McGoveran v. Amazon Web Services, Inc.

• Court: District Court, D. Delaware
• Decided: September 30, 2021
• Docket: 1:20-cv-01399
• Status: Unknown

Opinion

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF DELAWARE

CHRISTINE McGOVERAN, JOSEPH VALENTINE, and AMELIA RODRIGUEZ, on behalf of themselves and all other persons similarly situated, known and unknown, Plaintiffs, v. C.A, No. 20-1399-LPS AMAZON WEB SERVICES, INC. and PINDROP SECURITY, INC., Defendants.

Stephen B. Brauerman and Ronald P. Golden III, BAYARD, P.A., Wilmington, DE Andrew D. Schlichter, Joel Rohlf, and Alexander L. Braitberg, SCHLICHTER BOGARD & DENTON, LLP, St. Louis, MO Attorneys for Plaintiffs Jody C. Barillare, MORGAN, LEWIS & BOCKIUS LLP, Wilmington, DE Beth Harrington, MORGAN, LEWIS & BOCKIUS LLP, Chicago, IL Raechel Keay Kummer, MORGAN, LEWIS & BOCKIUS LLP, Washington, DC Attorneys for Defendant Amazon Web Services, Inc. Jack B. Blumenfeld, MORRIS, NICHOLS, ARSHT & TUNNELL LLP, Wilmington, DE Andrew B. Bloomer, Catherine L. Fitzpatrick, and Amelia Bailey, KIRKLAND & ELLIS LLP, Chicago, IL Diana M. Torres, KIRKLAND & ELLIS LLP, Los Angeles, CA Attorneys for Defendant Pindrop Security, Inc.

MEMORANDUM OPINION

September 30, 2021 Wilmington, Delaware

fi. Pf ee \ STARK,.U.S. District Judge: Plaintiffs Christine MeGoveran, Joseph Valentine, and Amelia Rodriguez (collectively, “Plaintiffs”) brought this class action lawsuit against Defendants Amazon Web Services, Inc.

(“AWS”) and Pindrop Security, Inc. (“Pindrop,” and together with AWS, “Defendants”) for alleged violations of an Illinois statute, the Biometric Information Privacy Act (“BIPA”), 740 IL Comp. Stat. 14/1 et seg. (See generally D.1. 1) (“Compl.”) Defendants move to dismiss the complaint. (D.I. 12,15) They argue that Plaintiffs’ claims fail because the complaint alleges an improperly extraterritorial application of BIPA. Defendants also contend that the complaint should be dismissed because BIPA contains an exemption for financial institutions and because the complaint fails to state plausible claims upon which relief can be granted. For the reasons explained below, the Court will grant Defendants’ motions based on extraterritoriality. BACKGROUND A. Biometric Information Privacy Act In 2008, the Illinois legislature passed the Biometric Information Privacy Act because “{t}he use of biometrics is growing in the business and security sectors,” including in Illinois. See 740 Ill, Comp. Stat. 14/5(a)-(b). BIPA contains several definitions that are relevant for this case. BIPA defines a “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” 740 Ill. Comp. Stat. 14/10. It defines “biometric information” more broadly as “any information, regardless of how it is captured, converted, stored, or shared” that is “based on an individual’s biometric identifier.” fd. BIPA protects biometric information because biometric identifiers are “biologically unique to the individual” and cannot be changed,

