IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION
MARIA TAPIA-RENDON, individually ) and on behalf of all others ) similarly situated, ) ) ) Plaintiffs, ) ) vs. ) Case No. 21 C 3400 ) WORKEASY SOFTWARE, LLC, ) ) Defendant. )
MEMORANDUM OPINION AND ORDER MATTHEW F. KENNELLY, District Judge: Plaintiff Maria Tapia-Rendon has filed suit against Workeasy Software, LLC (formerly known as EasyWork Software), alleging violations of the Illinois Biometric Information Privacy Act (BIPA). See 740 Ill. Comp. Stat. 14/20. The case has been certified as a class action; Tapia-Rendon is the class representative. Workeasy sells timekeeping devices to businesses. These devices enable an employee to clock in and out of work by scanning the tip of his or her fingers. Tapia- Rendon alleges that EWF's devices use these scans to generate templates associated with each fingerprint. These templates are then stored on a database hosted on a third- party server. Tapia-Rendon contends that Workeasy has control over these database servers. Workeasy, however, maintains that only customers have control over these database servers. Tapia-Rendon contends that Workeasy violated sections 15(b), (d), and (e) of BIPA because it collected, disclosed, and failed to secure class members' biometric information. She has moved for partial summary judgment (i.e., as to liability only) on her claims under section 15(b), (d), and (e) and on Workeasy's affirmative defenses. Workeasy has also moved for summary judgment on these same claims and on its
affirmative defense that Tapia-Rendon waived her BIPA rights. Background Workeasy Software, formerly known as EasyWork Software (EWF), sells timekeeping and enrollment devices to various business customers across Illinois. The relevant enrollment devices are known as the EC10, EC20, Xenio10, and Xenio20, and the relevant timekeeping devices are known as the EC200, EC500, EC700, Xenio10, Xenio20, Xenio200, Xenio500, Xenio700, TL200, TL250, and TL500. EWF contends that it has sold devices to thousands of customers, including between 100 and 200 customers in Illinois.
A. Functionality EWF's devices all function in a similar manner. To enroll a new user, an administrator of the device has to first activate the enrollment feature of the device and then select a finger, keycard, or numeric PIN to scan. If a finger is the selected method of verification, the new user then scans the tip of his or her finger three times on the device's scanning surface. The device uses software to convert the scan into a mathematical representation of the image. EWF contends that the device scans a user's finger and that the resulting template is based on the finger. See Def.'s Stat. of Facts ¶¶ 10,11. By contrast, plaintiffs contend that the device scans a user's fingerprint and that the resulting template is based on the fingerprint image. See Pl.'s Stat. of Facts ¶¶ 17, 18. Plaintiffs point out that in its own documents, EWF consistently uses terms such as "biometric key" and "fingerprint" to describe the scans and the device's functionality. See Pl.'s Stat. of Facts ¶¶ 31, 32; Pl.'s Ex. 6, EAS000572, at 572–73. In response, EWF argues
that this usage is puffery, a way to make its system sound more sophisticated and to align with industry jargon that helps clients understand the devices' technology. See Def.'s Resp. to Pl.'s Mot. for Summ. J. at 4; see Def.'s Ex. 5 at 80:18-20; Pl.'s Ex. 31 at 68:11-24. Once an individual is enrolled in the system, he or she only needs to place the enrolled finger onto the device's scanner to clock in and out of work. During each such scan, software licensed by EWF creates a template using the scan and compares it to templates stored in a database to identify the specific individual. On a match of templates, an individual's clock in/clock out attempt is marked as successful.
B. Database server Templates associated with each enrolled user are stored in one of two locations: on a local server maintained by the customer, or in a database hosted on a third-party company's servers. Both parties maintain that the database at issue here resides on servers that EWF leases from a company called Vault Networks, Inc. The plaintiffs contend that "[t]he template database is not leased from a third party; the servers on which the database resides are leased." See Pl.'s Resp. to Def.'s Stat. of Facts ¶ 15. Because of this setup, the plaintiffs argue, "the data transmitted from the timeclocks does go to WorkEasy, as it is in a database created, managed, and operated by WorkEasy, on servers under WorkEasy's control." See id. ¶ 19. For its part, EWF contends that it has no control over the servers and that device data goes directly from a customer's device to a dedicated cloud-based server that is set up for the specific customer. See Def.'s Stat. of Facts ¶ 19. Plaintiffs point to several items of evidence to support their contention that EWF
exercises control over the servers. These include: (1) Deposition testimony from EWF's CEO, Sinos Jos, that "Vault only leases the servers to us. They don't do anything to the server once they lease it to us. We are in full control of the servers." See Pl.'s Ex. 2 at 257:13-16; see also Pl.'s Ex. 40 (showing a communication between EWF and a customer in which EWF referred to "our servers."). (2) Testimony from EWF's expert, Jason Hale, who stated that "[t]he Dedicated Server Agreement between Vault Networks and EasyWorkforce states that 'Vault Networks exercises no control over, and accepts no responsibility for, the content of the information passing through Vault Networks' host
computers, network hubs, and points of presence.' This makes clear that EasyWorkforce is responsible for the data stored on the dedicated servers it leases from Vault Networks." Def.'s Ex. 7, A, at 10. Hale also stated that "EasyWorkforce was responsible for the application data associated with the remote timeclock devices, including access control to the server itself." Id. ¶ 23. (3) EWF's admission that "it stored reference templates on leased servers." Def.'s Answer to Am. Compl. ¶¶ 85, 92, 94. Plaintiffs also point out that EWF documents suggested that it had the ability to archive and delete customer data. See Pl.'s Ex. 66 at 3 (customers may "request[] destruction of data upon cancellation," otherwise "data is archived after one year of cancellation and non-use."). (4) Testimony from the EWF infrastructure and information team lead, who
