In the
United States Court of Appeals For the Seventh Circuit ____________________ No. 20-2782 RAVEN FOX, Plaintiff-Appellee, v.
DAKKOTA INTEGRATED SYSTEMS, LLC, Defendant-Appellant. ____________________
Appeal from the United States District Court for the Northern District of Illinois, Eastern Division. No. 19 C 2872 — Charles P. Kocoras, Judge. ____________________
ARGUED OCTOBER 29, 2020 — DECIDED NOVEMBER 17, 2020 ____________________
Before SYKES, Chief Judge, and WOOD and BRENNAN, Circuit Judges. SYKES, Chief Judge. As its name suggests, the Illinois Bio- metric Information Privacy Act (“BIPA” or “the Act”) pro- tects a person’s privacy interests in his biometric identifiers, including fingerprints, retina and iris scans, hand scans, and facial geometry. See 740 ILL. COMP. STAT. 14/1 et seq. (2008). Section 15 of the Act comprehensively regulates the collec- tion, use, retention, disclosure, and dissemination of bio- 2 No. 20-2782
metric identifiers. Id. § 14/15. Section 20 provides a right of action for persons aggrieved by a violation of the statute. Id. § 14/20. This appeal requires us to decide a question of Article III standing for a claimed violation of section 15(a), which requires a private entity in possession of biometric data to develop, publicly disclose, and implement a retention schedule and guidelines for destroying the data when the initial purpose for collection ends. Id. § 14/15(a). In Bryant v. Compass Group USA, Inc., we addressed standing to sue for two BIPA claims: (1) a violation of section 15(b), the Act’s informed-consent provision; and (2) a violation of one part of section 15(a)—namely, the duty to publicly disclose a data-retention policy. 958 F.3d 617, 619 (7th Cir. 2020). We held that the plaintiff had standing to pursue the sec- tion 15(b) claim, but our view of the section 15(a) claim was different. Id. at 626. The plaintiff had not alleged any con- crete and particularized harm from the defendant’s failure to publicly disclose a data-retention policy, so we held that she lacked standing on that claim. Id. The latter holding was quite limited. We cautioned that our analysis was confined to the narrow violation the plaintiff alleged; we did not address standing requirements for claims under other parts of section 15(a). This appeal raises the question reserved in Bryant. Raven Fox filed a proposed class action in state court alleging that Dakkota Integrated Systems, her former employer, collected, used, retained, and disclosed her handprint for its timekeep- ing system. She raised several claims under BIPA, but the one that concerns us here accuses Dakkota of violating section 15(a). No. 20-2782 3
Dakkota removed the case to federal court under the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1453, and moved to dismiss the claims as preempted by federal labor law. The district judge read Bryant to foreclose Article III standing for section 15(a) claimants, so he remanded that claim to state court and dismissed the others. The remand order was a mistake. Unlike in Bryant, Fox’s section 15(a) claim does not allege a mere procedural failure to publicly disclose a data-retention policy. Rather, Fox alleges a concrete and particularized invasion of her privacy interest in her biometric data stemming from Dakkota’s violation of the full panoply of its section 15(a) duties—the duties to develop, publicly disclose, and comply with data retention and destruction policies—resulting in the wrongful retention of her biometric data after her employment ended, beyond the time authorized by law. These allegations suffice to plead an injury in fact for purposes of Article III. The invasion of a legally protected privacy right, though intangi- ble, is personal and real, not general and abstract. Because the section 15(a) claim was properly in federal court, we reverse the remand order and return the case to the district court for consideration of the preemption question. I. Background We recount the facts as alleged in the class-action com- plaint, accepting them as true for present purposes. From 2012 to 2019, Raven Fox worked for Dakkota Integrated Systems, an automotive supplier with several locations in the Midwest. Throughout her employment Fox was a “Team Lead” at Dakkota’s Chicago plant. Dakkota required em- ployees, including Fox, to clock in and out of work by scan- ning their hands on a biometric timekeeping device. 4 No. 20-2782
Dakkota used third-party software to capture employees’ biometric data, which were then stored in a timekeeping database administered by a third party. Though not specifi- cally alleged in the complaint, it’s undisputed that Fox was represented by a union during her employment. To understand Fox’s claims, an overview of the Illinois biometrics statute is helpful. The General Assembly enacted BIPA in 2008 in response to the growing use of biometrics “in the business and security screening sectors,” especially in Chicago and other locations in Illinois that were then emerg- ing “as pilot testing sites for new applications of biometric- facilitated financial transactions.” 740 ILL. COMP. STAT. 14/5(a), (b). The legislative findings include a section regard- ing the immutability of biometric identifiers and the associ- ated heightened risk of identity theft: Biometrics are unlike other unique identifiers that are used to access finances or other sensi- tive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions. Id. § 14/5(c). The legislative findings also acknowledge that “[t]he full ramifications of biometric technology are not fully known.” Id. § 14/5(f). Accordingly, the General Assembly found that “[t]he public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” Id. § 14/5(g). No. 20-2782 5
