IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION
Delma Warmack-Stillwell, on ) behalf of herself and all ) others similarly situated, ) ) Plaintiff, ) ) ) v. ) No. 22 C 4633 ) ) Christian Dior, Inc., ) ) Defendant. ) )
Memorandum Opinion & Order Plaintiff Delma Warmack-Stillwell has filed this putative class action against defendant Christian Dior, Inc., under the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq. Defendant now moves to dismiss the complaint under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). For the following reasons, the motion under Rule 12(b)(1) is denied and the motion under Rule 12(b)(6) is granted. I. According to the complaint, plaintiff visited defendant’s website and used a virtual try-on tool (“VTOT”) that allowed her to see how defendant’s sunglasses would look on her face, as if she were trying the glasses on in a brick-and-mortar store. The VTOT is accessed by clicking a button that appears next to images of eyewear for sale. Using the consumer’s web camera, the tool displays a real-time image of the user wearing the eyewear. The VTOT “is able to accurately detect, in an instant, where the chosen [eyewear] should be placed on an individual’s face, and moves the
product with the user’s movements to ensure that it appears as if the user is actually wearing the [e]yewear.” Complaint, Dkt. No. 1 ¶ 67. The VTOT is “powered by” an application created by another entity called FittingBox. When a consumer uses the VTOT, a facial geometry scan is performed and the data is collected and transferred to FittingBox’s server, and possibly defendant’s server too, where it is stored for an uncertain amount of time. Plaintiff alleges that defendant profits from the process of collecting, storing, and using consumers’ facial geometry scans because it improves customers’ experiences purchasing eyewear from defendant online.
Plaintiff complains that defendant’s conduct violates BIPA, which was enacted out of concern over increasing use of biometric data,1 which is “biologically unique to the individual” and, if
1 The statute specifically targets two types of biometric data: (1) “biometric identifiers,” which include a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”; and (2) “biometric information,” which includes “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an compromised, leaves that individual with “no recourse” and “heightened risk for identity theft.” 740 ILCS 14/5(c). Private entities are subject to various requirements and restrictions under BIPA, three of which are the bases for each of plaintiff’s three counts. First, under section 15(a) private entities in
possession of biometric data must have a publicly available written policy for the retention and destruction of that data. 740 ILCS 14/15(a). Second, under section 15(b), they must get informed consent before collecting, capturing, purchasing, receiving through trade, or otherwise obtaining an individual’s biometric data. 740 ILCS 14/15(b). And third, under section 15(c), they may not “sell, lease, trade, or otherwise profit from” an individual’s biometric data. 740 ILCS 14/15(c). II. Defendant lodges a threshold jurisdictional argument for dismissal under Rule 12(b)(1), asserting that plaintiff has not alleged an injury in fact sufficient to satisfy Article III for
her section 15(a) and 15(c) claims. The Seventh Circuit has recently examined what is required to plead an injury in fact under section 15(a). In Bryant v. Compass Group USA, Inc., the court held that merely alleging failure to publicly disclose a data-retention policy is insufficient. 958
individual.” 740 ILCS 14/10. The distinction is not important here, so I refer to these categories collectively as “biometric data.” F.3d 617, 626 (7th Cir. 2020). But the court later clarified that the holding of Bryant is narrow, and that a plaintiff pleads injury in fact where she “accuses [a defendant] of violating the full range of its section 15(a) duties by failing to develop, publicly disclose, and comply with a data-retention schedule and guidelines
for the permanent destruction of biometric data when the initial purpose for collection ends.” Fox v. Dakkota Integrated Sys., LLC, 980 F.3d 1146, 1154 (7th Cir. 2020) (emphasis in original); see also Hazlitt v. Apple Inc., 543 F. Supp. 3d 643, 649 (S.D. Ill. 2021) (“Under Fox, the allegation that [defendant] has failed to follow a policy for retaining and destroying Plaintiffs’ biometric identifiers and information is enough to establish Article III standing for Plaintiffs’ section 15(a) claim.” (collecting cases)). Plaintiff here alleges violation of the full panoply of section 15(a)’s requirements. She alleges that defendant “did not develop or follow a retention policy” that would pass muster under
