million dollar suit against Shutterfly for allowing users to search their own albums by faces. There was a half-billion dollar settlement with Facebook. And there have been lawsuits against Google and even nursing homes. BIPA’s private right of action has been both untenable for businesses and harmful for consumers who need access to valuable technology.
In fact, the main beneficiary of BIPA’s private right of action has always been the entrepreneurial plaintiffs’ attorneys – not ordinary Illinoisans.
Class action plaintiffs in McGovernan v. AWS & Pindrop are Illinois residents who made calls to John Hancock Life Insurance Company in the last five years. They alleged they suffered injuries under BIPA by John Hancock’s affiliates, including Pindrop. John Hancock uses Pindrop’s “deep voice” technology to verify that callers seeking sensitive financial information are indeed who they claim to be. This technology provides customers both convenience and security.
Plaintiffs filed an amended complaint in U.S. District Court two years ago, seeking damages and an injunction on certain uses of Pindrop’s deep voice technology. They alleged that Pindrop violated BIPA by (1) failing to “develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information” and (2) by “sell[ing], leas[ing], trad[ing]” their biometric data.
Judge Stephanos Bibas rejected all of plaintiffs’ claims against Pindrop, finding that plaintiffs do not have standing to sue Pindrop and that Pindrop qualifies as a “financial institution,” which BIPA explicitly exempts from liability. To have standing in federal court, plaintiffs must meet three requirements. They must (1) have suffered actual harm that (2) is “fairly traceable” to the defendant’s actions which (3) may be remedied by a court ruling in plaintiffs’ favor. To meet the first requirement, plaintiffs must allege that they have suffered a “concrete and particularized—that is, real, and not abstract” injury. And to get injunctive relief, they must allege that their injury is “actual or imminent,” that is, “certainly impending.”
Judge Bibas found plaintiffs failed to adequately allege a “concrete and particularized injury” that would establish standing in this case. In other words, a mere misstep in applying BIPA’s requirements doesn’t cause the kind of individualized harm plaintiffs, themselves, must suffer in order to bring this suit at all. And as for the injunction on Pindrop’s technology, Judge Bibas found that “plaintiffs have not plausibly alleged continuing or imminent harm.”
The judge also threw out claims that Pindrop violated BIPA by selling Illinoisans’ voiceprints, explaining that the plaintiffs had failed to point to specific instances or injuries to establish this occurred. Finally, Judge Bibas also correctly found that Pindrop counts as a financial institution under the Gramm-Leach-Bliley Act when it is authenticating customers of investment and insurance firm John Hancock. This makes it exempt from BIPA’s requirements.
At the outset of his opinion, Judge Bibas rightfully warned that if legislatures “regulate an industry too strictly . . . [they] could stifle innovation.” By enabling endless, frivolous lawsuits spearheaded by the plaintiffs’ bar for reasonable uses of biometric technology, BIPA has done just that—and lined plaintiffs’ attorneys’ pockets in the process. McGovernan v. AWS & Pindrop sets a contrary, pro-innovation precedent that will prove valuable for businesses and consumers in years to come.