so disclosure leaves compromised individuals at an increased risk for identity theft. 740 [IL Comp. Stat. § 14/S(c). In this case, the relevant biometric identifiers are voiceprints. (Compl. 424) “A ‘voiceprint’ is more accurately called a voice spectrograph (or spectrogram),” and it is “a representation of an utterance of speech.” Thomas L. Bohan, Scientific Evidence and Forensic Science Since Daubert, 56 Me. L. Rev. 101, 134 (2004). Voiceprints may be used, for instance, to confirm the identities of individuals who call customer service lines. (Compl. { 40) B. Parties Plaintiffs Christine McGoveran, Joseph Valentine, and Amelia Rodriguez are all residents of Illinois. (/d. □□ 6-8) Defendants Pindrop and AWS are both Delaware corporations that are registered to do business in Illinois. (See id. {§ 10, 12) Pindrop has its principal place of business in Atlanta, Georgia. (See D.I. 16 at 6.3) It offers voiceprint services, including its “Deep Voice” and “Phoneprinting” products, which are “used by cali centers and customer service personnel to confirm the identity of individual callers.” (Compl. 52-57) AWS offers cloud storage services, with data centers in Virginia, Ohio, California, and Oregon. Ud. 4 59; see also DJ. 16 at 6) It also offers cloud-based call center services under the brand name “Amazon Connect.” (Compl. {{{ 60-61) Defendants have advertised that Pindrop’s voiceprinting technology can be integrated with Amazon Connect so that Amazon Connect customers may confirm callers’ identities. (/d. J] 64-68) One such Amazon Connect customer is nonparty John Hancock, a financial services company based in Massachusetts. (D.I. 16 at 3)

Cc. Factual Allegations Plaintiffs allege that Defendants have violated BIPA “by collecting, possessing, redisclosing, profiting from, and failing to safeguard their biometric identifiers and biometric information,” including their voiceprints. (Compl. { 1) Specifically, Plaintiffs allege that they “called John Hancock customer service representatives and/or call center(s) on numerous occasions, from Illinois, using Illinois telephone numbers.” (Id. § 93; see also id. F{ 94-96) According to Plaintiffs, “John Hancock’s call center(s) use Amazon Connect with Pindrop biometric voiceprint authentication” (id. { 97), and those call centers use Pindrop’s voiceprinting technology on every John Hancock caller (id. 4 100). As Plaintiffs understand the technology, “audio from incoming calls to call centers... is sent to Pindrop” (id. 1 75), and the “analysis of intercepted phone calls to extract biometric data takes place in part on Pindrop’s servers” (id. 78). Once that analysis is done, “the output

... is returned to AWS’s servers” (id. § 75), resulting in the storage of biometric information on AWS’s servers (id. {] 79-80). In Plaintiffs’ view, Defendants’ actions violate BIPA’s various provisions. (Cd. J¥ 110-22) To address this alleged misconduct, Plaintiffs seek to represent the following class of individuals: “fall Illinois citizens who placed one or more phone calls to, or received one or more phone calls from, an entity using Amazon Connect and Pindrop’s voice authentication and/or fraud detection technology, from December 17, 2014 until present.” (Ud. J 123) Plaintiffs estimate that the class includes “thousands of people.” (Jd. | 124)

dD. Procedural History Plaintiffs initially sued Defendants in Illinois state court, raising essentially the same allegations as in this case. See generally McGoveran v. Amazon Web Servs., Inc., 488 ¥. Supp. 714, 716-17 (S.D. Ill. 2020). Defendants removed that case to federal court. Jd 718. In September 2020, the Illinois district court dismissed the case for lack of personal jurisdiction over Defendants. Jd. at 721-24. As the court explained, “[n]othing about” the alleged course of conduct “occurred in Illinois except for the initial dialing of the phone by Plaintiffs.” Jd. at 722. A month later, Plaintiffs filed their complaint in this Court. (See Compi. at 1,31) The complaint contains five counts for alleged violations of each section of BIPA: e Count I — Violation of Section 15(a): “entities that possess biometric data ‘must develop a written policy, made available to the public’ regarding the retention and destruction of the data” e Count II ~ Violation of Section 15(b): “entities may not ‘collect’ a person’s biometric data unless they first provide notice and obtain informed written consent” Count I — Violation of Section 15(c): “entities that possess biometric data may not ‘sell, lease, trade, or otherwise profit from’ it” Count IV — Violation of Section 15(d): “entities may not disseminate biometric data without consent” Count V — Violation of Section 15(e): “entities that possess biometric data must ‘store, transmit, and protect’ it from disclosure in a manner consistent with ‘the reasonable standard of care within’ an industry” (D.I. 18 at 4) Pindrop and AWS each moved to dismiss the complaint. (D.I. 12,15) The Court received full briefing on the motions (see generally DI. 13, 16, 18, 19, 21, 22) and also

