Fox v. Dakkota Integrated Systems, LLC, No. 20-2782 (7th Cir. 2020)
Annotate this Case
Justia Opinion Summary
Want to stay in the know about new opinions from the Seventh Circuit US Court of Appeals?
Sign up for free summaries delivered directly to your inbox. Learn More ›
You already receive new opinion summaries from Seventh Circuit US Court of Appeals. Did you know we offer summary newsletters for even more practice areas and jurisdictions? Explore them here.
The Illinois Biometric Information Privacy Act regulates the collection, use, retention, disclosure, and dissemination of biometric identifiers (fingerprints, retina and iris scans, hand scans, and facial geometry). Fox's employer, Dakkota, required employees to clock in and out by scanning their hands on a biometric timekeeping device. Dakkota used third-party software to capture that data, which was stored in a third-party's database. Fox alleges that Dakkota did not obtain her informed written consent before collecting her biometric identifiers, unlawfully disclosed or disseminated her biometric data to third parties without her consent, failed to develop, publicly disclose, and implement a data-retention schedule and guidelines for the permanent destruction of its employees’ biometric identifiers, and failed to permanently destroy her biometric data when she left the company. Fox was represented by a union at Dakkota, The judge dismissed two counts as preempted by the Labor Management Relations Act, but remanded the section 15(a) claim to state court.
The Seventh Circuit reversed the remand order. Fox’s section 15(a) claim does not allege a mere procedural failure to publicly disclose a data-retention policy but alleges a concrete and particularized invasion of her privacy interest in her biometric data stemming from Dakkota’s violation of its section 15(a) duties to develop, publicly disclose, and comply with data retention and destruction policies. Her allegations plead an injury in fact for purposes of Article III. The invasion of a legally protected privacy right, though intangible, is personal and real, not general and abstract.
Download PDF
In the United States Court of Appeals For the Seventh Circuit ____________________ No. 20-2782 RAVEN FOX, Plaintiff-Appellee, v. DAKKOTA INTEGRATED SYSTEMS, LLC, Defendant-Appellant. ____________________ Appeal from the United States District Court for the Northern District of Illinois, Eastern Division. No. 19 C 2872 — Charles P. Kocoras, Judge. ____________________ ARGUED OCTOBER 29, 2020 — DECIDED NOVEMBER 17, 2020 ____________________ Before SYKES, Chief Judge, and WOOD and BRENNAN, Circuit Judges. SYKES, Chief Judge. As its name suggests, the Illinois Biometric Information Privacy Act (“BIPA” or “the Act”) protects a person’s privacy interests in his biometric identifiers, including fingerprints, retina and iris scans, hand scans, and facial geometry. See 740 ILL. COMP. STAT. 14/1 et seq. (2008). Section 15 of the Act comprehensively regulates the collection, use, retention, disclosure, and dissemination of bio- 2 No. 20-2782 metric identifiers. Id. § 14/15. Section 20 provides a right of action for persons aggrieved by a violation of the statute. Id. § 14/20. This appeal requires us to decide a question of Article III standing for a claimed violation of section 15(a), which requires a private entity in possession of biometric data to develop, publicly disclose, and implement a retention schedule and guidelines for destroying the data when the initial purpose for collection ends. Id. § 14/15(a). In Bryant v. Compass Group USA, Inc., we addressed standing to sue for two BIPA claims: (1) a violation of section 15(b), the Act’s informed-consent provision; and (2) a violation of one part of section 15(a)—namely, the duty to publicly disclose a data-retention policy. 958 F.3d 617, 619 (7th Cir. 2020). We held that the plaintiff had standing to pursue the section 15(b) claim, but our view of the section 15(a) claim was different. Id. at 626. The plaintiff had not alleged any concrete and particularized harm from the defendant’s failure to publicly disclose a data-retention policy, so we held that she lacked standing on that claim. Id. The latter holding was quite limited. We cautioned that our analysis was confined to the narrow violation the plaintiff alleged; we did not address standing requirements for claims under other parts of section 15(a). This appeal raises the question reserved in Bryant. Raven Fox filed a proposed class action in state court alleging that Dakkota Integrated Systems, her former employer, collected, used, retained, and disclosed her handprint for its timekeeping system. She raised several claims under BIPA, but the one that concerns us here accuses Dakkota of violating section 15(a). No. 20-2782 3 Dakkota removed the case to federal court under the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1453, and moved to dismiss the claims as preempted by federal labor law. The district judge read Bryant to foreclose Article III standing for section 15(a) claimants, so he remanded