Dorian v. Amazon Web Services Inc, No. 2:2022cv00269 - Document 89 (W.D. Wash. 2023)
Court Description: ORDER denying Defendant's 45 Motion to Dismiss. Signed by Judge John H. Chun. (LH)
Download PDF
<![CDATA[
Dorian v. Amazon Web Services Inc Doc. 89 1 2 3 4 5 UNITED STATES DISTRICT COURT WESTERN DISTRICT OF WASHINGTON AT SEATTLE 6 7 8 9 AVELARDO RIVERA and YASMINE ROMERO, individually and on behalf of all others similarly situated, 12 ORDER Plaintiffs, 10 11 CASE NO. 2:22-cv-00269 v. AMAZON WEB SERVICES, INC., Defendant. 13 14 I 15 INTRODUCTION 16 This matter comes before the Court on Defendant Amazon Web Services, Inc.’s 17 (“Amazon”) motion to dismiss. Dkt. # 45. The Court has considered the submissions in support 18 of, and in opposition to, the motion, the rest of the case file, and the applicable law. Being fully 19 advised, the Court DENIES the motion. 20 21 22 23 24 ORDER - 1 Dockets.Justia.com 1 II 2 BACKGROUND 3 “Biometrics” refers to technologies used to identify an individual based on unique 4 physical characteristics. Dkt. # 88 at 3. 1 One of the most prevalent uses of biometrics is facial 5 recognition technology, which works by scanning an image for a human face, extracting facial 6 feature data, generating a “faceprint” through the use of facial recognition algorithms, and 7 comparing the resultant faceprint to other faceprints stored in a faceprint database. Id. Amazon 8 is one of many companies that have developed and produced facial recognition products. Id. at 9 5–11. Amazon’s product, Rekognition, allows customers to add image and video facial 10 recognition analysis to their applications, products, and services. Id. at 5. To do so, the 11 customer must upload electronic images or videos to its Amazon cloud-storage accounts (also 12 known as “S3 buckets”) and then run a command within Rekognition called “index-faces” to 13 extract biometric data from those images. Id. at 8. The customer can then use Rekognition to 14 identify people within the images. Id. at 5–10. After the biometric data is extracted, it is stored 15 in an Amazon back-end database called a Rekognition “collection.” Id. at 8. One such customer 16 that uses Rekognition is ProctorU Inc., a company that develops and licenses online test 17 proctoring software for use by students and educational facilities. Id. at 10. 18 Plaintiffs Avelardo Rivera and Yasmine Romero are citizens and residents of Illinois who 19 took multiple remote tests while attending two colleges in Illinois in 2019–2020. Dkt. # 88 at 2, 20 11. Both colleges used a proctoring software developed by ProctorU to administer the tests. Id. 21 at 10–11. In order to identify Plaintiffs, the ProctorU software required them to submit their 22 23 24 1 For the purposes of a motion to dismiss, the Court accepts all well-pleaded allegations in Plaintiffs’ complaint as true and draws all reasonable inferences in favor of Plaintiffs. See Wyler Summit P’ship v. Turner Broad. Sys., Inc., 135 F.3d 658, 661 (9th Cir. 1998). ORDER - 2 1 images as well as images of valid identification documents. Id. at 11–12. Unbeknownst to 2 Plaintiffs, the ProctorU software then used Amazon’s Rekognition program to perform facial 3 recognition on them and verify their identities. Id. Plaintiffs did not receive notice from 4 Amazon, through ProctorU or otherwise, that Amazon was collecting, storing, or otherwise using 5 their biometric data. Id. Plaintiffs were not asked for, nor did they provide, consent for Amazon 6 to store, collect, or otherwise use their biometric data. Id. Plaintiffs allege that at no time while 7 possessing their biometric data did Amazon maintain a publicly available retention and deletion 8 schedule for biometric data. Id. They also allege that Amazon failed to destroy their biometric 9 data after the initial purpose for collecting or maintaining their data had been satisfied. Id. 10 Plaintiffs bring a class action suit against Amazon for violating Illinois’s Biometric 11 Information Privacy Act, 740 ILCS 14/1, et seq. (“BIPA”), which regulates the collection, 12 storage, and use of biometric identifiers and biometric information (collectively, “biometric 13 data”). See generally Dkt. # 88. Specifically, Plaintiffs allege that Amazon violated section 14 15(a) and 15(b) of BIPA by possessing their biometric data without publishing or complying 15 with a “retention schedule or guideline for permanently destroying Plaintiffs’ and the Class’s 16 biometric data after the initial purpose for collecting or obtaining their biometric data had been 17 satisfied,” and by “collecting” the same data without providing adequate notice and obtaining 18 their consent. Id. at 15–17. 