Fox v. Dakkota Integrated Sys., LLC

• Decision Date: 17 November 2020
• Docket Number: No. 20-2782,20-2782
• Parties: Raven FOX, Plaintiff-Appellee, v. DAKKOTA INTEGRATED SYSTEMS, LLC, Defendant-Appellant.
• Court: U.S. Court of Appeals — Seventh Circuit

980 F.3d 1146

Raven FOX, Plaintiff-Appellee,

v.DAKKOTA INTEGRATED SYSTEMS, LLC, Defendant-Appellant.

No. 20-2782

United States Court of Appeals, Seventh Circuit.

Argued October 29, 2020

Decided November 17, 2020

Catherine Mitchell, Attorney, James B. Zouras, Attorney, Ryan F. Stephan, Attorney, Stephan Zouras, LLP, Chicago, IL, for Plaintiff-Appellee

Erin Bolan Hines, Attorney, Melissa A. Siebert, Attorney, Jonathon Studer, Attorney, Shook, Hardy & Bacon LLP, Chicago, IL, for Defendant-Appellant

Before Sykes, Chief Judge, and Wood and Brennan, Circuit Judges.

Sykes, Chief Judge.

As its name suggests, the Illinois Biometric Information Privacy Act ("BIPA" or "the Act") protects a person's privacy interests in his biometric identifiers, including fingerprints, retina and iris scans, hand scans, and facial geometry. See 740 ILL. COMP. STAT. 14/1 et seq . (2008). Section 15 of the Act comprehensively regulates the collection, use, retention, disclosure, and dissemination of biometric identifiers. Id. § 14/15. Section 20 provides a right of action for persons aggrieved by a violation of the statute. Id. § 14/20.

This appeal requires us to decide a question of Article III standing for a claimed violation of section 15(a), which requires a private entity in possession of biometric data to develop, publicly disclose, and implement a retention schedule and guidelines for destroying the data when the initial purpose for collection ends. Id. § 14/15(a). In Bryant v. Compass Group USA, Inc. , we addressed standing to sue for two BIPA claims: (1) a violation of section 15(b), the Act's informed-consent provision; and (2) a violation of one part of section 15(a)—namely, the duty to publicly disclose a data-retention policy. 958 F.3d 617, 619 (7th Cir. 2020). We held that the plaintiff had standing to pursue the section 15(b) claim, but our view of the section 15(a) claim was different. Id. at 626. The plaintiff had not alleged any concrete and particularized harm from the defendant's failure to publicly disclose a data-retention policy, so we held that she lacked standing on that claim. Id. The latter holding was quite limited. We cautioned that our analysis was confined to the narrow violation the plaintiff alleged; we did not address standing requirements for claims under other parts of section 15(a).

This appeal raises the question reserved in Bryant . Raven Fox filed a proposed class action in state court alleging that Dakkota Integrated Systems, her former employer, collected, used, retained, and disclosed her handprint for its timekeeping system. She raised several claims under BIPA, but the one that concerns us here accuses Dakkota of violating section 15(a).

Dakkota removed the case to federal court under the Class Action Fairness Act ("CAFA"), 28 U.S.C. § 1453, and moved to dismiss the claims as preempted by federal labor law. The district judge read Bryant to foreclose Article III standing for section 15(a) claimants, so he remanded that claim to state court and dismissed the others.

The remand order was a mistake. Unlike in Bryant , Fox's section 15(a) claim does not allege a mere procedural failure to publicly disclose a data-retention policy. Rather, Fox alleges a concrete and particularized invasion of her privacy interest in her biometric data stemming from Dakkota's violation of the full panoply of its section 15(a) duties—the duties to develop, publicly disclose, and comply with data retention and destruction policies—resulting in the wrongful retention of her biometric data after her employment ended, beyond the time authorized by law. These allegations suffice to plead an injury in fact for purposes of Article III. The invasion of a legally protected privacy right, though intangible, is personal and real, not general and abstract. Because the section 15(a) claim was properly in federal court, we reverse the remand order and return the case to the district court for consideration of the preemption question.