section 15(a). Complaint ¶ 28 (emphasis added); see also id. ¶ 86 (“Dior had not developed a written policy establishing retention schedules and guidelines for permanently destroying consumers’ biometric identifiers and biometric information, and did not destroy such data within the timeframes established by BIPA.”); id. ¶¶ 119–21. These allegations confer standing because “unlawful retention of a person’s biometric data is as concrete and particularized an injury as an unlawful collection of a person’s biometric data.” See Fox, 980 F.3d at 1155 (emphases in original). In contrast, the cases defendant cites where courts found lack of standing on section 15(a) claims were devoid of allegations that the defendants had failed to comply with a retention policy
under that section. See, e.g., Garner v. Buzz Finco LLC, No. 3:21- cv-50457, 2022 WL 1085210, at *3 (N.D. Ill. Apr. 11, 2022) (“Unlike the allegations in Fox, Garner never alleges that Defendants failed to comply with a data retention schedule.”); Woods v. FleetPride, Inc., No. 1:21-CV-01093, 2022 WL 900163, at *5 (N.D. Ill. Mar. 27, 2022) (“The Section 15(a) claim in this case mirrors Bryant, not Fox. . . . This is not an issue of compliance beyond publication, and that makes all the difference.”). They are therefore inapplicable here. Defendant similarly argues that plaintiff has not done enough to plead injury in fact for her section 15(c) claim. The Seventh Circuit has characterized section 15(c) as a “general regulatory
rule” commanding that “no one may profit in the specified ways from another person’s biometric identifiers or information,” and that pleading a bare violation of this provision is not enough for standing purposes. Thornley v. Clearview AI, Inc., 984 F.3d 1241, 1246–47 (7th Cir. 2021). The court observed, however, that a plaintiff may plead injury in fact under section 15(c) by alleging, for example, “that by selling her data, the collector has deprived her of the opportunity to profit from her biometric information.” Id. at 1247. Plaintiff does just that. In addition to alleging that defendant violated section 15(c) by using customer biometric data to “improve the customers’ experience on Dior’s website, and
increase sales of its [e]yewear,” Complaint ¶ 87; see also id.
Free access — add to your briefcase to read the full text and ask questions with AI
IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION
Delma Warmack-Stillwell, on ) behalf of herself and all ) others similarly situated, ) ) Plaintiff, ) ) ) v. ) No. 22 C 4633 ) ) Christian Dior, Inc., ) ) Defendant. ) )
Memorandum Opinion & Order Plaintiff Delma Warmack-Stillwell has filed this putative class action against defendant Christian Dior, Inc., under the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq. Defendant now moves to dismiss the complaint under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). For the following reasons, the motion under Rule 12(b)(1) is denied and the motion under Rule 12(b)(6) is granted. I. According to the complaint, plaintiff visited defendant’s website and used a virtual try-on tool (“VTOT”) that allowed her to see how defendant’s sunglasses would look on her face, as if she were trying the glasses on in a brick-and-mortar store. The VTOT is accessed by clicking a button that appears next to images of eyewear for sale. Using the consumer’s web camera, the tool displays a real-time image of the user wearing the eyewear. The VTOT “is able to accurately detect, in an instant, where the chosen [eyewear] should be placed on an individual’s face, and moves the
product with the user’s movements to ensure that it appears as if the user is actually wearing the [e]yewear.” Complaint, Dkt. No. 1 ¶ 67. The VTOT is “powered by” an application created by another entity called FittingBox. When a consumer uses the VTOT, a facial geometry scan is performed and the data is collected and transferred to FittingBox’s server, and possibly defendant’s server too, where it is stored for an uncertain amount of time. Plaintiff alleges that defendant profits from the process of collecting, storing, and using consumers’ facial geometry scans because it improves customers’ experiences purchasing eyewear from defendant online.