agreed that "WorkEasy maintains a Cloud database with data from the timeclocks." Pl.'s Ex. 47 at 28:5-8. (5) Company material including descriptions that suggested EWF exercised a level of control over the database servers, such as: "Easy Clocking Time and Attendance software uses latest technologies and engineering practices. In designing, architecting, developing, and implementing the system [EWF has] kept security, scalability, performance and availability in primary consideration." Pl.'s Ex. 65 (explaining highlights of the "system." including facts about the servers). In response, EWF maintains that it does not have control over the template data
or the servers that house the data. It contends that only customers own and have access to the data and the servers. In support of its argument, EWF points to deposition testimony from CEO Jos, who stated that "I'm sure that the data ownership is, it's owned by the customer. So there is no specific data ownership document that we share or maintain or produced." See Pl.'s Ex. 2 at 126:3-16. C. Transmission Plaintiffs contend that EWF never communicated to class members that it was sending their fingerprint templates to Vault Networks' server and doing so without encryption. The two parties disagree on whether EWF transmits the templates to Vault Networks. EWF contends that the data goes from the customer's device directly to the dedicated cloud-based server that has been set up for that customer. EWF's expert also states that data is sent from timeclock devices to the EasyWorkforce servers
residing in the Vault Networks data center. See Def.'s Ex. 7, Ex. A at 27. In challenging these contentions, plaintiffs point to EWF marketing material that suggests customers do not actually have control over the servers. For example, one EWF document explains that timeclock data is "transferred automatically from the time clocks to the software on the Easy Clocking® cloud or server in real time." See Pl.'s Ex. 24. Plaintiffs also note that EWF (as opposed to customers or Vault Network) encrypts the template database. See Pl.'s Ex. 14 at 72:8-73:2. D. Encryption and security protocols The two parties also dispute whether template data is adequately encrypted when stored on the servers. Plaintiffs contend that EWF stored template data without
encryption on servers owned by Vault Networks, at least before 2022. See Pl.'s Ex. 2 at 188:4–189:10 (EWF software stores template data on servers), 247:10–248:4 (EWF CEO admitting that digital templates were encrypted in the device but not on the cloud storage); Pl.'s Ex. 47 at 28:17–19 (explaining that database was not encrypted until Service Organization Control Type 2 (SOC 2) certification in 2022). But EWF's expert, Jason Hale, stated that the databases were encrypted. Def.'s Ex. 7, Ex. A at 18-21. The parties' experts also offer different understandings of the system's security protocols. EWF's expert, Jason Hale, opines that "Easy Workforce used industry- standard security measures for preventing unauthorized access to its cloud-based servers storing biometric minutiae records." See id. at 28. On the other hand, plaintiffs' expert, David Harding, opines that EWF did not follow industry standards to protect customer data and did not encrypt user data until mid-2022, which is after this lawsuit was filed. Pl.'s Ex. 49 at 10-12. In support of this conclusion, he states that EWF failed
to create a written access control policy and receive a Service Organization Control Type 2 (SOC 2) security certification until 2022. Id. SOC 2 is a minimum compliance and security requirement for third-party service providers holding sensitive information. Id. Plaintiffs' expert opined that even after EWF implemented a written access-control policy, "it still fell far short of what is considered reasonable within the biometrics industry." Id. at 11. After comparing the security protocols around different types of data that EWF stores, he also concluded that EWF "gave greater protections to certain types of data than it did to Class members' fingerprint templates." Id. at 12. E. This lawsuit On June 24, 2021, Tapia-Rendon filed a putative class action lawsuit against
Employer Solutions Staffing Group II, LLC, United Tape & Finishing Co., Inc., and EWF, alleging violations of BIPA. She then amended her complaint to assert claims only against EWF and United Tape. After United Tape settled its claims with the plaintiff class, it was dismissed from this lawsuit on May 17, 2023. At this stage in the proceedings, Tapia-Rendon, on behalf of the class, has moved for summary judgment on her claims against EWF under sections 15(b), (d), and (e) of BIPA, 740 Ill. Comp. Stat. 14/15(b), (d), (e), and on EWF's affirmative defenses. EWF has likewise moved for summary judgment on these same claims and on its defense that Tapia-Rendon waived her BIPA rights. Discussion Summary judgment is appropriate if there is no genuine dispute of material fact and the moving party is entitled to judgment as a matter of law. See Fed. R. Civ. P. 56(a). A genuine dispute of material fact exists "if the evidence is such that a
reasonable jury could return a verdict for the nonmoving party." Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). The burden is on the moving party to demonstrate no genuine dispute of material fact exists. See Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986). "The ordinary standards for summary judgment remain unchanged on cross-motions for summary judgment." Blow v. Bijora, Inc., 855 F.3d 793, 797 (7th Cir. 2017). In assessing a summary judgment motion, the Court construes all facts in the light most favorable to the nonmoving party and draws all reasonable inferences in that party's favor. See Horton v. Pobjecky, 883 F.3d 941, 948 (7th Cir. 2018). The Court may not "make credibility determinations" or "weigh the evidence." Payne v. Pauley,
337 F.3d 767, 770 (7th Cir. 2003). To defeat summary judgment, the nonmoving party must identify specific facts, beyond a "mere scintilla of evidence," that raise a genuine issue for trial and that enable a jury to reasonably find for the non-movant party. See Johnson v. Advoc. Health & Hosps. Corp., 892 F.3d 887, 894, 896 (7th Cir. 2018); Anderson, 477 U.S. at 248. Tapia-Rendon argues that she is entitled to summary judgment because there is no genuine dispute of material fact as to liability on the following claims: EWF violated section 15(b) of BIPA by capturing, collecting, or otherwise obtaining class members' biometric information in the form of fingerprint templates; EWF violated section 15(d) of BIPA by disclosing or otherwise disseminating subclass members' biometric information without the requisite authorization; and EWF violated section 15(e) of BIPA by failing to adequately secure the subclass' biometric information. See 740 Ill. Comp. Stat. 14/15(b), (d), (e). She also argues that EWF's affirmative defenses are legally deficient.