To that end, section 15(b) of the Act prohibits private en- tities from collecting, capturing, or otherwise obtaining a person’s biometric identifiers or information without the person’s informed written consent. Id. § 14/15(b). The informed-consent regime bars the collection of biometric identifiers or information unless the collector first informs the person “in writing of the specific purpose and length of term for which [data are] being collected, stored, and used” and “receives a written release” from the person or his legally authorized representative. Section 15(d) prohibits the disclosure, redisclosure, or dissemination of stored biometric identifiers or information without the consent of the person or his legally authorized representative. Id. § 14/15(d). Most relevant here, the Act also imposes obligations re- garding the retention and destruction of biometric identifiers and information. Section 15(a) of the Act provides: A private entity in possession of biometric identifiers or information must develop a writ- ten policy, made available to the public, estab- lishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identi- fiers or information has been satisfied or with- in 3 years of the individual’s last interaction with the private entity, whichever occurs first. Additionally, a private entity in possession of biometric identifiers or information “must comply” with a data- retention schedule and destruction guidelines “[a]bsent a valid warrant or subpoena” to the contrary. Id. § 14/15(a). 6 No. 20-2782
Free access — add to your briefcase to read the full text and ask questions with AI
In the
United States Court of Appeals For the Seventh Circuit ____________________ No. 20-2782 RAVEN FOX, Plaintiff-Appellee, v.
DAKKOTA INTEGRATED SYSTEMS, LLC, Defendant-Appellant. ____________________
Appeal from the United States District Court for the Northern District of Illinois, Eastern Division. No. 19 C 2872 — Charles P. Kocoras, Judge. ____________________
ARGUED OCTOBER 29, 2020 — DECIDED NOVEMBER 17, 2020 ____________________
Before SYKES, Chief Judge, and WOOD and BRENNAN, Circuit Judges. SYKES, Chief Judge. As its name suggests, the Illinois Bio- metric Information Privacy Act (“BIPA” or “the Act”) pro- tects a person’s privacy interests in his biometric identifiers, including fingerprints, retina and iris scans, hand scans, and facial geometry. See 740 ILL. COMP. STAT. 14/1 et seq. (2008). Section 15 of the Act comprehensively regulates the collec- tion, use, retention, disclosure, and dissemination of bio- 2 No. 20-2782
metric identifiers. Id. § 14/15. Section 20 provides a right of action for persons aggrieved by a violation of the statute. Id. § 14/20. This appeal requires us to decide a question of Article III standing for a claimed violation of section 15(a), which requires a private entity in possession of biometric data to develop, publicly disclose, and implement a retention schedule and guidelines for destroying the data when the initial purpose for collection ends. Id. § 14/15(a). In Bryant v. Compass Group USA, Inc., we addressed standing to sue for two BIPA claims: (1) a violation of section 15(b), the Act’s informed-consent provision; and (2) a violation of one part of section 15(a)—namely, the duty to publicly disclose a data-retention policy. 958 F.3d 617, 619 (7th Cir. 2020). We held that the plaintiff had standing to pursue the sec- tion 15(b) claim, but our view of the section 15(a) claim was different. Id. at 626. The plaintiff had not alleged any con- crete and particularized harm from the defendant’s failure to publicly disclose a data-retention policy, so we held that she lacked standing on that claim. Id. The latter holding was quite limited. We cautioned that our analysis was confined to the narrow violation the plaintiff alleged; we did not address standing requirements for claims under other parts of section 15(a). This appeal raises the question reserved in Bryant. Raven Fox filed a proposed class action in state court alleging that Dakkota Integrated Systems, her former employer, collected, used, retained, and disclosed her handprint for its timekeep- ing system. She raised several claims under BIPA, but the one that concerns us here accuses Dakkota of violating section 15(a). No. 20-2782 3