considered numerous notices of subsequent authority filed by the parties (see generally D.L 23, 28, 29, 30).! The Court heard oral argument by teleconference on September 15, 2021. (See 31) (Tr) LEGAL STANDARDS Evaluating a motion to dismiss under Federal Rule of Civil Procedure 12(b)(6) requires the Court to accept as true all material factual allegations in the complaint. See Spruill y, Gillis, 372 P.3d 218, 223 (3d Cir. 2004). “*The issue is not whether a plaintiff will ultimately prevail but whether the claimant is entitled to offer evidence to support the claims.’” Jn re Burlington Coat Factory Sec. Litig., 114 F.3d 1410, 1420 (3d Cir. 1997) (quoting Scheuer v. Rhodes, 416 U.S, 232, 236 (1974)). Therefore, the Court may grant such a motion to dismiss “only if, accepting all well- pleaded allegations in the complaint as true, and viewing them in the light most favorable to plaintiff, plaintiff is not entitled to relief.” Maio v. Aetna, Inc., 221 F.3d 472, 481-82 Gd Cir. 2000) (internal quotation marks omitted). “To survive a motion to dismiss, a civil plaintiff must allege facts that ‘raise a right to relief above the speculative level on the assumption that the allegations in the complaint are true (even if doubtful in fact).’” Victaulic Co, v. Tieman, 499 F.3d 227, 234 (3d Cir. 2007) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). A claim is facially plausible “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Igbal, 556 U.S. 662, 678 (2009). Ultimately, “[t]he complaint must state enough facts to raise a reasonable expectation that

' The Court will deny Plaintiffs’ motion for leave (D.I. 32) to file a response to Pindrop’s notice of subsequent authority (D.L. 30) as moot. The Court has not cited nor relied on either of the cases Pindrop addressed in its notice.

discovery will reveal evidence of [each] necessary element” of a plaintiff’s claim. Wilkerson v. New Media Tech. Charter Sch. Inc., 522 F.3d 315, 321 (3d Cir. 2008) (internal quotation marks omitted). The Court is not obligated to accept “bald assertions” as true. Morse v. Lower Merion Sch. Dist., 132 F.3d 902, 906 (3d Cir. 1997) (internal quotation marks omitted). Nor is it obligated to credit “unsupported conclusions and unwarranted inferences.” Schuylkill Energy Res., Inc. v. Pa. Power & Light Co., 113 F.3d 405, 417 (3d Cir. 1997). The Court may likewise reject allegations that are “self-evidently false.” Nami v. Fauver, 82 F.3d 63, 69 Gd Cir. 1996). DISCUSSION I. Extraterritoriality Under Illinois law, a “statute is without extraterritorial effect unless a clear intent in this respect appears from the express provisions of the statute.” Avery v. State Farm Mut. Ins. Co., 835 N.E.2d 801, 852 (Il. 2005) (internal quotation marks omitted). BIPA does not contain an express provision stating it is intended to apply extraterritorially. See, e.g., Monroy v. Shutterfly, Inc., 2017 WL 4099846, at *5 (N.D. Ili. Sept. 15, 2017). Therefore, BIPA violations must occur in Illinois in order for plaintiffs to obtain any relief. See, e.g., Rivera v. Google Inc., 238 F. Supp. 3d 1088, 1100 (N.D. Ill. 2017) (“[The plaintiffs] asserted violations of [BIPA] must have taken place in Illinois in order for them to win.”). The applicable test is whether the relevant circumstances “occur[ed] primarily and substantially in Illinois.” Avery, 835 N.E.2d at 854; see also Rivera, 238 EF. Supp. 3d at 1101.7

* Initially, Plaintiffs did not dispute the application of this “primarily and substantially” standard. (See, e.g., D.I. 18 at 17; DJ. 19 at 16) Just before the hearing (which the Court