For its part, EWF argues that it is entitled to summary judgment because there is no genuine dispute of fact on the following points: the timeclocks do not collect biometric identifiers; EWF never possessed any biometric identifiers or biometric information; it did not collect, capture, or otherwise obtain such data in violation of section 15(b) of BIPA; it never disseminated such data in violation of section 15(d) of BIPA; and plaintiff, individually, has waived any claim under BIPA. See 740 Ill. Comp. Stat. 14/15(b), (d). Because the two sides' arguments are largely the flip sides of the same coins, the Court addresses together their respective contentions on each of plaintiffs' BIPA claims.
A. Section 15(b) Section 15(b) of BIPA prohibits a private entity from "collect[ing], captur[ing], purchas[ing], receiv[ing] through trade, or otherwise obtain[ing] a person's or a customer's biometric identifier or biometric information, unless it first (1) informs the subject . . . in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject . . . in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject of the biometric identifier or biometric information." 740 Ill. Comp. Stat. 14/15(b). Plaintiffs contend that EWF violated section 15(b) because it collected, captured, or otherwise obtained class members' biometric information without receiving written consent from class members. 1. Biometric information To sustain a section 15(b) claim, a plaintiff must first show that the information in
question constitutes a biometric identifier or biometric information. BIPA defines a biometric identifier as "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry." 740 Ill. Comp. Stat. 14/10. And it defines "biometric information" as "any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers." Id. BIPA does not, however, provide a list of the specific types of information that constitute biometric information. EWF spills a great deal of ink arguing that the data its devices collect does not constitute biometric identifiers. But the plaintiffs concede that, at least for purposes of
the summary judgment motions. The question, rather, as the plaintiffs put it in their motion—which was filed first—is whether EWF collects biometric information as defined under BIPA by generating templates based on a user's fingerprint scan. In its motion for summary judgment, EWF says there is a factual dispute regarding whether the templates are biometric information; it does not seek summary judgment on that point. See Def.'s Mem. for Summ. J. at 8 ("Only if the templates are deemed 'biometric information 'will BIPA apply, which is a disputed fact between Plaintiff's expert and EWF and its expert, and is discussed further in EWF's response to Plaintiff's motion for summary judgment."). The Court, however, agrees with plaintiffs' assertion that there is no genuine factual dispute that the devices collected biometric information. The evidence establishes that they did so. Because they contend that the devices collected biometric information, the plaintiffs must establish that the templates the devices generated were "based on"
biometric identifiers, in this case, fingerprint scans. See 740 Ill. Comp. Stat. 14/10 ("Biometric information must be based on an individual's biometric identifier."). Both sides agree that the templates were generated using a mathematical representation of points on a user's finger. But they seem to disagree on whether the templates were based on a biometric identifier, namely a scan of a fingerprint (which BIPA categorizes as a biometric identifier). See Def.'s Resp. to Pl.'s Stat. of Facts ¶¶ 16, 17. Although not directly elaborated upon in EWF's brief, based on its responses to plaintiffs' statement of facts, EWF seems to suggest that because the devices scan "fingers" and not "fingerprints," they do not trigger scrutiny under BIPA. For example, in its response to plaintiffs' statement of facts, EWF denies that the devices "collect
biometric information or identifiers" and says that "a mathematical representation of a part of a finger is taken." Def.'s Resp. to Pl.'s Stat. of Facts ¶ 32; Def.'s Resp. Mem. to Pl.'s Mot. for Summ. J. at 3. As the plaintiffs contend, however, the record is replete with instances in which EWF has used the term "fingerprints" in describing the scans. See, e.g., Pl.'s Ex. 39 (devices are "able to read wet, dry, dirty or damaged fingerprints"); Pl.'s Ex. 40 (referring to devices using a "fingerprint algorithm" to create a "fingerprint template" and calling the device a "fingerprint scanner" that is "able to capture fingerprint information below the first layer of the skin under any conditions."); Pl.'s Ex. 42 ("Our devices capture the image and converts [sic] this fingerprint image to what is known as a fingerprint template"); Def.'s Ex. 5 at 57:4–6 ("[W]e were not saving the fingerprint, and we were only collecting the numerical representation of that"). Moreover, EWF has conceded that a template is based on "a fingerprint image." See Pl.'s Ex 1, at Ans. No. 6.