Dakkota removed the case to federal court under the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1453, and moved to dismiss the claims as preempted by federal labor law. The district judge read Bryant to foreclose Article III standing for section 15(a) claimants, so he remanded that claim to state court and dismissed the others. The remand order was a mistake. Unlike in Bryant, Fox’s section 15(a) claim does not allege a mere procedural failure to publicly disclose a data-retention policy. Rather, Fox alleges a concrete and particularized invasion of her privacy interest in her biometric data stemming from Dakkota’s violation of the full panoply of its section 15(a) duties—the duties to develop, publicly disclose, and comply with data retention and destruction policies—resulting in the wrongful retention of her biometric data after her employment ended, beyond the time authorized by law. These allegations suffice to plead an injury in fact for purposes of Article III. The invasion of a legally protected privacy right, though intangi- ble, is personal and real, not general and abstract. Because the section 15(a) claim was properly in federal court, we reverse the remand order and return the case to the district court for consideration of the preemption question. I. Background We recount the facts as alleged in the class-action com- plaint, accepting them as true for present purposes. From 2012 to 2019, Raven Fox worked for Dakkota Integrated Systems, an automotive supplier with several locations in the Midwest. Throughout her employment Fox was a “Team Lead” at Dakkota’s Chicago plant. Dakkota required em- ployees, including Fox, to clock in and out of work by scan- ning their hands on a biometric timekeeping device. 4 No. 20-2782
Dakkota used third-party software to capture employees’ biometric data, which were then stored in a timekeeping database administered by a third party. Though not specifi- cally alleged in the complaint, it’s undisputed that Fox was represented by a union during her employment. To understand Fox’s claims, an overview of the Illinois biometrics statute is helpful. The General Assembly enacted BIPA in 2008 in response to the growing use of biometrics “in the business and security screening sectors,” especially in Chicago and other locations in Illinois that were then emerg- ing “as pilot testing sites for new applications of biometric- facilitated financial transactions.” 740 ILL. COMP. STAT. 14/5(a), (b). The legislative findings include a section regard- ing the immutability of biometric identifiers and the associ- ated heightened risk of identity theft: Biometrics are unlike other unique identifiers that are used to access finances or other sensi- tive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions. Id. § 14/5(c). The legislative findings also acknowledge that “[t]he full ramifications of biometric technology are not fully known.” Id. § 14/5(f). Accordingly, the General Assembly found that “[t]he public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” Id. § 14/5(g). No. 20-2782 5
To that end, section 15(b) of the Act prohibits private en- tities from collecting, capturing, or otherwise obtaining a person’s biometric identifiers or information without the person’s informed written consent. Id. § 14/15(b). The informed-consent regime bars the collection of biometric identifiers or information unless the collector first informs the person “in writing of the specific purpose and length of term for which [data are] being collected, stored, and used” and “receives a written release” from the person or his legally authorized representative. Section 15(d) prohibits the disclosure, redisclosure, or dissemination of stored biometric identifiers or information without the consent of the person or his legally authorized representative. Id. § 14/15(d). Most relevant here, the Act also imposes obligations re- garding the retention and destruction of biometric identifiers and information. Section 15(a) of the Act provides: A private entity in possession of biometric identifiers or information must develop a writ- ten policy, made available to the public, estab- lishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identi- fiers or information has been satisfied or with- in 3 years of the individual’s last interaction with the private entity, whichever occurs first. Additionally, a private entity in possession of biometric identifiers or information “must comply” with a data- retention schedule and destruction guidelines “[a]bsent a valid warrant or subpoena” to the contrary. Id. § 14/15(a). 6 No. 20-2782
The term “biometric identifier” is defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Id. § 14/10. Finally, the Act provides a cause of action for persons aggrieved by a violation and permits the court to award injunctive relief, actual or statutory damages, and attorney’s fees. Id. § 14/20. With the legal background in place, we return to the complaint. Fox alleges that Dakkota did not obtain her informed written consent before collecting her biometric identifiers as required by the Act and unlawfully disclosed or disseminated her biometric data to unnamed third parties without her consent—including to a third-party administra- tor that hosted the employees’ biometric data in its data center. She further alleges that Dakkota failed to develop, publicly disclose, and implement a data-retention schedule and