Defendants argue that Plaintiffs fail to allege conduct that occurred primarily and substantially in Illinois. (D.I. 13 at 6-8; DI. 16 at 5-10) The Court agrees with Defendants. With respect to Pindrop, Plaintiffs principally allege that Pindrop “extracted biometric information from calls originating from Illinois, from Illinois citizens, and from clearly recognizable Illinois phone numbers.” (D.I. 18 at 17) Itis similar for AWS. Plaintiffs principally allege that AWS “intercepted biometric information” from Illinois callers. (D.1. 19 at 16) The location of the caller does not, however, say anything about the location where the rest of the conduct occurred. As Defendants correctly point out, “Plaintiffs identify nothing to suggest their ‘voiceprints’ were created, possessed, or stored . . . in Illinois.” (D.I. 22 at 1; see also D.I. 16 at 9) Even if Plaintiffs’ “voice audio was intercepted in Illinois” (D.I. 18 at 17; DL. 19 at 17), as Plaintiffs cursorily allege (see Compl. ff 85, 110), voice audio is not the same as a voiceprint, and voice audio does not meet the definition of “biometric identifier” or “biometric information” under BIPA. See 740 Ill. Comp. Stat. 14/10. Moreover, AWS emphasizes that its data centers

scheduled despite not receiving any request for oral argument), Plaintiffs suggested for the first time that the Illinois legislature might have intended BIPA to have an extraterritorial effect. 29 at 1-2) (citing Am. Civ. Liberties Union v. Clearview Al, Inc., 2021 WL 4164452 (IIL Cir. Ct. Aug. 27, 2021)) During the hearing, Plaintiffs articulated this argument more forcefully. (See Tr. at 34-35, 48) Although Clearview was just decided, there is no reason why Plaintiffs could not have made this statutory argument in their briefing. Consequently, the Court considers this argument forfeited. See, e.g., Almirall, LLC v. Torrent Pharm., Ltd., 2021 WL 3021947, at *6 (D, Del. July 13, 2021) (holding that plaintiff forfeited argument for purposes of Rule 12 motion by not raising it in briefing). Even if Plaintiffs had not forfeited the argument, they are wrong, Clearview said only that BIPA “come[s] close” to having an express provision regarding extraterritorial application, not that it actually has such a provision. 2021 WL 4164452, at *5.

are located wholly outside Illinois — in Virginia, Ohio, California, and Oregon — and Plaintiffs do not allege otherwise. (D.I. 16 at 6,9)? Pindrop is also located outside Illinois in Atlanta, Georgia — and, again, Plaintiffs do not allege otherwise. (/d.) Simply put, there is no indication in the complaint that Defendants did anything in Illinois. Plaintiffs allege that both Defendants failed to make written biometric data retention and destruction policies available to the public and that they failed to provide notice to and obtain consent from Illinois citizens. (D.J. 18 at 17; D.I. 19 at 17) According to Plaintiffs, those failures “necessarily occurred in Illinois.” (D.I. 18 at 17; D.I. 19 at 17) The Court does not see why that must be true. (See Tr, at 10) (“[I]t really makes no sense to assign a location for an act that did not occur.”) More fundamentally, that argument depends on the assumption that Defendants were required to provide notice, publish policies, and obtain consent in Wlinois. As stated above, however, Plaintiffs have not alleged any activity in Illinois that would impose such obligations on Defendants. At bottom, Plaintiffs’ concrete allegations about this case’s connections to Illinois are □

nothing more than repeated statements (phrased three different ways) about Plaintiffs’ residency: Plaintiffs’ phone calls to John Hancock “originat[ed] from Illinois” because Plaintiffs live there;