In an apparent attempt to backtrack on its repeated use of "fingerprint," EWF argues that "fingerprint" "is an industry term that is loosely used to better assist clients with understanding the technology." See Def.'s Resp. to Pl.'s Stat. of Facts ¶ 32; Def.'s Ex. 5 at 90:22-25, 91:1-4 ("It's generally mentioned as fingerprint, and that's the common vocabulary."); Def.'s Ex. 1 at 208 ("It's made of the finger that's produced. . . . I would say it's an image of the finger, but if that's the common use of the lingo, well. . . . From an external standpoint it [fingerprint] is used because, to your point, it's a common lingo."). But the distinction between "finger" and "fingerprint" that EWF attempts to draw is basically made up. It is not a real distinction but rather a contrivance to suggest a
factual dispute that in reality does not exist. No one is suggesting that the employees are scanning, or are asked to scan, their fingernails, or the sides of their fingers, or their entire finger; they are scanning their fingertips. And that's where their fingerprints, as that term is commonly understood, reside. A device that scans the tip of a finger is taking a scan of the fingerprint that resides on a user's fingertip. A fingerprint, as commonly understood, is the "the impression of a fingertip on any surface," and a fingertip is "the tip of a finger." See Fingerprint, Merriam-Webster.com, https://www.merriam-webster.com/dictionary/fingertip (last visited Aug. 4, 2025); see also Fingertip, Merriam-Webster.com, https://www.merriam webster.com/dictionary/+ fingerprint (last visited Aug. 4, 2025).1 Indeed, an EWF document that explains "How to Clock In/Out with Fingertips on a Time Clock" includes images illustrating that users should place the top part of their finger—i.e., what might commonly be referred to as the "pad" on the underside of the top joint of the finger—on the device scanner to correctly
operate it. See Pl.'s Ex. 6. EWF has not identified any evidence to dispute that the devices take an image of anything but a fingerprint. In short, the point is not genuinely disputed. EWF also contends that the devices could not have captured a complete fingerprint because they scanned only a portion of a finger. See Pl.'s Combined Resp. and Reply Mem. at 3. In supporting their argument, plaintiffs cite Howe v. Speedway LLC, No. 19 C 1374, 2024 WL 4346631, at *4 (N.D. Ill. Sept. 29, 2024) (Chang, J.). In Howe, which involved an almost identical factual situation, Judge Edmond Chang began his analysis by explaining that "[w]hether the scanned image captured by the timeclocks ultimately constitutes a 'fingerprint' protected as a biometric identifier under BIPA is not a
question of fact that requires testimony from a technical expert. . . . [It] is a question of statutory interpretation for the Court to decide, because no underlying constituent facts are disputed." Id. Judge Chang went on to conclude that the "term 'fingerprint' as commonly understood does not contain some intrinsic requirement that it can only mean an 'entire' or 'complete' fingerprint, presumably (to Speedway's thinking) every single
1 In the absence of particularized definitions, the Court presumes that a statutory term has its "plain and ordinary meaning." People v. Chapman, 2012 IL 111896, ¶ 24, 965 N.E.2d 1119, 1126 ("When a statute contains a term that is not specifically defined, it is entirely appropriate to look to the dictionary to ascertain the plain and ordinary meaning of the term."). ridge and furrow on the surface of a finger." Id. at 7. He concluded that requiring this would upend BIPA's fundamental purpose: "Excluding partial fingerprints or scans under BIPA that could nonetheless be used to identify a unique person would undermine the fundamental purpose of the statute and leave large swaths of identifying biometric
information uncovered." Id. at 8. Ultimately, Judge Chang concluded that "[t]he term 'fingerprint' includes partial impressions or partial scans of finger ridges so long as those scans are capable of being used to identify a particular person." Id. This Court agrees. The fact that EWF's devices may have in some instances mistakenly identified an individual, as EWF claims, does not undermine the fact that EWF makes devices for the express purpose of taking scans and creating templates that are used to identify a person. Indeed, the functionality that the devices promise would not work if a fingerprint scan could not be linked back to a single unique individual. As in Howe, "[w]hether the finger scan collected by [defendant's] timeclocks is a biometric identifier depends on whether the scan is a sufficiently unique personal
feature capable of being used to identify a specific person, even though it is less than the size of a full fingerprint. On the factual record presented by the parties, the scans meet that requirement. . . . This system only works if the portion of the finger ridges scanned by the timeclock contains enough information to identify a specific individual." Id. at 8. As Judge Chang concluded in Howe, the templates generated by EWF's devices constitute biometric information within the meaning of BIPA because they are "information 'based on' the scan (which is a biometric identifier on the facts presented)." Id. at 8. There is no genuine factual dispute regarding this element. The Court finds pursuant to Fed. R. Civ. P. 56(g) that the templates constitute biometric information as defined by BIPA. 2. Collect, capture, or otherwise obtain The remaining elements of section 15(b) require the plaintiffs to show that EWF