19 Former lead plaintiff Jacinda Dorian filed her complaint in federal court on March 22, 20 2022. Dkt. # 1. Amazon filed its first motion to dismiss on May 16, 2022. Dkt. # 21. Amazon 21 filed a motion to stay discovery on July 12, 2022, which the Court denied on August 8, 2022. 22 Dkt. ## 29, 33. On August 30, 2022, Dorian moved to amend her complaint to substitute 23 putative class members Avelardo Rivera (“Rivera”) and Yasmine Romero (“Romero”) in her 24 place as the lead plaintiffs. Dkt. # 40. The Court granted the motion on September 20, 2022, ORDER - 3 1 and Plaintiffs Rivera and Romero filed an amended complaint on the same day. Dkt. ## 43, 44. 2 Amazon moved to dismiss Plaintiffs’ First Amended Complaint (“FAC”) on October 19, 2022. 3 Dkt. # 45. On July 17, 2023, the Court directed the parties to submit supplemental briefing 4 regarding whether Plaintiffs have Article III standing to pursue their claims under Section 15(a) 5 of BIPA. Dkt. # 79. On July 20, 2023, the parties filed a Stipulated Motion for Leave for 6 Plaintiffs to File a Second Amended Complaint. Dkt. # 80. The Court granted the motion on 7 July 21, 2023. Dkt. # 81. Plaintiffs filed their Second Amended Complaint (“SAC”) on July 26, 8 2023. Dkt. # 88. 9 III 10 DISCUSSION 11 When considering a motion to dismiss under Rule 12(b)(6), the Court construes the 12 complaint in the light most favorable to the nonmoving party. Livid Holdings Ltd. v. Salomon 13 Smith Barney, Inc., 416 F.3d 940, 946 (9th Cir. 2005). The Court must accept all well-pleaded 14 facts as true and draw all reasonable inferences in favor of the plaintiff. Wyler Summit P’ship, 15 135 F.3d at 661. The Court, however, is not required “to accept as true allegations that are 16 merely conclusory, unwarranted deductions of fact, or unreasonable inferences.” Sprewell v. 17 Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001). “To survive a motion to dismiss, a 18 complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is 19 plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. 20 Twombly, 550 U.S. 544, 570 (2007)). “A claim has facial plausibility when the plaintiff pleads 21 factual content that allows the court to draw the reasonable inference that the defendant is liable 22 for the misconduct alleged.” Iqbal, 556 U.S. at 677–78. Dismissal under Rule 12(b)(6) can be 23 based on the lack of a cognizable legal theory or the lack of sufficient facts alleged under a 24 cognizable legal theory. Balistreri v. Pacifica Police Dep’t, 901 F.2d 696, 699 (9th Cir. 1988). ORDER - 4 1 2 3 Amazon moves to dismiss all of Plaintiffs’ claims in its instant motion. Dkt. # 45. A. Article III Standing As an initial matter, the Court is satisfied that Plaintiffs’ SAC alleges sufficient facts to 4 establish Article III standing on their Section 15(a) claim. Plaintiffs amended their complaint to 5 allege that, in addition to failing to maintain a BIPA-compliant retention and deletion schedule, 6 Amazon also failed to destroy Plaintiffs’ data after the initial purpose for collecting or 7 maintaining their data bad been satisfied. Dkt. # 88 at 11–12. The Seventh Circuit has held that 8 such allegations establish Article III standing for a 15(a) claim. See Fox v. Dakkota Integrated 9 Sys., LLC, 980 F.3d 1146, 1149 (7th Cir. 2020) (“Fox alleges a concrete and particularized 10 invasion of her privacy interest in her biometric data stemming from Dakkota’s violation of the 11 full panoply of its section 15(a) duties . . . [t]hese allegations suffice to plead an injury in fact for 12 purposes of Article III.”). Satisfied that Plaintiffs have established Article III standing, the Court 13 turns to each of Amazon’s arguments for dismissal. 