Plaintiff complains that defendant’s conduct violates BIPA, which was enacted out of concern over increasing use of biometric data,1 which is “biologically unique to the individual” and, if
1 The statute specifically targets two types of biometric data: (1) “biometric identifiers,” which include a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”; and (2) “biometric information,” which includes “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an compromised, leaves that individual with “no recourse” and “heightened risk for identity theft.” 740 ILCS 14/5(c). Private entities are subject to various requirements and restrictions under BIPA, three of which are the bases for each of plaintiff’s three counts. First, under section 15(a) private entities in
possession of biometric data must have a publicly available written policy for the retention and destruction of that data. 740 ILCS 14/15(a). Second, under section 15(b), they must get informed consent before collecting, capturing, purchasing, receiving through trade, or otherwise obtaining an individual’s biometric data. 740 ILCS 14/15(b). And third, under section 15(c), they may not “sell, lease, trade, or otherwise profit from” an individual’s biometric data. 740 ILCS 14/15(c). II. Defendant lodges a threshold jurisdictional argument for dismissal under Rule 12(b)(1), asserting that plaintiff has not alleged an injury in fact sufficient to satisfy Article III for
her section 15(a) and 15(c) claims. The Seventh Circuit has recently examined what is required to plead an injury in fact under section 15(a). In Bryant v. Compass Group USA, Inc., the court held that merely alleging failure to publicly disclose a data-retention policy is insufficient. 958
individual.” 740 ILCS 14/10. The distinction is not important here, so I refer to these categories collectively as “biometric data.” F.3d 617, 626 (7th Cir. 2020). But the court later clarified that the holding of Bryant is narrow, and that a plaintiff pleads injury in fact where she “accuses [a defendant] of violating the full range of its section 15(a) duties by failing to develop, publicly disclose, and comply with a data-retention schedule and guidelines
for the permanent destruction of biometric data when the initial purpose for collection ends.” Fox v. Dakkota Integrated Sys., LLC, 980 F.3d 1146, 1154 (7th Cir. 2020) (emphasis in original); see also Hazlitt v. Apple Inc., 543 F. Supp. 3d 643, 649 (S.D. Ill. 2021) (“Under Fox, the allegation that [defendant] has failed to follow a policy for retaining and destroying Plaintiffs’ biometric identifiers and information is enough to establish Article III standing for Plaintiffs’ section 15(a) claim.” (collecting cases)). Plaintiff here alleges violation of the full panoply of section 15(a)’s requirements. She alleges that defendant “did not develop or follow a retention policy” that would pass muster under
section 15(a). Complaint ¶ 28 (emphasis added); see also id. ¶ 86 (“Dior had not developed a written policy establishing retention schedules and guidelines for permanently destroying consumers’ biometric identifiers and biometric information, and did not destroy such data within the timeframes established by BIPA.”); id. ¶¶ 119–21. These allegations confer standing because “unlawful retention of a person’s biometric data is as concrete and particularized an injury as an unlawful collection of a person’s biometric data.” See Fox, 980 F.3d at 1155 (emphases in original). In contrast, the cases defendant cites where courts found lack of standing on section 15(a) claims were devoid of allegations that the defendants had failed to comply with a retention policy
under that section. See, e.g., Garner v. Buzz Finco LLC, No. 3:21- cv-50457, 2022 WL 1085210, at *3 (N.D. Ill. Apr. 11, 2022) (“Unlike the allegations in Fox, Garner never alleges that Defendants failed to comply with a data retention schedule.”); Woods v. FleetPride, Inc., No. 1:21-CV-01093, 2022 WL 900163, at *5 (N.D. Ill. Mar. 27, 2022) (“The Section 15(a) claim in this case mirrors Bryant, not Fox. . . . This is not an issue of compliance beyond publication, and that makes all the difference.”). They are therefore inapplicable here. Defendant similarly argues that plaintiff has not done enough to plead injury in fact for her section 15(c) claim. The Seventh Circuit has characterized section 15(c) as a “general regulatory
rule” commanding that “no one may profit in the specified ways from another person’s biometric identifiers or information,” and that pleading a bare violation of this provision is not enough for standing purposes. Thornley v. Clearview AI, Inc., 984 F.3d 1241, 1246–47 (7th Cir. 2021). The court observed, however, that a plaintiff may plead injury in fact under section 15(c) by alleging, for example, “that by selling her data, the collector has deprived her of the opportunity to profit from her biometric information.” Id. at 1247. Plaintiff does just that. In addition to alleging that defendant violated section 15(c) by using customer biometric data to “improve the customers’ experience on Dior’s website, and
