Fee v. Ill. Inst. of Tech.

• Decision Date: 15 July 2022
• Docket Number: 21-cv-02512
• Parties: DANIEL FEE, individually and on behalf of all others similarly situated, Plaintiff, v. ILLINOIS INSTITUTE OF TECHNOLOGY, Defendant.
• Court: U.S. District Court — Northern District of Illinois

DANIEL FEE, individually and on behalf of all others similarly situated, Plaintiff, v. ILLINOIS INSTITUTE OF TECHNOLOGY, Defendant.

No. 21-cv-02512

United States District Court, N.D. Illinois, Eastern Division

July 15, 2022

MEMORANDUM OPINION AND ORDER

Andrea R. Wood, United States District Judge

Plaintiff Daniel Fee is a former student at Defendant Illinois Institute of Technology (“IIT”). Like many IIT students, Fee took some exams online using a remote proctoring tool that employed facial-recognition technology to verify the student's identity. Fee, however, alleges that IIT failed to comply with the requirements set out in Illinois's Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., before collecting his biometric identifiers. Accordingly, he has brought the present action on behalf of himself and a putative class of similarly situated IIT students alleging violations of BIPA. Now before the Court is IIT's motion to dismiss Fee's First Amended Complaint (“FAC”) pursuant to Federal Rule of Civil Procedure 12(b)(6). (Dkt. No. 16.) For the reasons that follow, IIT's motion to dismiss is denied.

BACKGROUND

For the purposes of the motion to dismiss, the Court accepts all well-pleaded facts in the FAC as true and views those facts in the light most favorable to Fee as the non-moving party. Killingsworth v. HSBC Bank Nev., N.A., 507 F.3d 614 618 (7th Cir. 2007). The FAC alleges as follows.

Fee is a former student at IIT, a private research university located in Chicago. (FAC ¶ 1, 21, 83, Dkt. No. 13.) IIT offers both in-person and online courses to its students. (Id. ¶ 2.) For many of its online courses, IIT requires its students to take exams using Respondus Monitor an online remote proctoring tool. (Id.) Respondus Monitor's technology allows students to take exams online in a non-proctored environment. (Id. ¶ 27.) Relevant here, Respondus Monitor verifies the identity of the student taking an exam by using the student's webcam to capture their facial geometry and other biometric identifiers and conduct a “facial detection check.” (Id. ¶¶ 6772.)

While attending IIT, Fee took a class in Fall 2020 that required him to use Respondus Monitor for exams. (Id. ¶ 85.) According to Fee, IIT, by means of the Respondus Monitor tool, collected, stored, and used his biometric information without complying with the requirements of Illinois's BIPA. (Id. ¶¶ 13-15.) BIPA was enacted to “protect[] public welfare, security, and safety by regulating the collection, use, safeguarding, handling storage, retention, and destruction of biometric identifiers and biometric information.” (Id. ¶ 10 (quoting 740 ILCS 14/5(g)).) According to Fee, IIT violated BIPA by not maintaining a publicly available retention schedule and guidelines for permanently destroying students' biometric information; failing to inform Fee or its other students in writing that their biometric information was being collected; failing to inform Fee or its other students of the purpose and length of time for which their biometric information was being collected, stored, and used; not obtaining prior written authorization from Fee or its other students before collecting their biometric data profiting from its collection and use of Fee and its other students' biometric information; and disclosing or disseminating the biometric information of Fee and its other students without their consent. (Id. ¶¶ 13-15; 110-12; 119-121, 129, 135.) Consequently, Fee has sued IIT on behalf of himself and a class of similarly situated IIT students who took exams using Respondus Monitor “during the five years prior to the filing of the Complaint through January 20, 2021.” (Id. ¶¶ 94-95.)

DISCUSSION

To survive a Rule 12(b)(6) motion, “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). This pleading standard does not necessarily require a complaint to contain detailed factual allegations. Twombly, 550 U.S. at 555. Rather, “[a] claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Adams v. City of Indianapolis, 742 F.3d 720, 728 (7th Cir. 2014) (quoting Iqbal, 556 U.S. at 678). “In addition to the allegations in the complaint, courts are free to examine . . . matters of which a court may take judicial notice in evaluating a motion to dismiss under Rule 12(b)(6).” Facebook, Inc. v. Teachbook.com LLC, 819 F.Supp.2d 764, 770 (N.D. Ill. 2011) (internal quotation marks omitted).