2 14 15 B. Definitions of “possess” and “collect” Section 15(a) of BIPA applies only to private entities “in possession of” biometric data. 16 740 ILCS 14/15(a). Amazon argues that Plaintiffs’ complaint does not allege facts showing that 17 it “possessed” their data under 15(a). Dkt. # 45 at 12. Similarly, section 15(b) of BIPA is only 18 triggered by those who “collect, capture, purchase, receive through trade, or otherwise obtain” 19 biometric data, and Amazon argues that Plaintiffs’ complaint does not allege facts showing that 20 Amazon did so. Id. at 17 (citing 740 ILCS 14/15(b)). 21 22 23 24 2 The parties agree in their stipulated motion that, given the limited amendments in the SAC, the previous briefing on the motion to dismiss remains sufficient. Dkt. # 80 at 3. In the interest of resolving the motion as expeditiously as possible, the Court will not require the parties to re-file duplicative briefs. ORDER - 5 1 i. 2 BIPA does not define “possession.” See generally 740 ILCS 14/1 et seq. The Court 3 therefore “assumes the legislature intended for it to have it popularly understood meaning.” 4 Rosenbach v. Six Flags Ent. Corp., 129 N.E.3d 1197, 1205 (Ill. 2019) (citations omitted). The 5 Illinois Supreme Court has held that possession “occurs when a person has or takes control of the 6 subject property or holds the property at his or her disposal.” People v. Ward, 830 N.E.2d 556, 7 560 (Ill. 2005). The Ward court elaborated that the legislature did not intend for the reader “to 8 delve into the legal intricacies of the word ‘possession,’” and noted the fact that possession does 9 not require exclusive control over property. Id. at 561. Here, the Court similarly finds no 10 Possession indication that the ordinary meaning of possession does not apply. 11 Amazon’s main argument is that, because it acted only as a back-end service provider, it 12 did not even know of the presence of biometric data in ProctorU’s S3 buckets, let alone exercise 13 control over that data. Dkt. # 45 at 12–17. Instead, it states that only ProctorU “possessed” 14 Plaintiffs’ data within the meaning of BIPA. Id. at 14. Amazon cites several cases in which 15 courts have dismissed Section 15(a) claims against customers acting only in a service provider 16 capacity. See Heard v. Becton, Dickinson & Co., 440 F. Supp. 3d 960, 962 (N.D. Ill. 2020) 17 (“Heard I”); Jacobs v. Hanwha Techwin Am., Inc., No. 21 C 866, 2021 WL 3172967, at *3 (N.D. 18 Ill. July 27, 2021). Amazon also argues that Plaintiffs’ reading of section 15(a) would invite 19 absurd results because it would require Amazon to publish and comply with a retention and 20 deletion schedule for data that it does not access or use. Dkt. # 45 at 15–17. 21 The Court is unpersuaded by Amazon’s arguments. Plaintiffs have pleaded that, to use 22 Amazon’s Rekognition program, customers must “upload images to [Amazon]’s cloud-based 23 storage solution.” Dkt. # 88 at 8. They also allege after this upload occurs, Rekognition 24 “accesses the relevant images and uses its machine vision algorithms to extract the facial ORDER - 6 1 geometry of individuals pictured . . .” Id. Lastly, Plaintiffs allege that the “feature vectors of 2 facial geometry, as well as higher-order details such as whether a person is smiling, sad, or 3 disgusted, or is wearing eyeglasses or sunglasses, are then stored in an [Amazon] backend 4 database . . .” Id. The Court concludes that these allegations meet the common definition of the 5 term “possession.” 6 Courts have found possession to be sufficiently pleaded in analogous situations. For 7 example, in a case from the Northern District of Illinois, a plaintiff sued the manufacturer of a 8 medication dispensing system that required hospital workers to submit to a fingerprint scan to 9 obtain medication for distribution to patients. Heard v. Becton, Dickinson & Co., 524 F. Supp. 10 3d 831, 836 (N.D. Ill. 2021) (“Heard II”). After the court first dismissed the plaintiff’s 11 complaint, he filed a First Amended Complaint clarifying that when a user enrolls in the 12 medication dispensing system, the defendant stores their fingerprints on both the fingerprint 13 devices and the defendant’s servers. Id. at 840. The court found it significant that “the Pyxis 14 system is not hermetically sealed within a hospital; users’ biometric data flows back to BD’s 15 servers,” and found that the allegations plausibly supported the conclusion that defendant was “in 16 possession” of the users’ biometric data. Id. Similarly, Plaintiffs here have pleaded that 17 Amazon’s program Rekognition “accesses” their biometric data to perform facial recognition, 18 and then stores the same data on its back-end database, thereby making the data not hermetically 19 sealed within the ProctorU program. See Dkt. # 88 at 8. 