I. Background

We recount the facts as alleged in the class-action complaint, accepting them as true for present purposes. From 2012 to 2019, Raven Fox worked for Dakkota Integrated Systems, an automotive supplier with several locations in the Midwest. Throughout her employment Fox was a "Team Lead" at Dakkota's Chicago plant. Dakkota required employees, including Fox, to clock in and out of work by scanning their hands on a biometric timekeeping device. Dakkota used third-party software to capture employees’ biometric data, which were then stored in a timekeeping database administered by a third party. Though not specifically alleged in the complaint, it's undisputed that Fox was represented by a union during her employment.

To understand Fox's claims, an overview of the Illinois biometrics statute is helpful. The General Assembly enacted BIPA in 2008 in response to the growing use of biometrics "in the business and security screening sectors," especially in Chicago and other locations in Illinois that were then emerging "as pilot testing sites for new applications of biometric-facilitated financial transactions." 740 ILL. COMP. STAT. 14/5(a), (b). The legislative findings include a section regarding the immutability of biometric identifiers and the associated heightened risk of identity theft:

Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.

Id. § 14/5(c). The legislative findings also acknowledge that "[t]he full ramifications of biometric technology are not fully known." Id. § 14/5(f). Accordingly, the General Assembly found that "[t]he public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information." Id. § 14/5(g).

To that end, section 15(b) of the Act prohibits private entities from collecting, capturing, or otherwise obtaining a person's biometric identifiers or information without the person's informed written consent. Id. § 14/15(b). The informed-consent regime bars the collection of biometric identifiers or information unless the collector first informs the person "in writing of the specific purpose and length of term for which [data are] being collected, stored, and used" and "receives a written release" from the person or his legally authorized representative. Section 15(d) prohibits the disclosure, redisclosure, or dissemination of stored biometric identifiers or information without the consent of the person or his legally authorized representative. Id. § 14/15(d).

Most relevant here, the Act also imposes obligations regarding the retention and destruction of biometric identifiers and information. Section 15(a) of the Act provides:

A private entity in possession of biometric identifiers or information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first.

Additionally, a private entity in possession of biometric identifiers or information "must comply" with a data-retention schedule and destruction guidelines "[a]bsent a valid warrant or subpoena" to the contrary. Id. § 14/15(a).

The term "biometric identifier" is defined as "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry." Id. § 14/10. Finally, the Act provides a cause of action for persons aggrieved by a violation and permits the court to award injunctive relief, actual or statutory damages, and attorney's fees. Id. § 14/20.

With the legal background in place, we return to the complaint. Fox alleges that Dakkota did not obtain her informed written consent before collecting her biometric identifiers as required by the Act and unlawfully disclosed or disseminated her biometric data to unnamed third parties without her consent—including to a third-party administrator that hosted the employees’ biometric data in its data center. She further alleges that Dakkota failed to develop, publicly disclose, and implement a data-retention schedule and guidelines for the permanent destruction of its employees’ biometric identifiers. Finally, she alleges that Dakkota failed to permanently destroy her biometric data when she left the company and still has not done so.

Fox filed her suit in state court as a proposed class action. Count I alleges a violation of section 15(a) premised on Dakkota's failure to develop, publicly disclose, and comply with a retention schedule and destruction guidelines for the biometric data it collects from its employees. Counts II and III allege violations of sections 15(b) and (d) premised on Dakkota's failure to obtain informed consent before collecting biometric data and its failure to obtain consent to disclose or disseminate the data to third parties.

Dakkota removed the suit to federal court under CAFA and moved to dismiss all three claims as preempted by the Labor Management Relations Act, 29 U.S.C. §§ 141 – 197 ("LMRA"). Because Fox was represented by a union when she worked for Dakkota, the preemption argument relied on our recent decision in Miller v. Southwest Airlines Co. , which held that similar BIPA claims by unionized airline employees were preempted by the federal Railway Labor Act. 926 F.3d 898, 902–03 (7th Cir. 2019).

The judge agreed in part and dismissed Counts II and III, the section 15(b) and (d) claims, as preempted by the LMRA. But he remanded the section 15(a) claim to ...