guidelines for the permanent destruction of its employ- ees’ biometric identifiers. Finally, she alleges that Dakkota failed to permanently destroy her biometric data when she left the company and still has not done so. Fox filed her suit in state court as a proposed class action. Count I alleges a violation of section 15(a) premised on Dakkota’s failure to develop, publicly disclose, and comply with a retention schedule and destruction guidelines for the biometric data it collects from its employees. Counts II and III allege violations of sections 15(b) and (d) premised on Dakkota’s failure to obtain informed consent before collect- ing biometric data and its failure to obtain consent to dis- close or disseminate the data to third parties. Dakkota removed the suit to federal court under CAFA and moved to dismiss all three claims as preempted by the Labor Management Relations Act, 29 U.S.C. §§ 141–197 No. 20-2782 7
(“LMRA”). Because Fox was represented by a union when she worked for Dakkota, the preemption argument relied on our recent decision in Miller v. Southwest Airlines Co., which held that similar BIPA claims by unionized airline employees were preempted by the federal Railway Labor Act. 926 F.3d 898, 902–03 (7th Cir. 2019). The judge agreed in part and dismissed Counts II and III, the section 15(b) and (d) claims, as preempted by the LMRA. But he remanded the section 15(a) claim to state court sua sponte, construing our decision in Bryant to mean that a violation of that section of the statute is insufficient to sup- port standing to sue in federal court. Dakkota sought recon- sideration of the remand order on Count I, but the judge denied the motion. Dakkota petitioned this court for permis- sion to appeal, as CAFA permits. We granted that request. II. Discussion An order remanding a case to state court normally can- not be appealed. 28 U.S.C. § 1447(d). But in cases removed under CAFA, we may accept an appeal from an order granting or denying a motion to remand. Id. § 1453(c)(1). 1
1 The district court’s jurisdiction rested on diversity of citizenship. 28 U.S.C. § 1332. CAFA’s minimal-diversity requirement is satisfied because Fox is a citizen of Illinois and Dakkota’s members are citizens of Michigan and Canada; the amount-in-controversy requirement is satisfied because the class seeks over $5 million in damages. Id. § 1332(d). Federal-question jurisdiction provides additional support for removal. Under the complete-preemption doctrine, “a plaintiff’s state cause of action [can be recast] as a federal claim for relief making [its] removal [by the defendant] proper on the basis of federal question jurisdiction.” Vaden v. Discover Bank, 556 U.S. 49, 61 (2009) (alterations in original) (quotation marks omitted). 8 No. 20-2782
The judge’s remand decision flows from his conclusion that Bryant defeats Article III standing for violations of BIPA’s section 15(a). We review that decision de novo. See, e.g., Cook County v. Wolf, 962 F.3d 208, 218 (7th Cir. 2020). A. Article III Standing The federal judiciary is empowered to decide “Cases” and “Controversies,” U.S. CONST. art. III, § 2, a limitation that confines federal courts to hearing only those disputes that are sufficiently concrete and presented in a form historically recognized as appropriate for judicial resolution, DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 341 (2006). To invoke the adjudicative power of a federal court, the plaintiff must plead (and later establish) standing to sue, a require- ment “rooted in the traditional understanding of a case or controversy.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016). Where, as here, a case is removed from state court, the roles are reversed and the burden flips: In this procedur- al posture, the defendant, as the proponent of federal jurisdic- tion, must establish the plaintiff’s Article III standing. Bryant, 958 F.3d at 620. The elements of standing are familiar. “The plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, 136 S. Ct. at 1547. The injury-in-fact requirement is usually the main event in litigation over standing, and it’s the only element at issue here. The test for injury in fact asks whether the plaintiff has “suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Id. at No. 20-2782 9
1548 (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992)). A “particularized” injury is one that “affect[s] the plain- tiff in a personal and individual way.” Lujan, 504 U.S. at 560 n.1. A generalized grievance shared by all members of the public will not suffice. DaimlerChrysler, 547 U.S. at 342–44. To qualify as “concrete,” an injury must be “real, … not ab- stract.” Spokeo, 136 S. Ct. at 1548 (quotation marks omitted). “[T]hat is, it must actually exist.” Id. Concrete injuries can be either tangible or intangible. Id. at 1549. Tangible injuries are easy to recognize; monetary losses and physical harms to persons or property are com- mon examples. Id. Intangible injuries can be conceptually more difficult. And claims of an intangible injury from a statutory violation are more difficult still. Congress or a state legislature may identify and elevate