that claim to state court and dismissed the others. The remand order was a mistake. Unlike in Bryant, Fox’s section 15(a) claim does not allege a mere procedural failure to publicly disclose a data-retention policy. Rather, Fox alleges a concrete and particularized invasion of her privacy interest in her biometric data stemming from Dakkota’s violation of the full panoply of its section 15(a) duties—the duties to develop, publicly disclose, and comply with data retention and destruction policies—resulting in the wrongful retention of her biometric data after her employment ended, beyond the time authorized by law. These allegations suffice to plead an injury in fact for purposes of Article III. The invasion of a legally protected privacy right, though intangible, is personal and real, not general and abstract. Because the section 15(a) claim was properly in federal court, we reverse the remand order and return the case to the district court for consideration of the preemption question. I. Background We recount the facts as alleged in the class-action complaint, accepting them as true for present purposes. From 2012 to 2019, Raven Fox worked for Dakkota Integrated Systems, an automotive supplier with several locations in the Midwest. Throughout her employment Fox was a “Team Lead” at Dakkota’s Chicago plant. Dakkota required employees, including Fox, to clock in and out of work by scanning their hands on a biometric timekeeping device. 4 No. 20-2782 Dakkota used third-party software to capture employees’ biometric data, which were then stored in a timekeeping database administered by a third party. Though not specifically alleged in the complaint, it’s undisputed that Fox was represented by a union during her employment. To understand Fox’s claims, an overview of the Illinois biometrics statute is helpful. The General Assembly enacted BIPA in 2008 in response to the growing use of biometrics “in the business and security screening sectors,” especially in Chicago and other locations in Illinois that were then emerging “as pilot testing sites for new applications of biometricfacilitated financial transactions.” 740 ILL. COMP. STAT. 14/5(a), (b). The legislative findings include a section regarding the immutability of biometric identifiers and the associated heightened risk of identity theft: Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions. Id. § 14/5(c). The legislative findings also acknowledge that “[t]he full ramifications of biometric technology are not fully known.” Id. § 14/5(f). Accordingly, the General Assembly found that “[t]he public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” Id. § 14/5(g). No. 20-2782 5 To that end, section 15(b) of the Act prohibits private entities from collecting, capturing, or otherwise obtaining a person’s biometric identifiers or information without the person’s informed written consent. Id. § 14/15(b). The informed-consent regime bars the collection of biometric identifiers or information unless the collector first informs the person “in writing of the specific purpose and length of term for which [data are] being collected, stored, and used” and “receives a written release” from the person or his legally authorized representative. Section 15(d) prohibits the disclosure, redisclosure, or dissemination of stored biometric identifiers or information without the consent of the person or his legally authorized representative. Id. § 14/15(d). Most relevant here, the Act also imposes obligations regarding the retention and destruction of biometric identifiers and information. Section 15(a) of the Act provides: A private entity in possession of biometric identifiers or information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first. Additionally, a private entity in possession of biometric identifiers or information “must comply” with a dataretention schedule and destruction guidelines “[a]bsent a valid warrant or subpoena” to the contrary. Id. § 14/15(a). 6 No. 20-2782 The term “biometric identifier” is defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Id. § 14/10. Finally, the Act provides a cause of action for persons aggrieved by a violation and permits the court to award injunctive relief, actual or statutory damages, and attorney’s fees. Id. § 14/20. With the legal background in place, we return to the complaint. Fox alleges that Dakkota did not obtain her informed written consent before collecting her biometric identifiers as required by the Act and unlawfully disclosed or disseminated her biometric data to unnamed third parties without her consent—including to a third-party administrator that hosted the employees’ biometric data in its data center. She further alleges that Dakkota failed to develop, publicly disclose, and implement a data-retention schedule and guidelines for the permanent destruction of its employees’ biometric identifiers. Finally, she alleges that Dakkota failed to permanently destroy her biometric data when she left the company and still has not done so. Fox filed her suit in state court as a proposed class action. Count