collects, captures, or otherwise obtains the template data. Although some courts in this district have read an additional "active step" requirement into section 15(b) before imposing liability, doing so adds language that the statute does not include. See Rogers v. BNSF Ry. Co., No. 19 C 3083, 2022 WL 4465737, *3 (N.D. Ill. Sept. 26, 2022) (Kennelly, J.). Because BIPA does not elaborate on the meaning of "collect," "capture," and "obtain," the Court applies the "popularly understood meaning[s]" of these terms. G.T. v. Samsung Elecs. Am. Inc., 742 F. Supp. 3d 788, 797 (N.D. Ill. 2024). "Capture" includes "to record in a permanent file (as in a computer)," and "collect" means to "to bring together into one body and place, to gather or exact from a number of persons or sources, and to gather an accumulation of." Barnett v. Apple Inc., 2022 IL App (1st)
220187, ¶¶ 48-49, 225 N.E.2d 602, 611 (internal quotation marks omitted) (citing Merriam-Webster Online Dictionary). "Obtain simply means 'to gain or attain usually by planned action or effort'" and "'[t]o bring into one's own possession; to procure, esp. through effort.'"). Howe, 2024 WL 4346631, at *10 (citing Merriam-Webster Online Dictionary and Black's Law Dictionary (11th ed. 2019)). EWF argues that plaintiffs are unable to show that it even possessed the templates, let alone collected, captured, or obtained them. EWF argues that it merely provided its customers with equipment and software, and it was the customers who collected data, via the supplied tools, that was then stored on cloud-servers. EWF maintains that as a result, it had no control over any of the data that customers generated via the devices. Unlike other provisions in BIPA, section 15(b) does not expressly require showing "possession." Courts, however, have concluded that section 15(b) does not apply when
a plaintiff cannot show possession, because "collect, capture, and obtain" suggest that possession is a prerequisite to liability under section 15(b). See Jacobs v. Hanwha Techwin Am., Inc., No. 21 C 866, 2021 WL 3172967, at *2 (N.D. Ill. July 27, 2021) ("The parties appear to agree that mere possession of biometric data is insufficient to trigger Section 15(b)'s requirements.") (collecting cases); see also Karling v. Samsara Inc., 610 F. Supp. 3d 1094, 1103 (N.D. Ill. 2022) ("Samsara is correct that courts have held that § 15(b) does not apply to entities that merely possess rather than 'collect, capture, purchase, receive through trade, or otherwise obtain' the data."). In support of its contention that it did not possess template data, EWF cites two cases. First, it says that in Hazlitt v. Apple Inc., 543 F. Supp. 3d 643 (S.D. Ill. 2021), the
court found that Apple possessed user biometric information based on facial recognition data because it had "complete and exclusive control over the data on Apple Devices, including what biometric identifiers are collected, what biometric data is saved, whether biometric identifiers are used to identify users (creating biometric information), and how long biometric data is stored." Id. at 653. In contrast, in Barnett v. Apple Inc., the court found that Apple did not possess biometric information generated from Apple's Touch ID and Face ID features because the data was not stored on Apple's servers (as the data in Hazlitt was) but "on the users' individual devices and [] users [could] delete the information and disable the features." Barnett v. Apple Inc., 2022 IL App (1st) 220187, ¶ 45, 225 N.E.3d at 610. EWF argues that the situation in this case is like Barnett—any data collected by the devices it sells is stored in Vault Networks' servers that only customers can access. According to EWF, it merely monitors the servers without any ability to control or
dispose of the data stored on them. But the evidence permits a different view of matters, as the plaintiffs contend. Plaintiffs cite several statements made by EWF's CEO and in EWF's documents reflecting that EWF had some level of control over the data stored in Vault Networks' servers. Taken together, there is evidence sufficient to permit a reasonable jury to find that EWF had control over the data stored in Vault Networks' servers. First, EWF's CEO, Sinos Jos, made multiple statements indicating that EWF does exercise control over the servers and the data in the servers. He testified that "Vault only leases the servers to us. They don't do anything to the server once they lease it to us. We are in full control of the servers." See Pl.'s Ex. 2 at 257:13-16; see
also Pl.'s Ex. 40 (a communication between EWF and a customer in which EWF referred to "our servers."). CEO Jos explained that in preparation for discovery, EWF was able to query the server databases that contained the employees' digital templates and perform a data collection of certain types of user information about employees who had used the devices. See Pl.'s Ex. 2 at 143:7-11 ("This document was generated when I request an engineer to go into the system and specifically look for the data of those Illinois clients and see how many employees had the scans and what were the total number of scans." . . . [The system] should include the digital templates, yes."); see also id. at 146:11-148:16 (explaining how database was queried in preparation for document production). EWF's expert similarly made a number of statements suggesting that EWF had access to the servers. See Def.'s Ex. 7, A at 10 ("The Dedicated Server Agreement between Vault Networks and EasyWorkforce states that 'Vault Networks exercises no
control over, and accepts no responsibility for, the content of the information passing through Vault Networks' host computers, network hubs, and points of presence.' This makes clear that EasyWorkforce is responsible for the data stored on the dedicated servers it leases from Vault Networks."); see also id. at 9 ("EasyWorkforce was responsible for the application data associated with the remote timeclock devices, including access control to the server itself."). Additionally, plaintiffs have identified evidence suggesting that EWF had the ability to archive and delete customer data. See Pl.'s Ex. 66 at 3 (customers may "request[] destruction of data upon cancellation," otherwise "data is archived after one year of cancellation and non-use."). In response to plaintiffs' argument, EWF focuses almost entirely on its customers'
