Duane Morris Privacy Class Action Review – 2024

catch-all provision requiring its customers to comply with the law generally is enough to satisfy its legal obligations under [the] BIPA.”). For example, the court noted that Amazon could have notified the students and obtained their consent during the image upload process "because plaintiffs are not 'total strangers' to Amazon." Id. at *6.

4. BIPA Privacy Rulings That Favor Defendants

Although the plaintiffs’ bar found a lot of success in 2023, it was not all roses for them. Defendants earned several hard-fought victories in cases brought under the BIPA that will add to the defendants’ bar’s arsenal of potential defenses to privacy claims.

In Mosby, et al. v. Ingalls Memorial Hospital, 2023 IL 129081 (Ill. Nov. 30, 2023), the Illinois Supreme Court held that the BIPA statute excludes from its scope data collected in two separate and distinct scenarios: (1) “information captured from a patient in a health care setting;” and (2) information collected “for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).” Unlike clause (1), the Supreme Court held that the exception in clause (2) is not limited to data obtained from patients and serves to exclude information that originates from any source.

The plaintiffs in Mosby were nurses who claimed that their hospital-employers required them to use a fingerprint-based medication-dispensing system to verify their identities. The plaintiffs sued their employers and the company that distributed the medication-dispensing system, alleging that the defendants violated §§ 15(a), 15(b), and 15(d) of the BIPA by using the medical-station scanning device to collect, use, and/or store their “finger-scan data” without complying with the BIPA’s notice-and-consent requirements and by disclosing their purported biometric data to third parties without first obtaining their consent.
The defendants moved to dismiss in the trial court, arguing that the claims failed because the plaintiffs’ data was specifically excluded from the BIPA’s scope under § 10 of the statute, which states that “[b]iometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA].” 740 ILCS 14/10. The defendants argued that the latter clause applied in that the plaintiffs’ fingerprints had been used in connection with the plaintiffs providing medicine to patients, meaning their fingerprints were “collected, used, or stored for health care treatment, payment, or operations under [the HIPAA].” Id.

The trial court denied the defendants’ motions. It ruled that § 10’s “health care exception” was limited to patient information protected under the HIPAA and that the exclusion does not extend to information collected from health care workers.

On appeal, the First District of the Illinois Appellate Court affirmed the denial of the defendants’ motions to dismiss. Echoing the trial court, the Appellate Court determined that the biometric data of health care workers was not excluded from the BIPA’s scope and that the relevant provision of § 10 excluded from the BIPA’s protections “only patient biometric information.” Mosby, 2023 IL 129081, ¶ 16; see id. ¶ 17 (“[T]he Appellate Court held that ‘the plain language of the statute does not exclude employee information from the [BIPA’s] protections because they are neither (1) patients nor (2) protected under HIPAA.’”) (citation omitted).

Appellate Court Judge Mikva dissented from the majority’s opinion. Judge Mikva opined that the legislature meant to exclude from the BIPA’s scope the biometric data of health care workers “where that information is collected, used, or stored for health care treatment, payment, or operations, as those functions are defined by the HIPAA.” Id. ¶ 19 (citation omitted).
Judge Mikva expressed the view that the first part of § 10’s “health care exception” excludes from the BIPA’s coverage information from a particular source (i.e., patients in a health care setting) and that the second part excludes information used for particular purposes (i.e., health care treatment, payment, or operations), regardless of the source of that information. On further appeal, the Illinois Supreme Court agreed with Appellate Court Judge Mikva’s dissent,


© Duane Morris LLP 2024