increase sales of its [e]yewear,” Complaint ¶ 87; see also id. ¶¶ 88, 131–36, plaintiff alleges that she and the other class members “have been injured by Dior’s conduct” including through “the unknowing loss of control of their most unique biometric identifiers” and “violation of their rights in and ownership of their unique biometric identifiers and biometric information through Dior’s profiting from the same.” Id. ¶ 137. In other words, by using her biometric data for its own profit, defendant impacted plaintiff’s ownership over and ability to control that data for her own purposes. That type of allegation is lacking from cases like Thornley in which courts found plaintiffs lacked standing to bring a section
15(c) claim. See, e.g., Carpenter v. McDonald’s Corp., No. 1:21- cv-02906, 2021 WL 6752295, at *4–5 (N.D. Ill. Nov. 1, 2021) (alleging simply that defendant profited from plaintiff’s biometrics); Hazlitt, 543 F. Supp. 3d at 651–52 (same). Drawing all reasonable inferences in plaintiff’s favor, the allegation in paragraph 137 of the complaint makes it plausible that defendant’s use of plaintiff’s biometric information for profit “deprived her of the opportunity to profit from her biometric information.” Thornley, 984 F.3d at 1247. And contrary to defendant’s suggestion, it is not necessary to infer that this means plaintiff would have wanted a profit-sharing agreement with defendant, which itself may run afoul of section 15(c)’s categorical bar on third parties using
biometric data for profit and give rise to redressability concerns under Article III. III. Defendant also seeks to dismiss the complaint under Rule 12(b)(6), arguing that the alleged conduct falls under one of BIPA’s statutory exemptions. Among other things, BIPA excludes from its definitions of “biometric identifiers” and “biometric information”: (1) “information captured from a patient in a health care setting” and (2) “information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.” 740 ILCS 14/10. Only the first exemption--the “general health care
exemption”--is at issue here; defendant does not argue that the second exemption--the “HIPAA exemption”--applies. Whether the general health care exemption applies depends on whether plaintiff, in using the VTOT, was a “patient” in a “health care setting.” BIPA does not define these terms, so I “presume that the legislature intended the term[s] to have [their] popularly understood meaning,” which can be ascertained from dictionary definitions. Metro. Life Ins. Co. v. Hamer, 990 N.E.2d 1144, 1151 (Ill. 2013) (citations omitted). Merriam-Webster defines “patient” as “an individual awaiting or under medical care and treatment” or “the recipient of any various personal services.” Patient, Merriam-Webster,
https://www.merriam-webster.com/dictionary/patient (last visited February 2, 2023). Plaintiff argues that she cannot reasonably be considered a “patient” because she only sought non-prescription sunglasses, not prescription glasses. See Complaint ¶¶ 32–33. But sunglasses, even if non-prescription, protect one’s eyes from the sun and are Class I medical devices under the Food & Drug Administration’s regulations. See 21 C.F.R. § 886.5850. By using the VTOT to try on sunglasses, plaintiff was “an individual awaiting . . . medical care,” and therefore a “patient,” because the tool facilitates the provision of a medical device that protects vision. Indeed, according to the complaint, using the VTOT is the “online equivalent” of going to a brick-and-mortar
location to get sunglasses. Complaint ¶ 5. Though plaintiff may be right that VTOT users would be surprised to learn that “they were entering into a provider/patient relationship,” Resp., Dkt. No. 22 at 15, the relevant test is not a user’s subjective understanding, but rather an objective application of the text of the exemption. The outcome of the analysis should not change based on whether a consumer uses the VTOT in search of sunglasses mainly for style or if she uses the VTOT to purchase sunglasses as protection from the sun’s rays. For the same reasons, use of the VTOT constitutes “health care,” which is defined as “efforts made to maintain or restore physical, mental, or emotional well-being especially by trained
and licensed professionals.” Health care, Merriam-Webster, https://www.merriam-webster.com/dictionary/healthcare (last visited February 2, 2023). And I have no trouble finding that the VTOT counts as a “setting.” See Setting, Merriam-Webster, https://www.merriam-webster.com/dictionary/setting (last visited February 2, 2023) (“[T]he time, place, and circumstances in which something occurs or develops”). Arguing that a medical device does not transform every setting in which it is used into a “health care setting,” plaintiff asserts that “[a]n artist prepping a canvas is not providing a health care service if they use a scalpel instead of an Xacto knife.” Resp. at 15 n.10. True enough, but the analogy is inapt because the VTOT
facilitates the purchase of sunglasses to wear on one’s face-- which is exactly the use that fulfills that product’s medical purpose--rather than for some other unconventional purpose. Plaintiff also contends that more specific exemptions in BIPA--which relate to, for example, donor organs, blood for transplant recipients, and x-rays, see 740 ILCS 14/10--make clear that the general health care exemption was not intended to reach the facts alleged here. Plaintiff also cites legislative testimony to the same effect. I disagree that it is such a stretch to count the trying on and provision of sunglasses, even in a virtual setting, as “health care” alongside these more specific provisions.