I alleges a violation of section 15(a) premised on Dakkota’s failure to develop, publicly disclose, and comply with a retention schedule and destruction guidelines for the biometric data it collects from its employees. Counts II and III allege violations of sections 15(b) and (d) premised on Dakkota’s failure to obtain informed consent before collecting biometric data and its failure to obtain consent to disclose or disseminate the data to third parties. Dakkota removed the suit to federal court under CAFA and moved to dismiss all three claims as preempted by the Labor Management Relations Act, 29 U.S.C. §§ 141–197 No. 20-2782 7 (“LMRA”). Because Fox was represented by a union when she worked for Dakkota, the preemption argument relied on our recent decision in Miller v. Southwest Airlines Co., which held that similar BIPA claims by unionized airline employees were preempted by the federal Railway Labor Act. 926 F.3d 898, 902–03 (7th Cir. 2019). The judge agreed in part and dismissed Counts II and III, the section 15(b) and (d) claims, as preempted by the LMRA. But he remanded the section 15(a) claim to state court sua sponte, construing our decision in Bryant to mean that a violation of that section of the statute is insufficient to support standing to sue in federal court. Dakkota sought reconsideration of the remand order on Count I, but the judge denied the motion. Dakkota petitioned this court for permission to appeal, as CAFA permits. We granted that request. II. Discussion An order remanding a case to state court normally cannot be appealed. 28 U.S.C. § 1447(d). But in cases removed under CAFA, we may accept an appeal from an order granting or denying a motion to remand. Id. § 1453(c)(1). 1 1 The district court’s jurisdiction rested on diversity of citizenship. 28 U.S.C. § 1332. CAFA’s minimal-diversity requirement is satisfied because Fox is a citizen of Illinois and Dakkota’s members are citizens of Michigan and Canada; the amount-in-controversy requirement is satisfied because the class seeks over $5 million in damages. Id. § 1332(d). Federal-question jurisdiction provides additional support for removal. Under the complete-preemption doctrine, “a plaintiff’s state cause of action [can be recast] as a federal claim for relief making [its] removal [by the defendant] proper on the basis of federal question jurisdiction.” Vaden v. Discover Bank, 556 U.S. 49, 61 (2009) (alterations in original) (quotation marks omitted). 8 No. 20-2782 The judge’s remand decision flows from his conclusion that Bryant defeats Article III standing for violations of BIPA’s section 15(a). We review that decision de novo. See, e.g., Cook County v. Wolf, 962 F.3d 208, 218 (7th Cir. 2020). A. Article III Standing The federal judiciary is empowered to decide “Cases” and “Controversies,” U.S. CONST. art. III, § 2, a limitation that confines federal courts to hearing only those disputes that are sufficiently concrete and presented in a form historically recognized as appropriate for judicial resolution, DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 341 (2006). To invoke the adjudicative power of a federal court, the plaintiff must plead (and later establish) standing to sue, a requirement “rooted in the traditional understanding of a case or controversy.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016). Where, as here, a case is removed from state court, the roles are reversed and the burden flips: In this procedural posture, the defendant, as the proponent of federal jurisdiction, must establish the plaintiff’s Article III standing. Bryant, 958 F.3d at 620. The elements of standing are familiar. “The plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, 136 S. Ct. at 1547. The injury-in-fact requirement is usually the main event in litigation over standing, and it’s the only element at issue here. The test for injury in fact asks whether the plaintiff has “suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Id. at No. 20-2782 9 1548 (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992)). A “particularized” injury is one that “affect[s] the plaintiff in a personal and individual way.” Lujan, 504 U.S. at 560 n.1. A generalized grievance shared by all members of the public will not suffice. DaimlerChrysler, 547 U.S. at 342–44. To qualify as “concrete,” an injury must be “real, … not abstract.” Spokeo, 136 S. Ct. at 1548 (quotation marks omitted). “[T]hat is, it must actually exist.” Id. Concrete injuries can be either tangible or intangible. Id. at 1549. Tangible injuries are easy to recognize; monetary losses and physical harms to persons or property are common examples. Id. Intangible injuries can be conceptually more difficult. And claims of an intangible injury from a statutory violation are more difficult still. Congress or a state legislature may identify and elevate historically noncognizable intangible harms to the status of cognizable injuries, but it does not follow that the injury-in-fact requirement is satisfied whenever a statute confers a right or imposes a duty and creates a cause