an entity subject to the GLBA. Id . at *22. BAM Trading and Jumio also argued the complaint was barred because the BIPA does not apply “extraterritorially” to entities and events outside of Illinois, but the court held that the relevant events in the case ( i.e. , the downloading of the BAM Trading application to the plaintiff’s phone and the collection of his facial features when he created an account) occurred “primarily and substantially” in Illinois. Id . at *25. Jumio separately argued that the plaintiff’s § 15(a) claim – which asserted that Jumio failed to publicly post and comply with a biometric retention policy – should be dismissed because Jumio had a publicly available online biometric retention policy. The court rejected this argument, in part because the biometric retention policy attached to Jumio’s motion to dismiss did not establish that Jumio had such a policy in effect at the time the plaintiff downloaded the BAM application. The court indicated, however, that it would consider at a later stage of the case whether to limit the plaintiff’s recovery against Jumio to claims arising after June 23, 2019 – the effective date of a settlement that Jumio reached in a previous BIPA class action. The court also rejected Jumio’s argument that its conduct was protected under the First Amendment. In Davis, et al. v. Jumio Corp. , 2023 U.S. Dist. LEXIS 25170 (N.D. Ill. Feb. 14, 2023), the plaintiff alleged that defendant Jumio Corp., an identity verification company, violated the BIPA by collecting the facial biometrics of users of Binance – a cryptocurrency marketplace – to verify their identities without providing the required notice or obtaining consent. Jumio sought to dismiss the putative class action by arguing its client, Binance, was subject to the BIPA’s “financial institution” exemption, which provides that the statute does not apply to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act. Acknowledging that it is not itself a financial institution, Jumio argued that the effective result of allowing the plaintiff to sue Jumio under the BIPA would be an end run around the exemption and result in indirectly applying the statute to Binance. The court denied Jumio’s motion to dismiss. It concluded that it was unclear from the pleadings whether Binance was entitled to that protection, let alone Jumio. Nor was the court swayed by Jumio pointing to other court proceedings where Binance described itself as a financial institution. The court opined that Binance’s statements were "self- serving" and that Binance being registered as a money transmitter with the U.S. Department of the Treasury's Financial Crimes Enforcement Network does not shed light on whether FinCEN maintains that such registration was accurate. Moreover, the complaint contained few factual allegations about Binance performing any financial activities. Jumio also argued that the complaint was barred because the BIPA does not apply entities and events outside of Illinois. The court held, however, given that the plaintiff was an Illinois resident, Jumio conducted business transactions in Illinois, and the plaintiff having submitted a photograph of his driver's license and a photograph of his face on the Binance App from Illinois were sufficient at the pleadings stage to overcome Jumio’s “extraterritoriality” challenge. In another action against Amazon, Rivera, et al. v. Amazon Web Services, Inc. , 2023 U.S. Dist. LEXIS 129517 (W.D. Wash. July 26, 2023), the plaintiffs – a group of Illinois residents who took exams using an online learning platform offered by non-party ProctorU – filed a proposed class action alleging that defendant Amazon Web Services, Inc. (“AWS”), a cloud-computing giant, violated the BIPA by collecting and storing biometric data derived from students’ online images. The plaintiffs claimed that to use Amazon’s “Rekognition” program, AWS customers such as ProctorU must upload their facial images to AWS’s cloud-based storage, and once the “Rekognition” program analyzes the facial features of individuals, AWS keeps the data in its own "back-end" database. The students' action claimed that AWS violated portions of the BIPA that regulate the “possession” and “collection” of biometric data and require published protocols for retaining or destroying the data once it has been used and for providing notice and obtaining consent. AWS moved to dismiss the case, and the court denied AWS’s motion. The court rejected AWS’s argument that it did not actually collect or possess the students’ biometric data but only provided the ability for ProctorU to do so. According to the court, the plaintiffs’ "allegations meet the common definition of the term 'possession.'" Id. at *3. Similarly, the court determined the students made a sufficient case that AWS collected their data before possessing it, despite the company's argument that it did not. AWS also argued "it has done everything it possibly can to comply with the statute" by requiring its customers, through the company’s terms of use, to comply with the law. The court pointed out that Amazon could and should have done more. Id. at *10 ("The court is not convinced that Amazon's inclusion of a
16
© Duane Morris LLP 2024
Duane Morris Privacy Class Action Review – 2024
Made with FlippingBook - professional solution for displaying marketing and sales documents online