historically non- cognizable intangible harms to the status of cognizable injuries, but it does not follow that the injury-in-fact re- quirement is satisfied whenever a statute confers a right or imposes a duty and creates a cause of action for a violation. Id. As the Supreme Court made crystal clear in Spokeo, “Article III standing requires a concrete injury even in the context of a statutory violation.” Id. To determine whether an intangible harm satisfies the injury-in-fact requirement in a statutory case, both the legislature’s judgment and historical judicial practice “play important roles.” Id. Legislative judgment is “instructive and important” to discerning concrete cognizable injuries, but it’s not conclusive. Id. Because standing is a constitutional requirement, a legislature “cannot erase Article III’s standing requirements by statutorily granting the right to sue to a 10 No. 20-2782
plaintiff who would not otherwise have standing.” Id. at 1548 (quotation marks omitted). By way of example, Spokeo explained that if a plaintiff pleads a statutory claim but alleges only a “bare procedural violation, divorced from any concrete harm,” he will not have satisfied the injury-in-fact requirement. Id. at 1549. B. Article III Standing and BIPA Three recent BIPA cases hold the keys to the standing question. We’ve already mentioned Bryant and Miller. The third case is Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019), a Ninth Circuit decision in a BIPA case originating in the Northern District of California. We’ll discuss the cases in chronological order, starting with Miller. Miller involved two class actions by unionized airline employees who were required to clock in and out of work by scanning their fingerprints. 926 F.3d at 901. The employees alleged that the airlines violated sections 15(a) and (b) of BIPA by failing to obtain informed consent before collecting and using their fingerprints in the biometric timekeeping systems, and by failing to maintain and publish data- retention protocols. The suits were filed in state court, but the airlines removed them to federal court and moved to dismiss, arguing that the claims were preempted by the Railway Labor Act, 45 U.S.C. §§ 151–188, which despite its name also applies to air carriers. Miller, 926 F.3d at 901–02. Turning first to the question of standing, we concluded that the suits alleged an injury that was sufficiently concrete to confer Article III standing because the collection and use of biometrics for timekeeping is a subject of collective bar- gaining between unions and management: No. 20-2782 11
[T]he stakes in both suits include whether the air carriers can use fingerprint identification. If the unions have not consented, or if the carriers have not provided unions with required in- formation, a court or adjustment board may order a change in how workers clock in and out. The prospect of a material change in workers’ terms and conditions of employment gives these suits a concrete dimension that Spokeo … lacked. Either the discontinuation of the practice, or the need for the air carriers to agree to higher wages to induce unions to consent, presents more than a bare procedural dispute. Id. at 902 (emphasis added). Moving on to the preemption question, we held that the BIPA claims belonged before an adjustment board pursuant to the Railway Labor Act, which governs “topics for bargain- ing between unions and management” such as how workers clock in and out. Id. at 903. Because Illinois “cannot bypass the mechanisms of the Railway Labor Act and authorize direct negotiation or litigation between workers and man- agement,” we held that the BIPA claims were preempted. Id. Next in line is Patel. The plaintiffs there sued Facebook for BIPA violations stemming from its “Tag Suggestions” feature, which uses facial-recognition technology to identify whether a user’s Facebook friends are depicted in an up- loaded photo. Patel, 932 F.3d at 1268. Several Illinois Face- book users filed a class action alleging violations of sections 15(a) and (b) based on Facebook’s failure to main- tain and publicly disclose a data-retention schedule and data-destruction guidelines, and its failure to obtain written 12 No. 20-2782
informed consent before collecting and using biometrics. Id. at 1274. The Ninth Circuit held that the Facebook users’ injury was sufficiently concrete and particularized to support Article III standing. Id. The court reasoned that the Illinois statute protects individual privacy interests in biometric identifiers—that is, a person’s “right not to be subject to the collection and use of [his] biometric data.” Id. Looking to historical judicial practice, the court analogized the privacy injury from a BIPA violation to the privacy injury that has long been recognized as actionable at common law in a tort claim for invasion of privacy. Id. at 1272 (citing the RESTATEMENT (SECOND) OF TORTS § 652A (AM. L. INST. 1977)). The Facebook users “necessarily” suffered a concrete and particularized injury when Facebook did not obtain their informed consent before collecting their biometric data and failed to maintain data retention