control of the server databases. It says that customers can choose to add new data, to delete data, and how to collect the data. See Def.'s Ex. 1 at 125:25-126:16; 244:19-24 (EWF CEO stating that data ownership belongs to customers); Def.'s Ex. 5 at 88:2-10 (EWF CEO stating that device is not within EWF's control but within the customer's control). But this argument does not necessarily defeat plaintiffs' contention that EWF has control over the server databases. "Possession," as it is commonly understood, and under BIPA, does not require exclusive control. The fact that EWF's customers may have exercised control over their server databases does not mean that EWF did not also exercise control over this data. See G.T., 742 F. Supp. at 797; Heard v. Becton, Dickinson & Co., 440 F. Supp. 3d 960, 968 (N.D. Ill. 2020). "The Illinois Supreme Court has held that 'possession, as ordinarily understood, occurs when a person has or takes control of the subject property or holds the property at his or her disposal.'" See Heard, 440 F. Supp. 3d at 968. Plaintiffs have pointed to
evidence sufficient to permit a reasonable jury to find that EWF has control over the servers, and thus that EWF possesses data on the servers. Because "capture," "collect," and "obtain" each indicate that a plaintiff must show that an entity gained control of users' biometric information, see G.T., 742 F. Supp. at 797 (citing Cothron v. White Castle Sys., Inc., 2023 IL 128004, ¶ 16, 216 N.E.3d 918, 923), a showing that EWF had control over the data in the servers would permit a reasonable jury to find that EWF "collects, captures, and obtains" the data. Based on the evidence referenced by the plaintiffs, a case can be made that this is not a situation, as EWF would have the Court believe, where EWF's "connection with the [devices and software] was essentially severed at the point of sale, and they were
not involved in any data collection process that occurred once the cameras were installed." Rivera v. Amazon Web Servs., Inc., No. 2:22-CV-00269, 2023 WL 4761481, at *5 (W.D. Wash. July 26, 2023). Instead, in this case, plaintiffs have identified evidence permitting a reasonable jury to find that even after the sale of its devices, EWF continues to provide a server database system over which it has control and therefore collects, captures, or at least otherwise obtains the biometric information that the devices send to the servers. The Court therefore denies EWF's motion for summary judgment regarding plaintiffs' section 15(b) claim. But although plaintiffs' evidence would permit a reasonable jury to find that EWF controlled the servers, and consequently that it captured, collected, or otherwise obtained biometric information, the evidence does not necessarily require such a finding. In considering plaintiffs' motion for summary judgment, the Court is "required to view the facts and draw reasonable inferences 'in the light most favorable to [EWF,] the
party opposing the [summary judgment] motion.'" See Scott v. Harris, 550 U.S. 372, 378 (2007) (citation omitted). EWF has offered evidence sufficient to permit a reasonable jury to find that it did not control the data on Vault Networks' servers. Among other things, EWF offers evidence that could be understood to show that it lacked such control, including its CEO's assertion that only customers control adding or deleting the data in the servers. See e.g., Def.'s Ex. 1 at 125:25-126:16; 244:19-24; Def.'s Ex. 5 at 88:2-10. And a jury would not be required to understand CEO Jos's testimony and the earlier-referenced EWF documents discussing the servers as the admissions or near-admissions that plaintiffs contend they are. Determining the weight to give each side's evidence and choosing what inferences should be drawn from this
evidence are matters within the province of a jury, not the Court. See Arana v. Bd. of Regents of Univ. of Wisconsin Sys., 142 F.4th 992, 1009 (7th Cir. 2025) ("It is not our role, however, to decide the strength of competing evidence. That is a role for the jury."); Applewhite v. Deere & Co., No. 4:18 CV 04106-SLD-JEH, 2020 WL 7029889, at *10 (C.D. Ill. Nov. 30, 2020) ("At the summary judgment stage, the court's function is not to weigh the evidence and determine the truth of the matter, but to determine whether there is a genuine issue for trial—that is, whether there is sufficient evidence favoring the non-moving party for a factfinder to return a verdict in its favor."). In short, each side has offered enough evidence to permit a reasonable jury to find in its favor on this point. Neither side is entitled to summary judgment on the plaintiffs' claim under section 15(b) of BIPA. B. Section 15(d) Plaintiffs also contend that EWF violated section 15(d) of BIPA, which states that
"[n]o private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information." 740 Ill. Comp. Stat. 14/15(d). The provision permits this conduct only if "(1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure; (2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of
competent jurisdiction." Id. In this case it is undisputed that consent was lacking; the disputed issue includes whether EWF disclosed or disseminated the class members' biometric information. The alleged disclosure or dissemination, according to plaintiffs, consisted of EWF transmitting subclass members' biometric information, i.e., their fingerprint templates, to Vault Networks. EWF argues that it was not "in possession" of the biometric information and that even if it was, it was the customers who transmitted the data from the timeclocks to the servers. As discussed in the previous section, the Court has already determined that there are genuinely disputed facts precluding summary judgment on the question of EWF's possession of the biometric information. The Court therefore focuses on EWF's argument that it did not transmit the template data. See Heard, 440 F. Supp. 3d at 968 ("Sections 15(a) and 15(d) of BIPA apply to entities 'in possession of' biometric data.").