20 The cases Amazon cites to support its position are distinguishable. In Heard I, the court 21 dismissed the plaintiff’s complaint because it “merely parrot[ed] the statutory language” as to the 22 defendant’s alleged possession of the plaintiff’s data. 440 F. Supp. 3d at 968. The court noted 23 that, although the plaintiff claimed that the defendant “stored” his biometric information, this 24 conclusory allegation did not allow the court to draw the reasonable inference that the defendant ORDER - 7 1 was “in possession” of his biometric data because the plaintiff did not explain whether the 2 defendant exercised any form of control over the data, whether the defendant could access the 3 data, or how the defendant allegedly received the data. Id. By contrast, here Plaintiffs 4 specifically allege that Amazon receives their data when it is uploaded to their cloud-based 5 storage. Dkt. # 88 at 8. Plaintiffs also allege that Amazon can access and control their data to 6 perform facial recognition using its Rekognition program. Id. Plaintiffs have therefore 7 supported their claim with substantially more factual allegations than the plaintiff in Heard I. 8 9 The other case cited by Amazon, Jacobs, involved a plaintiff who sued the manufacturer of security cameras installed at the entrance of a T.J. Maxx store in downtown Chicago. 10 2021 WL 3172967, at *1. In dismissing the plaintiff’s complaint, the court noted that the 11 plaintiff did “not allege that defendant installed the cameras, operated the cameras, or in any way 12 accesse[d] or control[led] T.J. Maxx’s security system,” and that a full reading of the plaintiff’s 13 complaint suggested that “defendant’s only alleged connection to those cameras was its role as 14 the manufacturer and distributor.” Id. at *2. In contrast, Plaintiffs here have alleged that 15 Amazon did more than just create the Rekognition program and sell it to ProctorU; they allege 16 that Amazon accessed their data during the facial recognition process and then stored their data 17 on its back-end database. Dkt. # 88 at 8. 18 Lastly, the Court notes that Amazon’s arguments about the practicality of creating and 19 complying with a retention and deletion schedule are unconvincing, especially at the motion to 20 dismiss phase, and arguably irrelevant to whether it has violated BIPA. As Judge Robart stated 21 in Vance-Amazon, “there is nothing absurd about requiring any entity that obtains such 22 information to comply with the safeguards that the Illinois legislature deemed necessary.” Vance 23 v. Amazon.com Inc., 525 F. Supp. 3d 1301, 1313 (W.D. Wash. 2021); see also Rosenbach, 129 24 N.E.3d at 1207 (“[W]hatever expenses a business might incur to meet the law’s requirements are ORDER - 8 1 likely to be insignificant compared to the substantial and irreversible harm that could result if 2 biometric identifiers are information are not properly safeguarded; and the public welfare, 3 security, and safety will be advanced. That is the point of the law.”). 4 5 The Court concludes that Plaintiffs’ SAC sufficiently supports the allegation that Amazon was “in possession” of their biometric data under section 15(a) of BIPA. 6 ii. Collection 7 BIPA does not define section 15(b)’s operative terms, which include “collect, capture, 8 purchase, receive through trade, or otherwise obtain.” 740 ILCS 14/15(b). 