and destruction protocols to keep their biometric data private. Id. at 1274. The court concluded that because BIPA protects concrete privacy interests and the alleged violations of the statute “actually harm[ed] or pose a material risk of harm to those privacy interests,” the plaintiffs had alleged an injury in fact suffi- cient to confer Article III standing. Id. at 1275. Finally, in Bryant we returned to the question of Article III standing for claims raised under sections 15(a) and (b). Christine Bryant sued Compass Group USA, Inc., the owner and operator of “Smart Market” vending machines located in her workplace cafeteria. Bryant, 958 F.3d at 619–20. The vending machines did not accept cash. Instead, custom- ers established a user account by scanning their fingerprints and setting up a payment link; they could then make pur- No. 20-2782 13
chases using a fingerprint scanner on the machines. Bryant voluntarily set up an account and regularly made purchases from the vending machines. She filed a proposed class action in state court accusing Compass Group of two BIPA viola- tions: it “never made publicly available” a data-retention schedule and data-destruction guidelines, violating sec- tion 15(a), and it never obtained her informed consent in writing, violating section 15(b). Id. at 619. Compass Group removed the case to federal court, and like in Miller, Article III standing was contested. We distilled Miller’s core holding to this: “[The] union airline workers had standing to bring claims of violations of sections 15(a) and (b) of BIPA in federal court” because “they faced the ‘prospect of a material change in [their] terms and conditions of employment,’ if the employer, in light of [BIPA], had to bargain with the employee union to obtain employees’ consent or change how the employees clocked in.” Id. at 622 (quoting Miller, 926 F.3d at 902). But Miller did not resolve Bryant’s case because she was not a unionized employee and had not sued her employer; she was a vending-machine customer and had sued the vendor. Accordingly, we treated the standing issue as “a question of first impression.” Id. at 623. Like the Ninth Circuit in Patel, we reasoned that BIPA protects individual privacy interests in biometric data, and a violation of some of its provisions was akin to a tortious invasion of privacy. Id. In her section 15(b) claim, “Bryant was asserting a violation of her own rights—her finger- prints, her private information,” which “was an invasion of her private domain, much like an act of trespass would be.” Id. at 624. Compass Group’s failure to comply with the 14 No. 20-2782
informed-consent requirements of section 15(b) deprived Bryant of her right to make informed choices about the use of and control over her inherently sensitive biometric data. Id. at 626. That deprivation, we concluded, caused “a con- crete injury-in-fact that is particularized to Bryant” and therefore satisfied the requirements for Article III standing. Id. We reached a different conclusion on the section 15(a) claim. Bryant alleged that Compass Group did not make data-retention and data-destruction policies publicly availa- ble. Id. That violation, we held, was insufficiently particular- ized to support Bryant’s standing. We explained that “the duty to disclose [data-retention policies] under section 15(a) is owed to the public generally, not to particular persons whose biometric information the entity collects.” Id. And because Bryant “allege[d] no particularized harm that resulted from Compass [Group’s] violation of section 15(a),” we concluded that she lacked Article III standing to pursue that claim in federal court. Id. Following a petition for rehearing in Bryant, we amended the opinion to clarify the limits of the section 15(a) holding. Bryant’s claim was extremely narrow, alleging only a viola- tion of the section 15(a) duty to publicly disclose data reten- tion and destruction protocols. We emphasized that “[o]ur analysis is thus limited to the theory she invoked” and did not address other provisions in section 15(a). Id. That clarification is important here. Fox’s section 15(a) claim is much broader than Bryant’s. She does not allege a mere failure to publicly disclose a data-retention policy. She accuses Dakkota of violating the full range of its section 15(a) duties by failing to develop, publicly disclose, and comply No. 20-2782 15