of action for a violation. Id. As the Supreme Court made crystal clear in Spokeo, “Article III standing requires a concrete injury even in the context of a statutory violation.” Id. To determine whether an intangible harm satisfies the injury-in-fact requirement in a statutory case, both the legislature’s judgment and historical judicial practice “play important roles.” Id. Legislative judgment is “instructive and important” to discerning concrete cognizable injuries, but it’s not conclusive. Id. Because standing is a constitutional requirement, a legislature “cannot erase Article III’s standing requirements by statutorily granting the right to sue to a 10 No. 20-2782 plaintiff who would not otherwise have standing.” Id. at 1548 (quotation marks omitted). By way of example, Spokeo explained that if a plaintiff pleads a statutory claim but alleges only a “bare procedural violation, divorced from any concrete harm,” he will not have satisfied the injury-in-fact requirement. Id. at 1549. B. Article III Standing and BIPA Three recent BIPA cases hold the keys to the standing question. We’ve already mentioned Bryant and Miller. The third case is Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019), a Ninth Circuit decision in a BIPA case originating in the Northern District of California. We’ll discuss the cases in chronological order, starting with Miller. Miller involved two class actions by unionized airline employees who were required to clock in and out of work by scanning their fingerprints. 926 F.3d at 901. The employees alleged that the airlines violated sections 15(a) and (b) of BIPA by failing to obtain informed consent before collecting and using their fingerprints in the biometric timekeeping systems, and by failing to maintain and publish dataretention protocols. The suits were filed in state court, but the airlines removed them to federal court and moved to dismiss, arguing that the claims were preempted by the Railway Labor Act, 45 U.S.C. §§ 151–188, which despite its name also applies to air carriers. Miller, 926 F.3d at 901–02. Turning first to the question of standing, we concluded that the suits alleged an injury that was sufficiently concrete to confer Article III standing because the collection and use of biometrics for timekeeping is a subject of collective bargaining between unions and management: No. 20-2782 11 [T]he stakes in both suits include whether the air carriers can use fingerprint identification. If the unions have not consented, or if the carriers have not provided unions with required information, a court or adjustment board may order a change in how workers clock in and out. The prospect of a material change in workers’ terms and conditions of employment gives these suits a concrete dimension that Spokeo … lacked. Either the discontinuation of the practice, or the need for the air carriers to agree to higher wages to induce unions to consent, presents more than a bare procedural dispute. Id. at 902 (emphasis added). Moving on to the preemption question, we held that the BIPA claims belonged before an adjustment board pursuant to the Railway Labor Act, which governs “topics for bargaining between unions and management” such as how workers clock in and out. Id. at 903. Because Illinois “cannot bypass the mechanisms of the Railway Labor Act and authorize direct negotiation or litigation between workers and management,” we held that the BIPA claims were preempted. Id. Next in line is Patel. The plaintiffs there sued Facebook for BIPA violations stemming from its “Tag Suggestions” feature, which uses facial-recognition technology to identify whether a user’s Facebook friends are depicted in an uploaded photo. Patel, 932 F.3d at 1268. Several Illinois Facebook users filed a class action alleging violations of sections 15(a) and (b) based on Facebook’s failure to maintain and publicly disclose a data-retention schedule and data-destruction guidelines, and its failure to obtain written 12 No. 20-2782 informed consent before collecting and using biometrics. Id. at 1274. The Ninth Circuit held that the Facebook users’ injury was sufficiently concrete and particularized to support Article III standing. Id. The court reasoned that the Illinois statute protects individual privacy interests in biometric identifiers—that is, a person’s “right not to be subject to the collection and use of [his] biometric data.” Id. Looking to historical judicial practice, the court analogized the privacy injury from a BIPA violation to the privacy injury that has long been recognized as actionable at common law in a tort claim for invasion of privacy. Id. at 1272 (citing the RESTATEMENT (SECOND) OF TORTS § 652A (AM. L. INST. 1977)). The Facebook users “necessarily” suffered a concrete and particularized injury when Facebook did not obtain their informed consent before collecting their biometric data and failed to maintain data retention and destruction protocols to keep their biometric data private. Id. at 1274. The court concluded that because BIPA protects concrete privacy interests and the alleged