3 Amazon argues that 9 collection requires something more than mere possession, and that “something more” is an 10 affirmative act or active step. Dkt. # 45 at 17–18. To support this contention, Amazon cites the 11 structure of the statute, which includes the term “possession” in section 15(a) but not 15(b), as 12 well as several cases that distinguish between possession and collection. See Heard I, 440 F. 13 Supp. 3d at 965–66; Jacobs, 2021 WL 31772967, at *2; Namuwonge v. Kronos, Inc., 418 F. 14 Supp. 3d 279, 286 (N.D. Ill. 2019). Amazon argues that Plaintiffs’ complaint does not allege 15 that it took any “active step[s]” to collect their data. Dkt. # 45 at 18. 16 As an initial matter, it is unclear whether Amazon’s interpretation of the statute is correct. 17 At least one court has found that an entity may not “possess” biometric data without having first 18 “collected” such data. See Figueroa v. Kronos, Inc., 454 F. Supp. 3d 772, 783–84 (N.D. Ill. 19 2020). The Kronos court reasoned that Section 15(a) was likely intended to apply to entities that, 20 before BIPA’s effective date, already possessed biometric information, while Section 15(b) was 21 intended to cover only those entities that came into possession of such information after BIPA’s 22 effective date. Id. But even assuming Amazon’s reading is correct, Plaintiffs have alleged 23 24 3 For simplicity’s sake, the Court uses the word “collect” to encompass all the operative terms. ORDER - 9 1 sufficient facts to support the inference that Amazon “collected” their data. Specifically, 2 Plaintiffs allege that Amazon’s program, Rekognition, “accesses” images after they have been 3 uploaded, and “extract[s] the facial geometry of the individuals pictured into a feature vector.” 4 Dkt. # 88 at 8. Plaintiff also alleges that after this extraction of biometric data, Amazon stores 5 the feature vectors on its own back-end database. Id. 6 Amazon again cites Jacobs to support its position, but as explained above, that case 7 involved a defendant who merely manufactured and distributed security cameras to various T.J. 8 Maxx stores. 2021 WL 3172967, at *3. Therefore, defendant’s connection with the security 9 cameras was essentially severed at the point of sale, and they were not involved in any data 10 collection process that occurred once the cameras were installed. Conversely, here, Plaintiffs 11 allege that Amazon continues to act as the “cloud-service provider” for ProctorU, and thus is 12 able to “access” and “extract” biometric data that is uploaded to ProctorU’s S3 buckets. Dkt. # 13 88 at 8–10. Amazon also cites Namuwonge and Bernal, two cases in which defendants provided 14 plaintiffs’ employers with timekeeping systems that recorded and stored employee fingerprints. 15 Namuwonge., 418 F. Supp. 3d at 286; Bernal v. ADP, LLC, No. 2017-CH-12364, 2019 WL 16 5028609, at *1 (Ill.Cir.Ct. Aug. 23, 2019). The courts dismissed plaintiffs’ section 15(b) claims 17 because they failed to allege any facts showing that the defendants collected, captured, or 18 otherwise obtained their information. Id. But there, like in Jacobs, the plaintiffs did not allege 19 any involvement in the data collection process on the part of defendants, beyond simply 20 providing the technology to the plaintiffs’ employers. Here, by contrast and as noted above, 21 Plaintiffs allege that Amazon remains involved in the data collection process through 22 Rekognition’s “accessing” and “extraction” of biometric data and subsequent storage in their 23 back-end database. Dkt. # 88 at 8–10. 24 This case is more analogous to Heard II, where the court stated: ORDER - 10 1 2 3 4 The FAC alleges that when a user enrolls in the Pyxis system, the device scans the user’s fingerprint, extracts the unique features of that fingerprint to create a user template, and then stores users’ biometric information both on the device and in [defendant’s] servers. Data from subsequent scans are also stored on [defendant’s] servers. These allegations suggest that [defendant] itself plays an active role in collecting or otherwise obtaining users’ biometric information from the Pyxis devices. 