with a data-retention schedule and guidelines for the perma- nent destruction of biometric data when the initial purpose for collection ends. That violation, she alleges, resulted in the unlawful retention of her handprint after she left the compa- ny and the unlawful sharing of her biometric data with the third-party database administrator. An unlawful retention of biometric data inflicts a privacy injury in the same sense that an unlawful collection does. Just as section 15(b) expressly conditions lawful collection of biometric data on informed consent, section 15(a) expressly conditions lawful retention of biometric data on the continua- tion of the initial purpose for which the data was collected. The BIPA requirement to implement data retention and destruction protocols protects a person’s biometric privacy just as concretely as the statute’s informed-consent regime. It follows that an unlawful retention of a person’s biometric data is as concrete and particularized an injury as an unlaw- ful collection of a person’s biometric data. If the latter quali- fies as an invasion of a “private domain, much like an act of trespass would be,” Bryant, 958 F.3d at 624, then so does the former. Our decision in Gubala v. Time Warner Cable, Inc., 846 F.3d 909 (7th Cir. 2017), is not to the contrary. That case involved a claim against a cable-television provider for violation of a data-keeping provision in the Cable Communications Policy Act, 47 U.S.C. § 551(e). Id. at 910. The plaintiff was a former Time Warner Cable customer who alleged that the company failed to destroy the personal identifying information in his account file after he terminated his subscription, as the statute requires. We held that the plaintiff lacked standing because he did not allege that Time Warner had lost, leaked, 16 No. 20-2782
given away, disseminated, or otherwise misused his identi- fying information in any way that harmed him, or that the statutory violation created a materially appreciable risk of any such harm to him. Id. at 910–11. This case differs from Gubala for two reasons. First, keep- ing a former cable customer’s account information on file— his address, date of birth, telephone number, credit card and social security numbers—is not analogous to a tortious invasion of his right to privacy. It may be a procedural violation of the federal statute regulating cable companies, but absent a plausible allegation of harm or “a material risk of harm” from the violation, Spokeo, 136 S. Ct. at 1550, there’s no concrete injury and therefore no Article III standing, Gubala, 846 F.3d at 911 (citing Spokeo and explaining that “Gubala’s problem is that while he might well be able to prove a violation of section 551, he has not alleged any plausible (even if attenuated) risk of harm to himself from such a violation—any risk substantial enough to be deemed ‘concrete’”). In contrast, this case is about biometric identifiers, which are meaningfully different because they are immutable, and once compromised, are compromised forever—as the legis- lative findings in BIPA reflect. 2 That legislative judgment, though not conclusive, is “instructive and important.” Spokeo, 136 S. Ct. at 1549. A similar understanding of the
2 In Gubala the plaintiff’s date of birth was among the information the cable provider neglected to remove from his account. A date of birth is obviously unchangeable but is far less identifying than a retinal or iris scan, facial geometry, fingerprints, or handprints. No. 20-2782 17
inherent sensitivity of biometric data led to our conclusion in Bryant that a violation of BIPA’s provisions regulating the “collection, storage, and use” of biometrics “is closely analo- gous to historical claims for invasion of privacy.” 958 F.3d at 623. The Ninth Circuit said essentially the same thing in Patel. 932 F.3d at 1272–74. We see another distinction between this case and Gubala. Fox alleges that Dakkota’s unlawful retention of her bio- metric data includes an unlawful sharing of her data with a third-party database administrator with unknown security practices. There was no similar allegation of unlawful data sharing in Gubala. Fox also has Article III standing on Count I under a straightforward application of Miller. Recall that the Miller plaintiffs were unionized airline employees who accused their employers of violating sections 15(a) and (b). We held that the plaintiffs, as union members, had standing to pur- sue their claims in federal court because the collection, use, and retention of biometric data are topics for collective bargaining and could be used to win offsetting concessions on wages or other topics. Miller, 926 F.3d at 902. That was a concrete injury and was “independently sufficient” to establish standing, so we had no need to address whether the risk of misuse of the employees’ stored biometrics “itself suffices for standing.” Id. at 903. Fox’s circumstances are indistinguishable. Because Fox was represented by a union and that union had the prospect of making material improvements in the way BIPA was implemented, Miller’s reasoning applies with equal force here. We add that as Bryant illustrates, people whose claims do not arise directly from an employment relationship might 18 No. 20-2782
also have a prospect of material improvements, depending on the circumstances. We can safely save that situation for another day when we have a case with those facts. For these two separate and independent reasons, Fox has standing to litigate her section 15(a) claim in federal court, so the judge’s remand order must be reversed. There remains the question whether section 15(a) is preempted by the LMRA. See id. at 904–06. The judge did not address this issue, and the parties did not brief it here. Although the answer appears to flow directly from Miller, we prefer to remand to the district court to address the issue in the first instance. REVERSED AND REMANDED