This conclusion comports with the one reached by the other courts that have considered whether BIPA’s general health care exemption applies in the context of virtual try-on tools for eyewear. See Svoboda v. Frames for Am., Inc., No. 21-C-5509, 2022 WL 4109719 (N.D. Ill. Sept. 8, 2022); Vo v. VSP Retail Dev. Holding, Inc., No. 19-C-7187, 2020 WL 1445605 (N.D. Ill. Mar. 25, 2020). Plaintiff’s attempts to distinguish these cases are unavailing. According to plaintiff, the court in Vo focused on the HIPAA exemption, not the general health care exemption. Although the court applied the definition of “health care” from HIPAA regulations, it performed its analysis under the general health care exemption and concluded that the virtual try-on tool at issue
“collected biometric information from a patient in a health care setting.” Vo, 2020 WL 1445605, at *2. Plaintiff also claims that both Svoboda and Vo emphasized allegations that defendants in those cases offered prescription eyewear. To the contrary, both courts recognized that the virtual try-on tools were also used for non- prescription sunglasses. See Svoboda, 2022 WL 4109719, at *2 (finding “non-prescription sunglasses” fall within the exemption); Vo, 2020 WL 1445605, at *2 (same). Plaintiff further asserts that the facts of her case are more like those in recent blood plasma BIPA cases, in which courts found the health care exemption inapplicable. See Vaughan v. Biomat USA,
Inc., No. 20-cv-4241, 2022 WL 4329094 (N.D. Ill. Sept. 19, 2022); Marsh v. CSL Plasma Inc., 503 F. Supp. 3d 677 (N.D. Ill. 2020). These cases applied the same definitions of “patient” and “health care” as the ones I applied above. The key distinction between those cases and this one, however, is that plaintiffs’ biometric information in those cases was collected in connection with the sale of their blood plasma. The courts concluded that removal of plasma in exchange for money is not “health care” because the purpose--at least from the donors’ perspectives--was not to “maintain or restore physical, mental, or emotional well-being”; it was to get paid. Vaughan, 2022 WL 4329094, at *7; see Marsh, 503 F. Supp. 3d at 683 (finding exemption does not apply because
“the only thing that [defendant] is providing to [plaintiff] is money,” not health care). Here, by contrast, users of the VTOT receive a product--sunglasses--to protect their physical health. Indeed, the Marsh and Vaughan courts found their cases distinguishable from the eyewear virtual try-on cases for this reason. See Marsh, 503 F. Supp. 3d at 684 (distinguishing Vo and noting it is “not surprising” that the exemption applied in the context of virtually trying on glasses); Vaughan, 2022 WL 4329094, at *7 (distinguishing Vo and Svoboda). IV. For these reasons, defendant’s motion to dismiss for lack of standing under Rule 12(b)(1) is denied. Defendant’s motion to dismiss under Rule 12(b) (6) is granted. Given this disposition, I do not reach defendant’s remaining arguments for dismissal.
ENTER ORDER:
Elaine E. Bucklo United States District Judge Dated: February 10, 2023