IIT contends that the FAC must be dismissed with prejudice because BIPA does not apply to it. Specifically, BIPA Section 25(c) provides that “[n]othing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder.” 740 ILCS 14/25(c). IIT claims that because it is an institution of higher education that makes and administers numerous student loans, it qualifies as a financial institution subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”).

BIPA does not otherwise define the term “financial institution,” and neither the Illinois Supreme Court nor any intermediate Illinois appellate court has discussed the scope of Section 25(c)'s exemption. Consequently, this Court's task in interpreting BIPA's financial-institution exemption is to determine how the Illinois Supreme Court would rule. Rodas v. Seidlin, 656 F.3d 610, 626 (7th Cir. 2011). In Illinois, “[t]he fundamental rule of statutory interpretation is to ascertain and give effect to the intent of the legislature.” Dome Tax Servs. Co. v. Weber, 136 N.E.3d 1121, 1124 (Ill.App.Ct. 2019). “The most reliable indicator of that intent is the language of the statute itself. In determining the plain meaning of statutory language, a court will consider the statute in its entirety, the subject the statute addresses, and the apparent intent of the legislature in enacting the statute.” Id. at 1123-24 (citation omitted). Where the statutory language is clear and unambiguous, it must be applied as written. Id. at 1124.

The Court agrees with IIT that BIPA's exemption for financial institutions subject to Title V of the GLBA means what it says and is therefore best understood by looking to Title V of the GLBA. Codified at 15 U.S.C. §§ 6801-6809, Title V of the GLBA “contains a number of provisions designed to protect the privacy of ‘nonpublic personal information' . . . that consumers provide to financial institutions.” Trans Union LLC v. FTC, 295 F.3d 42, 46 (D.C. Cir. 2002); see also 15 U.S.C. § 6801(a) (“It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.”). A “financial institution” subject to Title V of the GLBA is “any institution the business of which is engaging in financial activities as described in section 1843(k) of Title 12.” 15 U.S.C. § 6809(3)(A). And lending money is one of the financial activities described in 12 U.S.C. § 1843(k). Thus, IIT claims that because it regularly makes and administers student loans, it qualifies as a “financial institution” as defined by Title V of the GLBA.

In addition, the rules promulgated under Title V of the GLBA-which are expressly referenced in BIPA's Section 25(c)-provide further insight into the meaning of “financial institution.” Originally, the GLBA spread out authority over implementing and enforcing Title V among multiple federal agencies, including the Federal Trade Commission (“FTC”). See Trans Union, 295 F.3d at 47. Pursuant to that authority, in May 2000, the FTC published a final privacy rule “with respect to financial institutions and other persons under [its] jurisdiction,” which was ultimately codified at 16 C.F.R. part 313. Privacy of Consumer Financial Information, 65 Fed.Reg. 33,646 (May 24, 2000). That rule took a broad view as to what entities qualify as “financial institutions” and recognized that the term could encompass an institution of higher education. Id. at 33,678. Indeed, it provided that “[a]ny institution of higher education that complies with the Federal Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. [§] 1232g, and its implementing regulations, 34 CFR part 99, and that is also a financial institution subject to the requirements of this part, shall be deemed to be in compliance with this part if it is in compliance with FERPA.” 65 Fed.Reg. at 33,678 (emphasis added). Moreover, the FTC directly responded to comments from colleges and universities requesting that they not be included in the definition of “financial institution.” Id. at 33,648. It explained that it “disagreed with those commenters” because “[m]any, if not all, such institutions appear to be significantly engaged in lending funds to consumers.” Id.

In 2010, the Dodd-Frank Act transferred general Title V rulemaking authority to the Consumer Financial Protection Bureau (“CFPB”). 12 U.S.C. § 5512(b); Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act, 86 Fed.Reg. 70,020, 70,020 (Dec. 9 2021). Accordingly, in 2011, the CFPB substantially adopted and republished at 12 C.F.R. part 1016 the privacy rules originally promulgated by the FTC. Privacy of Consumer Financial Information (Regulation P), 76 Fed.Reg. 79,025 (Dec. 21, 2011). Like the original FTC rule, the CFPB's rule also recognizes that “[a]ny institution of...