In this case, plaintiffs contend that the disclosure consisted of sending class members' biometric information to Vault Networks' servers. Plaintiffs contend that EWF did this by designing and programming its software to perform data transmissions; they do not contend that EWF directly effectuated the transmission. See Pl.'s Combined Resp. and Reply Mem. at 9. Although there are cases that have considered similar factual circumstances in the context of section 15(d) claims, none have directly addressed the question presented by the factual circumstances in this case—whether section 15(d) applies to an entity that enables someone else to disseminate biometric information. BIPA does not define "disclose" or "disseminate." "Where, as here, a statutory
term is not defined, we assume the legislature intended for it to have its popularly understood meaning"; in other words, a court considers the term's "plain and ordinary" meaning. Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, ¶ 24, 129 N.E.3d 1197, 1204-05. The Seventh Circuit has noted that "disclose[]" means "[t]o make (something) known or public; to show (something) after a period of inaccessibility or of being unknown; to reveal." Cothron v. White Castle Sys., Inc., 20 F.4th 1156, 1163 (7th Cir. 2021) (citing Black's Law Dictionary (11th ed. 2019)). "Disseminate" means to "spread abroad as though sowing seed" and "to disperse throughout." See Disseminate, Merriam-Webster.com, https://www.merriam-webster.com/dictionary/disseminate (last accessed Aug. 4, 2025). These definitions indicate that section 15(d) contemplates some direct involvement in the disclosure or dissemination of biometric information. Here there is nothing of the kind: EWF simply provided customers with the platform and software that
enabled transmission. Finding EWF guilty of transmission of the data would be the rough equivalent of finding Google guilty of transmitting emails because it supplies the Gmail software to the actual sender of the emails. This makes no sense. The statutory definition does not, in the Court's view, admit a reading that would imposes liability based on an entity enabling another entity to disclose or disseminate information. Judge Elaine Bucklo came to a similar conclusion in Clark v. Microsoft Corp., 688 F. Supp. 3d 743 (N.D. Ill. 2023). In Clark, an employee used a video-based coaching software called Brainshark, which interfaced with two Microsoft products, including a cloud service. The plaintiff argued that Microsoft violated section 15(d) by disclosing or disseminating his biometric data, namely his facial geometry scans, to Brainshark. See
id. at 750. Judge Bucklo explained that "I take those allegations to mean that Microsoft provides its Azure and ACS technology to Brainshark and other customers, but nothing in those allegations indicates disclosure, redisclosure, or dissemination of biometric data from Microsoft to Brainshark." Id. In other words, Judge Bucklo essentially determined that a company does not disseminate data through providing another entity with technology, even if that technology enables that other entity to transmit information. This Court agrees with Judge Bucklo's analysis. EWF provides its customers with a timekeeping device; from there, its customer activates the device and independently operates it. Although template data reaches Vault Networks' servers via the operation of EWF's software, it is the customers who operate the system and directly "press a button" that disseminates the data to the databases in Vault Networks' servers. See Pl.'s Ex. 2 at 189:6-10. Although EWF may have access to the Vault Networks' server databases—as discussed in the previous section—this is after the
transmission of data has already occurred. There is no evidence that EWF has access to or control over the data when it is still on customers' local databases or at any point before it reaches Vault Networks' servers. To be sure, there are cases in this district and elsewhere that suggest section 15(d) liability may be imposed even when an entity enables a third-party to transmit data through the entity's software. See e.g., Deyerler v. HireVue, Inc., No. 22 C 1284, 2024 WL 774833, at *7 (N.D. Ill. Feb. 26, 2024); Taylor v. 48forty Sols., LLC, No. 23 C 14400, 2024 WL 1530383, at *6 (N.D. Ill. Apr. 9, 2024); Heard v. Becton, Dickinson & Co., 524 F. Supp. 3d 831, 843 (N.D. Ill. 2021); McClaine v. DX Enters., Inc., No. 23 CV1168- DWD, 2024 WL 3860971, at *4 (S.D. Ill. Aug. 19, 2024); Johns v. Paycor, Inc., No. 3:20-
CV-264-DWD, 2025 WL 947914, at *4 (S.D. Ill. Mar. 28, 2025). The Court respectfully disagrees with these decisions to the extent they differ from its decision here. In this regard, some or all of the cases involve decisions on motions to dismiss for failure to state a claim; these decisions assess the plaintiffs' claims under a more generous standard and do not describe what sort of evidence is required to prove a section 15(d) claim. In addition, none of these cases expressly grapple with the distinction between directly transmitting data and providing equipment or software that allows others to transmit data. To the extent they do, in the Court's view they stretch the statutory terms "disclose" and "disseminate" too far. Finally, at least some of these cases rely on other decisions that involve factually distinguishable scenarios in which the defendant was the actor directly transmitting the data. See, e.g., Figueroa v. Kronos Inc., 454 F. Supp. 3d 772, 778 (N.D. Ill. 2020); Cothron, 2023 IL 128004, ¶ 45, 216 N.E.3d 918, 929. The Court concludes that there is no genuine factual dispute; EWF did not
disclose or disseminate biometric information within the meaning of section 15(d). EWF is entitled to summary judgment on this claim; plaintiffs are not. C. Section 15(e) Lastly, plaintiffs contend that EWF violated section 15(e) of BIPA because it failed to protect their fingerprint scans using established industry security standards despite providing other types of confidential information with more protection. Section 15(e) states that "[a] private entity in possession of a biometric identifier or biometric information shall: (1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and (2) store, transmit, and protect from disclosure all biometric
identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information." 740 Ill. Comp. Stat. 14/15(e). Plaintiffs argue that EWF failed to secure biometric information under established standards of care, including encryption of the template databases and obtaining SOC 2 certification in a timely manner. See Pl.'s Mem. for Summ. J. at 16. EWF argues in response that there are factual disputes that preclude summary judgment on this claim. As EWF accurately points out, the two sides' experts render opposite conclusions on whether EWF's data protection met industry standards. David Harding, plaintiffs' expert, based his opinion on his review of the record and sources including the National Institute of Standards and Technology (NIST) and the International Organization of Standards (ISO). He concluded that "WorkEasy fell far short of meeting industry standards for securing class members' fingerprint templates. It fell short both as to its