violations of the statute “actually harm[ed] or pose a material risk of harm to those privacy interests,” the plaintiffs had alleged an injury in fact sufficient to confer Article III standing. Id. at 1275. Finally, in Bryant we returned to the question of Article III standing for claims raised under sections 15(a) and (b). Christine Bryant sued Compass Group USA, Inc., the owner and operator of “Smart Market” vending machines located in her workplace cafeteria. Bryant, 958 F.3d at 619–20. The vending machines did not accept cash. Instead, customers established a user account by scanning their fingerprints and setting up a payment link; they could then make pur- No. 20-2782 13 chases using a fingerprint scanner on the machines. Bryant voluntarily set up an account and regularly made purchases from the vending machines. She filed a proposed class action in state court accusing Compass Group of two BIPA violations: it “never made publicly available” a data-retention schedule and data-destruction guidelines, violating section 15(a), and it never obtained her informed consent in writing, violating section 15(b). Id. at 619. Compass Group removed the case to federal court, and like in Miller, Article III standing was contested. We distilled Miller’s core holding to this: “[The] union airline workers had standing to bring claims of violations of sections 15(a) and (b) of BIPA in federal court” because “they faced the ‘prospect of a material change in [their] terms and conditions of employment,’ if the employer, in light of [BIPA], had to bargain with the employee union to obtain employees’ consent or change how the employees clocked in.” Id. at 622 (quoting Miller, 926 F.3d at 902). But Miller did not resolve Bryant’s case because she was not a unionized employee and had not sued her employer; she was a vending-machine customer and had sued the vendor. Accordingly, we treated the standing issue as “a question of first impression.” Id. at 623. Like the Ninth Circuit in Patel, we reasoned that BIPA protects individual privacy interests in biometric data, and a violation of some of its provisions was akin to a tortious invasion of privacy. Id. In her section 15(b) claim, “Bryant was asserting a violation of her own rights—her fingerprints, her private information,” which “was an invasion of her private domain, much like an act of trespass would be.” Id. at 624. Compass Group’s failure to comply with the 14 No. 20-2782 informed-consent requirements of section 15(b) deprived Bryant of her right to make informed choices about the use of and control over her inherently sensitive biometric data. Id. at 626. That deprivation, we concluded, caused “a concrete injury-in-fact that is particularized to Bryant” and therefore satisfied the requirements for Article III standing. Id. We reached a different conclusion on the section 15(a) claim. Bryant alleged that Compass Group did not make data-retention and data-destruction policies publicly available. Id. That violation, we held, was insufficiently particularized to support Bryant’s standing. We explained that “the duty to disclose [data-retention policies] under section 15(a) is owed to the public generally, not to particular persons whose biometric information the entity collects.” Id. And because Bryant “allege[d] no particularized harm that resulted from Compass [Group’s] violation of section 15(a),” we concluded that she lacked Article III standing to pursue that claim in federal court. Id. Following a petition for rehearing in Bryant, we amended the opinion to clarify the limits of the section 15(a) holding. Bryant’s claim was extremely narrow, alleging only a violation of the section 15(a) duty to publicly disclose data retention and destruction protocols. We emphasized that “[o]ur analysis is thus limited to the theory she invoked” and did not address other provisions in section 15(a). Id. That clarification is important here. Fox’s section 15(a) claim is much broader than Bryant’s. She does not allege a mere failure to publicly disclose a data-retention policy. She accuses Dakkota of violating the full range of its section 15(a) duties by failing to develop, publicly disclose, and comply No. 20-2782 15 with a data-retention schedule and guidelines for the permanent destruction of biometric data when the initial purpose for collection ends. That violation, she alleges, resulted in the unlawful retention of her handprint after she left the company and the unlawful sharing of her biometric data with the third-party database administrator. An unlawful retention of biometric data inflicts a privacy injury in the same sense that an unlawful collection does. Just as section 15(b) expressly conditions lawful collection of biometric data on informed consent, section 15(a) expressly conditions lawful retention of biometric data on the continuation of the initial purpose for which the data was collected. The BIPA requirement to implement data retention and destruction protocols protects a person’s biometric privacy just as concretely as the statute’s informed-consent regime. It