BIPA class actions – liability of third-party vendors

Takeaway:  We have written a number of articles about the explosion of class action litigation under Illinois’s Biometric Information Privacy Act (BIPA).  See BIPA – an ideal “no injury” class action (Feb. 9, 2022) and BIPA class actions: Seventh Circuit endorses pleading strategy calculated to avoid removal to federal court (Jan. 29, 2021).  The decision by the Northern District of Illinois in Ronquillo v. Doctor’s Associates, LLC, No. 21-C-4903, 2022 WL 1016600 (N.D. Ill. Apr. 4, 2022), which ruled that Section 15(b) of BIPA applies to third-party vendors with no direct employment relationship with a BIPA plaintiff, adds to the growing line of pro-plaintiff decisions under that statute.

In Ronquillo, a Subway restaurant employee named Mariel Ronquillo asserted claims regarding the restaurant’s point-of-sale (“POS”) system, consisting of computer hardware owned by HP Inc. (“HP”) and POS software licensed by the American franchisor of Subway restaurants, Doctor’s Associates, LLC (“DAL”).  Ms. Ronquillo “used the POS system to clock in and out of her shifts and breaks, as well as to unlock the cash registers.”  2022 WL 1016600, at *1.  Although she was directly employed by a Subway franchisee, she filed a putative class action asserting that HP and DAL violated § 15(b) of BIPA, alleging that “they collected and obtained her biometric information without providing her with the required notice and obtaining her written consent.”  Id.

HP and DAL filed separate motions to dismiss Ronquillo’s complaint, arguing her claims should be dismissed because (1) a Section 15(b) claim requires that a BIPA defendant “take active steps to collect, capture, or otherwise obtain the plaintiff’s biometric information,” whereas “possession of biometric data alone” does not subject a defendant to liability; and (2) “§ 15(b) does not apply to third-party vendors of technology an employer uses to obtain its employees’ biometric information,” such that “extending § 15(b)’s reach to such parties does not further BIPA’s purpose and instead creates absurd results.”  Id. at *2-*3.

The district court rejected both arguments.

On the “active steps” point, the district court cited the allegations of Ms. Ronquillo’s complaint, which asserted that “DAL uses the SubwayPOS system, which it exclusively controls, to capture workers’ fingerprints and create the reference templates,” and “HP stores the reference templates on its hardware, which DAL then compares to scanned fingerprints to identify the workers.”  Id. at *3.  Even though the Subway franchisee had more control of the overall process, Ms. Ronquillo’s allegations “allow[ed] for the reasonable inference that DAL and HP played more than a passive role in the process.”  Id.

On the third-party vendor point, the district court ruled that “DAL and HP cannot point to anything in BIPA’s text that supports limiting § 15(b)’s reach only to employers.”  Id.  The district court further rejected the argument that imposing liability on third-party vendors created absurd results, noting that DAL and HP could have contractually required the Subway franchisee to obtain the appropriate consents as a precondition to using the POS system.  Accordingly, “the Court cannot conclude that DAL and HP may escape liability under § 15(b) because they do not have a direct employment relationship with Ronquillo.”  Id.

The district court also rejected an extraterritoriality argument and an effort to dismiss Ms. Ronquillo’s enhanced statutory damages claim.  Id. at *4.  While the court’s opinion noted certain arguments might be properly renewed after evidence had been developed, as a whole, Ronquillo represents another difficult decision for BIPA class action defendants.

Latest Thinking

View more Insights
Insights Center
Knowledge assets are defined in the study as confidential information critical to the development, performance and marketing of a company’s core business, other than personal information that would trigger notice requirements under law. For example,
The new study shows dramatic increases in threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing those threats by the highest performing organizations. Awareness of the risk to knowledge assets increased as more respondents acknowledged that their