3 Plaintiffs object to the Court’s consideration of information on AWS’s website related to the location of AWS’s data centers. (See D.I.19 at 17) The complaint cites the AWS website multiple times. (E.g., Compl. at 12 nn.9 & 12; id. at 13 nn.13-14; id at 14.17) Ona motion to dismiss, the Court is permitted to “consider matters of public record, orders, exhibits attached to the complaint and items appearing in the record of the case.” Oshiver v. Levin, Fishbein, Sedran & Berman, 38 F.3d 1380, 1384 n.2 3d Cir. 1994). Under the circumstances presented here, the Court is, therefore, permitted to consider the AWS website. See Adamson y, Ortho- McNeil Pharm., Inc., 463 F. Supp. 2d 496, 501 (D.N.J. 2006) (“[T]hese documents have been expressly relied upon by Plaintiff, thus there is no issue regarding notice to the Plaintiff, and this Court may properly consider them in deciding the instant motion to dismiss.”).

the calls were “from Illinois citizens” because Plaintiffs live there; and the calls were placed from “clearly recognizable Illinois phone numbers” because, once again, Plaintiffs live there. (See D.I. 18 at 17; D.I. 19 at 16) A plaintiffs residency is not enough to establish an Illinois connection in order to survive a motion to dismiss based on extraterritoriality. See, e.g., Vulcan Golf, LLC v. Google Inc., 552 F. Supp. 2d 752, 755 (N.D. Il. 2008) (dismissing claim even though “plaintiffs contend that [linois has ‘significant contacts’ with each of the named class plaintiffs because each is a resident”); Super Pawn Jewelry & Loan, LLC v. Am. Envt Energy, Inc., 2013 WL 1337303, at *7 (N.D. Ill. Mar. 29, 2013) (dismissing claim given “weak connection to Illinois” despite plaintiff’s residency). Here, Plaintiffs’ residency, standing alone, is not sufficient to establish that the alleged conduct occurred “primarily and substantially” in Illinois. The Illinois district court’s dismissal of the related action for lack of personal jurisdiction underscores the weak connection between Plaintiffs’ allegations and Illinois: In this case, Plaintiffs were the ones who made the cal! — to John Hancock — from their [llinois phone numbers, AWS then intercepted the calls once they were connected to an Amazon Connect call center and sent the audio to Pindrop for processing. The output from that processing was then returned to AWS’s servers. Nothing about this process occurred in Illinois except for the initial dialing of the phone by Plaintiffs. Moreover, there is no indication that either of these companies purposefully directed their activities at Illinois citizens or that this litigation arises from contacts they created with Illinois. Rather, the litigation arises because John Hancock, a third party based in Massachusetts, contracted with AWS and Pindrop to analyze the voices of its customers.

McGoveran, 488 F. Supp. 3d at 722 (internal citation omitted; emphasis added). The Court need not decide the precise relationship between the personal jurisdiction and extraterritoriality inquiries. Regardless of which inquiry imposes a higher burden, the Illinois district court’s jurisdictional findings and thoughtful analysis wholly support this Court’s ruling.4 The Court recognizes that other district courts have been hesitant to grant motions to dismiss BIPA claims based on extraterritoriality. See, e.g., Rivera, 238 F. Supp. 3d at 1101-02 (“Discovery is needed to determine whether there are legitimate extraterritoriality concerns.”); Monroy, 2017 WL 4099846, at *6 (“[The defendant] may raise the argument at a later time, if and when the record affords a clearer picture of the circumstances relating to [the plaintiff]’s claim.”). Still, [linois courts have dismissed other types of claims at this stage, based on extraterritoriality, when plaintiffs have failed to allege a “sufficient nexus” to Illinois. E.g., Int’ Equip. Trading, Ltd. v. Mlumina, Inc., 312 F. Supp. 3d 725, 732-34 (N.D. IIL. 2018); see also D.L 21 at 3 &n.1 (collecting cases). Even if dismissing BIPA claims is “generally inappropriate,” see Vance v. Int’l Bus. Machs. Corp., 2020 WL 5530134, at *3 (N.D. LIL. Sept. 15, 2020), that