follows that an unlawful retention of a person’s biometric data is as concrete and particularized an injury as an unlawful collection of a person’s biometric data. If the latter qualifies as an invasion of a “private domain, much like an act of trespass would be,” Bryant, 958 F.3d at 624, then so does the former. Our decision in Gubala v. Time Warner Cable, Inc., 846 F.3d 909 (7th Cir. 2017), is not to the contrary. That case involved a claim against a cable-television provider for violation of a data-keeping provision in the Cable Communications Policy Act, 47 U.S.C. § 551(e). Id. at 910. The plaintiff was a former Time Warner Cable customer who alleged that the company failed to destroy the personal identifying information in his account file after he terminated his subscription, as the statute requires. We held that the plaintiff lacked standing because he did not allege that Time Warner had lost, leaked, 16 No. 20-2782 given away, disseminated, or otherwise misused his identifying information in any way that harmed him, or that the statutory violation created a materially appreciable risk of any such harm to him. Id. at 910–11. This case differs from Gubala for two reasons. First, keeping a former cable customer’s account information on file— his address, date of birth, telephone number, credit card and social security numbers—is not analogous to a tortious invasion of his right to privacy. It may be a procedural violation of the federal statute regulating cable companies, but absent a plausible allegation of harm or “a material risk of harm” from the violation, Spokeo, 136 S. Ct. at 1550, there’s no concrete injury and therefore no Article III standing, Gubala, 846 F.3d at 911 (citing Spokeo and explaining that “Gubala’s problem is that while he might well be able to prove a violation of section 551, he has not alleged any plausible (even if attenuated) risk of harm to himself from such a violation—any risk substantial enough to be deemed ‘concrete’”). In contrast, this case is about biometric identifiers, which are meaningfully different because they are immutable, and once compromised, are compromised forever—as the legislative findings in BIPA reflect. 2 That legislative judgment, though not conclusive, is “instructive and important.” Spokeo, 136 S. Ct. at 1549. A similar understanding of the 2 In Gubala the plaintiff’s date of birth was among the information the cable provider neglected to remove from his account. A date of birth is obviously unchangeable but is far less identifying than a retinal or iris scan, facial geometry, fingerprints, or handprints. No. 20-2782 17 inherent sensitivity of biometric data led to our conclusion in Bryant that a violation of BIPA’s provisions regulating the “collection, storage, and use” of biometrics “is closely analogous to historical claims for invasion of privacy.” 958 F.3d at 623. The Ninth Circuit said essentially the same thing in Patel. 932 F.3d at 1272–74. We see another distinction between this case and Gubala. Fox alleges that Dakkota’s unlawful retention of her biometric data includes an unlawful sharing of her data with a third-party database administrator with unknown security practices. There was no similar allegation of unlawful data sharing in Gubala. Fox also has Article III standing on Count I under a straightforward application of Miller. Recall that the Miller plaintiffs were unionized airline employees who accused their employers of violating sections 15(a) and (b). We held that the plaintiffs, as union members, had standing to pursue their claims in federal court because the collection, use, and retention of biometric data are topics for collective bargaining and could be used to win offsetting concessions on wages or other topics. Miller, 926 F.3d at 902. That was a concrete injury and was “independently sufficient” to establish standing, so we had no need to address whether the risk of misuse of the employees’ stored biometrics “itself suffices for standing.” Id. at 903. Fox’s circumstances are indistinguishable. Because Fox was represented by a union and that union had the prospect of making material improvements in the way BIPA was implemented, Miller’s reasoning applies with equal force here. We add that as Bryant illustrates, people whose claims do not arise directly from an employment relationship might 18 No. 20-2782 also have a prospect of material improvements, depending on the circumstances. We can safely save that situation for another day when we have a case with those facts. For these two separate and independent reasons, Fox has standing to litigate her section 15(a) claim in federal court, so the judge’s remand order must be reversed. There remains the question whether section 15(a) is preempted by the LMRA. See id. at 904–06. The judge did not address this issue, and the parties did not brief it here. Although the answer appears to flow directly from Miller, we prefer to remand to the district court to address the issue in the first instance. REVERSED AND REMANDED
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