5 Heard II, 524 F. Supp. 3d at 841. The defendant in Heard II, like in Namuwonge and Bernal, 6 provided a technology to a third party, who then used the technology to collect and store 7 plaintiffs’ biometric data. But what allowed the complaint in Heard II to survive a motion to 8 dismiss were the allegations that defendant continued to play an active role in “extract[ing]” and 9 “stor[ing]” users’ biometric data on their servers. The allegations here are quite similar to those 10 in Heard II, and the Court therefore concludes that Plaintiffs have pleaded sufficient facts to 11 support the inference that Amazon “collected” their data under Section 15(b). 12 Lastly, Amazon emphasizes the “absurd, inconvenient, [and] unjust consequences” that 13 Plaintiffs’ reading of BIPA would entail. Dkt. # 45 at 19 (citing Solon v. Midwest Med. Records 14 Ass’n., Inc., 925 N.E.2d 1113, 1118 (Ill. 2010)). In particular, Amazon contends that complying 15 with BIPA’s notice-and-consent requirement would be impracticable because Amazon “does not 16 interact directly with ProctorU’s end users or any of its customers’ end users.” Id. Amazon 17 points to Zellmer v. Facebook, Inc., a Northern District of California case in which the court 18 rejected a BIPA claim brought by non-users of Facebook against Facebook, because it would be 19 “patently unreasonable to construe BIPA to mean that” companies are “required to provide 20 notice to, and obtain consent from,” end users “who [are] for all practical purposes total 21 strangers” to the companies. No. 18-cv-01880, 2022 WL 976981, at *3 (N.D. Cal. Mar. 31, 22 2022). But Zellmer is distinguishable because Plaintiffs are not “total strangers” to Amazon; 23 rather, they are connected through ProctorU, and it is therefore not inconceivable that Amazon 24 ORDER - 11 1 could notify them and obtain their consent during the image upload process. The Court therefore 2 declines to dismiss Plaintiffs’ complaint on these grounds. 3 4 C. Illinois Extraterritoriality Doctrine In Illinois, statutes do not have extraterritorial effect “unless a clear intent in this respect 5 appears from the express provisions of the statute.” Avery v. State Farm Mut. Auto Ins. Co., 835 6 N.E.2d 801, 852–53 (Ill. 2005). BIPA does not contain a provision suggesting that it is intended 7 to apply extraterritorially. See generally 740 ILCS 14/1 et seq.; see also Vance-Amazon, 525 F. 8 Supp. 3d at 1307. But the Ninth Circuit has stated, in the context of an appeal of class 9 certification, that “it is reasonable to infer that the [Illinois] General Assembly contemplated 10 BIPA’s application to individuals who are located in Illinois, even if some relevant activities 11 occur outside the state.” Patel v. Facebook, Inc., 932 F.3d 1264, 1276 (9th Cir. 2019). To 12 determine whether a law is being applied extraterritorially, the Illinois Supreme Court has 13 instructed courts to consider whether the “circumstances relating to the transaction occur 14 primarily and substantially” in Illinois. Avery, 835 N.E.2d at 853. 15 Amazon contends that it cannot be held liable under BIPA because Plaintiffs have not 16 pleaded facts showing that Amazon “engaged in any conduct in Illinois, let alone that 17 [Amazon]’s conduct occurred ‘primarily and substantially’ in Illinois.” Dkt. # 45 at 21 (citing 18 Avery, 216 Ill.2d at 187). Amazon analogizes Plaintiffs’ claims to those in McGoveran, in which 19 the District of Delaware dismissed BIPA claims against Amazon under the extraterritoriality 20 doctrine. McGoveran v. Amazon Web Servs., Inc., No. 20-cv-1399, 2021 WL 4502089, at *3 (D. 21 Del. Sept. 30, 2021). There, the plaintiffs, all residents of Illinois, alleged that they called a third 22 party’s customer service representatives or call centers (located outside Illinois) from Illinois, 23 and that the third party used an Amazon program to extract biometric data from the calls. Id. at 24 *2. The court found that, at bottom, Plaintiff’s allegations simply established that they were ORDER - 12 1 residents of Illinois, and that a “plaintiff’s residency is not enough to establish an Illinois 2 connection in order to survive a motion to dismiss based on extraterritoriality.” Id. at *4. 3 Amazon also cites Vance v. Microsoft Corporation, where Judge Robart granted summary 4 judgment to Microsoft because discovery revealed that there was virtually no connection 5 between the claims and Illinois other than the plaintiffs’ residency. No. C20-1082-JLR, 2022 6 WL 9983979 (W.D. Wash. Oct. 17, 2022). 