4 During the hearing, Plaintiffs suggested that the Illinois court did not make a factual finding when it stated that “nothing . . . occurred in Illinois except for the initial dialing of the phone by Plaintiffs.” (See Tr. 40, 45-47) No matter how that statement is characterized, the Court views it as highly persuasive because: (i) it is unequivocal, and (ii) another district judge made it after considering many of the same factors that are relevant to the extraterritoriality analysis. Although Plaintiffs maintain that the Illinois court was wrong, Plaintiffs never appealed the dismissal of the related action. (/d. at 47) The Court also notes that Plaintiffs already had an opportunity to explore Defendants’ possible connections to Illinois in responding to Defendants’ motion to dismiss the related action. The instant case is effectively Plaintiffs’ second bite at the apple. Yet, in refiling essentially the same complaint in this Court, Plaintiffs have not added any notable allegations establishing a stronger connection to [Ilinois. (See Tr. at 8) (noting addition of only two paragraphs upon refiling here) 10

suggests there may be exceptions, and this case is one of them. (See Tr. at 51) Plaintiffs do not allege any direct interaction with AWS or Pindrop that might plausibly be imputed to Illinois; they allege only interactions with John Hancock in Massachusetts, who in turn interacted with Defendants. (See D.I. 21 at 3-4) Take, for example, Rivera. In that case, the plaintiffs alleged that photos of them were taken in Ulinois using Google Droid devices, that the photos were automatically uploaded to the Google Photos application from Illinois, and that Google performed scans of their faces. See Rivera, 238 F. Supp. 3d at 1090-91. Those allegations established a direct interaction between the plaintiffs and the defendants, and the allegations suggested that a good amount of the relevant conduct could be attributable to Illinois. Here, by contrast, Plaintiffs never interacted directly with Pindrop or AWS from Illinois, and the Defendants’ conduct cannot be fairly attributed to Illinois. Indeed, Plaintiffs have not meaningfully alleged that anything happened in IIlinois other than Plaintiffs dialing their phones. See McGoveran, 488 F. Supp. 3d at 722. Plaintiffs fare no better under Monroy. In that case, the plaintiffs sued Shutterfly for its similar use of facial recognition technology on photos of them uploaded to Shutterfly by other Illinois residents. See Monroy, 2017 WI. 4099846, at *1. Put differently, that case, like Rivera, involved a course of conduct in which the defendant was intentionally interacting with individuals in Illinois. The same is not true in this case. See McGoveran, 488 F. Supp. 3d at 722. While John Hancock’s activities with respect to Plaintiffs might be ascribed to Illinois, the

same cannot be said for Pindrop and AWS, who were merely third-party contractors performing work for John Hancock.

il

Finally, the Court notes that Plaintiffs have asked for the adoption of a rule that is overly broad and ultimately untenable. According to Plaintiffs, “under BIPA, as long as the source of the biometric data is Illinois, that’s enough to establish liability.” (Tr. at 44-45) That rule flies in the face of Illinois cases holding that a plaintiff’s residency is not enough to survive a motion to dismiss based on extraterritoriality. See, e.g., Vulcan Golf, 552 F. Supp. 2d at 755. Furthermore, if that rule were correct, then BIPA could impose liability on a vast number of corporations who do no business in Illinois and who lack any other significant connection to Illinois. There is no basis in the statutory language to find that BIPA stretches so far. In sum, the complaint is devoid of any allegations involving conduct that occurred “primarily and substantially” in Winois. BIPA does not apply extraterritorially, but the complaint alleges an extraterritorial application of BIPA. Accordingly, the Court will grant Defendants’ motions to dismiss.° IL. Amendment Plaintiffs asked during the hearing for an opportunity to amend their complaint to add

more specific allegations regarding connections between this case and Illinois. (See Tr. at 68) At this point, the Court cannot say that any such amendment would necessarily be futile. Accordingly, the Court will permit Plaintiffs to file a motion for leave to amend their complaint (following the Court’s procedures with respect to letter briefing for motions to amend) no later than October 29, 2021.

5 Because the Court will grant both motions based on extraterritoriality, it need not (and does not) reach any other issues presented.

CONCLUSION For the foregoing reasons, Pindrop’s and AWS’s motions to dismiss (D.I. 12, 15) will be granted. An appropriate order follows.