policies, and to the actual practices implemented." Pl.'s Ex. 49 at 9-13. Harding's report outlines the practices that EWF failed to implement, even after it began encrypting fingerprint data in 2022, including failing to require multi-factor authentication and a lack of clear and effective security policies. See id. There is also evidence from EWF CEO Jos's deposition seemingly admitting that template data on the servers was not encrypted. See Pl.'s Ex. 2 at 247:10–248:4 (EWF CEO admitting that digital templates are encrypted in the device but not in the cloud storage). Jason Hale, EWF's expert, provides contrary testimony. He concluded that EWF "used industry-standard security measures for preventing unauthorized access to its cloud-based servers storing biometric minutiae records," including multi-factor
authentication, IP address whitelisting, and limited access to the database. Def.'s Ex. 7, A, at 11-12. The Court notes that it is not clear whether Hale differentiated between EWF's conduct before and after its security rehaul in 2022. Still, considering that each expert has provided opinion testimony sufficient to permit a reasonable jury to find in favor of the particular expert's side, the Court agrees with EWF that this is a dispute appropriately left to a jury. See Morris v. Obaisi, No. 17 C 5939, 2023 WL 2745508, at *6 (N.D. Ill. Mar. 31, 2023) ("The Court does not make determinations as to which expert's opinion is more credible in deciding summary judgment. . . . Rather, such direct conflict between competing expert opinions presents a classic jury issue that precludes determination at the summary judgment stage, where the Court must draw all reasonable inferences in Morris's favor."). The same can be said about the plaintiffs' contention that even if EWF aligned with industry standards in protecting biometric information, it provided other types of
data that it stored with greater protection in violation of section 15(e). Both parties present sufficient evidence to create a genuine factual dispute on this point. Specifically, plaintiffs' expert Harding states that: "As noted above, WorkEasy used Google's Gmail and Google Drive products throughout the relevant time period. Google has encrypted Gmail mailboxes and Google Drive files since the services were established and provided commercially. On the other hand, WorkEasy did not encrypt fingerprint templates stored in its cloud database until the SOC 2 certification process in mid-2022, despite encrypting the templates on the timeclocks and in transit from timeclock to server throughout the class period." Pl.'s Ex. 49 at 13-14. By contrast, EWF points to testimony from its software architect, Eddy Sanchez
Tellez, who stated that social security numbers and template data were protected in the same way. See Def.'s Ex. 6 at 86:22-87:2. EWF therefore argues that because "[s]ocial security numbers are identified as 'confidential and sensitive information' in BIPA and because the server protects that data the same as the alleged biometric data in question, there is no violation of section 15(e)." See Def.'s Resp. to Pl.'s Mot. for Summ. J. at 20. The Court finds that there are genuine factual disputes on whether EWF protected template data in the same manner that it protected other confidential information in its system. For the reasons stated, neither side is entitled to summary judgment on plaintiffs' claim under BIPA section 15(e). D. Affirmative defenses The last remaining topic involves EWF's affirmative defenses. EWF has withdrawn a number of its defenses and now only asserts its fifth (implied and express
consent), seventh (estoppel, waiver, ratification, acquiescence), eleventh (failure to state a claim on which relief can be granted), and thirteenth (comparative fault, lack of causation, failure to mitigate, and avoidance of consequences) affirmative defenses. Plaintiffs seek summary judgment against the defendant on all its remaining defenses. EWF seeks summary judgment in its favor on its affirmative defense of waiver. Plaintiffs argue that because BIPA is a strict liability statute, common-law defenses are unavailable. See Olle v. C House Corp., 2012 IL App (1st) 110427, ¶ 15, 967 N.E.2d 886, 890 ("The supreme court has advised that statutes in derogation of common law will not be found to abrogate common-law affirmative defenses, unless it plainly appears that the intent of the statute is to impose strict liability."); Snider v.
Heartland Beef, Inc., 479 F. Supp. 3d 762, 772-73 (C.D. Ill. 2020) ("Therefore, it appears that BIPA imposes strict liability (though the defendant's intent may impact recovery) and assumption of the risk would not be available as a defense."). There is a significant amount of caselaw that establishes BIPA is a strict liability statute. See Howe, 2024 WL 4346631, at *10 ("On liability, BIPA is indeed a strict liability statute and requires no proof of a particular mental state to establish a violation of the statute's notice and consent or data-retention policy requirements under sections 15(a) and (b).") (citing Vaughan v. Biomat USA, Inc., No. 20 C 4241, 2022 WL 4329094, at *12 (N.D. Ill. Sept. 19, 2022); Bradenberg v. Meridian Senior Living, LLC, No. 20-CV- 03198, 2023 WL 5671275, at *3 (C.D. Ill. Sept. 1, 2023)); see also Snider, 479 F. Supp. 3d at 772 ("The Court hesitates to read a common law defense into a statute that plainly appears to abrogate it."). EWF argues that BIPA cannot be a strict liability statute because a BIPA plaintiff
has to prove EWF's negligent, intentional, or reckless state of mind to collect statutory damages. See 740 Ill. Comp. Stat. 14/20(a)(1-2). But "[d]amages and liability present distinct issues." Beard v. Wexford Health Sources, Inc., 900 F.3d 951, 955 (7th Cir. 2018); see also Howe, 2024 WL 4346631, at *10 ("The state-of-mind question for damages is separate from whether Howe can establish liability through a violation of the notice-and-consent requirements under section 15(b)."). The Court agrees that liability under BIPA amounts to strict liability. The Court therefore concludes that plaintiffs are entitled to summary judgment on EWF's remaining common-law affirmative defenses. And for the same reason, EWF is not entitled to summary judgment on its "waiver" defense.
Conclusion For the following reasons, the Court grants EWF's motion for summary judgment [dkt. no. 311] on plaintiffs' section 15(d) claim but denies its motion on plaintiffs' section 15(b) and (e) claims. The Court denies plaintiffs' motion for summary judgment [dkt. no. 300] on their remaining claims but grants the motion with respect to EWF's affirmative defenses. Finally, the Court finds under Fed. R. Civ. P. 56(g) that the templates at issue in this case constitute biometric information as defined by BIPA. The case is set for an in-person status hearing on August 15, 2025 at 9:05 a.m. for the purpose of setting a prompt trial date (as the case is over four years old) and discussing the possibility of settlement. Finally, the Court expects to issue next week its decision on summary judgment regarding United Tape’s crossclaim. Date: August 8, 2025
United States District Judge