7 The Court concludes that the complaint in this case alleges facts beyond simply 8 Plaintiffs’ residency in Illinois. Plaintiffs also allege that they submitted their images and IDs 9 through ProctorU while in Illinois, presumably from an Illinois-based Internet Protocol (“IP”) 10 address. See Dkt. # 88 at 8–10. Given the other allegations in the complaint, these facts could 11 also support the inference that at least part of the data extraction process also occurred in Illinois. 12 Cf. In re Facebook Biometric Info Priv. Litig., 326 F.R.D. 535, 547 (N.D. Cal. 2018) (“[T]he 13 functionality and reach of modern online services . . . cannot be compartmentalized into neat 14 geographic boxes.”). Further, although the McGoveran court rejected the plaintiffs’ argument 15 that any failure to provide BIPA-compliant notice and obtain BIPA-compliant consent 16 “necessarily occurred in Illinois,” see McGoveran, 2021 WL 4502089, at *4 (“it really makes no 17 sense to assign a location for an act that did not occur.”), other courts, including the Illinois 18 Supreme Court, have found the location of purported failures or omissions to be relevant in 19 analyzing extraterritoriality. See, e.g., Avery, 835 N.E.2d at 854 (“The alleged deception in this 20 case—the failure to disclose the inferiority of non-OEM parts—also occurred in Louisiana”); 21 Rivera v. Google Inc., 238 F. Supp. 3d 1088, 1101–02 (N.D. Ill. 2017) (“Rivera and Weiss also 22 allege that it was in Illinois where Google failed to provide Rivera and Weiss with required 23 disclosures and failed to get Rivera’s and Weiss’s consent”). Lastly, Plaintiffs’ alleged injuries 24 and those of the proposed class members occurred in Illinois. See Dkt. # 88 at 11–12. ORDER - 13 1 The Court also notes that the inquiry of whether an alleged statutory violation occurs 2 primarily and substantially within a state is “a highly fact-based analysis that is generally 3 inappropriate for the motion to dismiss stage.” Vance v. Int’l Bus. Machs. Corp., No. 20 C 577, 4 2020 WL 5530134, at *3 (N.D. Ill. Sep. 15, 2020); Monroy v. Shutterfly, Inc., No. 16 C 10984, 5 2017 WL 4099846, at *6 (N.D. Ill. 2017) (holding that the extraterritoriality doctrine is better 6 addressed on a motion for summary judgment); Rivera, 238 F. Supp. 3d at 1101–02 (N.D. Ill. 7 2017) (“Discovery is needed to determine whether there are legitimate extraterritoriality 8 concerns”); Vance-Amazon, 525 F. Supp. 3d at 1309 (“[M]ore discovery is needed to explore 9 whether and to what extent Amazon’s alleged acts . . . occurred in Illinois.”). The Court thus 10 finds Amazon’s citation to Judge Robart’s summary judgment order in Vance-Microsoft to be 11 inapposite, since the court in that case had before it the full evidentiary record. Here, conversely, 12 the Court does not have a full understanding of how Amazon’s facial recognition technology 13 operates, and therefore cannot say with certainty that Plaintiffs’ suit would require extraterritorial 14 application of BIPA. In light of these factors, the Court declines to dismiss Plaintiffs’ complaint 15 on extraterritoriality grounds. 16 17 D. Financial Institution Exemption BIPA includes an exemption for “financial institutions.” See 740 ILCS 14/25(c) 18 (“Nothing in [BIPA] shall be deemed to apply in any manner to a financial institution or an 19 affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act 20 [“GLBA”].”). 4 Amazon argues that Plaintiffs’ colleges are financial institutions under the 21 22 23 24 4 Title V of the GLBA, 15 U.S.C. §§ 6801–6809, is a privacy law that regulates how financial institutions handle certain customer information. See 15 U.S.C. § 6801(a) (statement of policy); see also Am. Bar Ass'n v. FTC, 430 F.3d 457, 459 (D.C. Cir. 2005) (background). Under Title V, a “financial institution” is “any institution the business of which is engaging in financial activities,” such as “[l]ending, exchanging, transferring, investing for others, or safeguarding money or securities”; “[p]roviding financial, investment, or economic advisory services”; and “[u]nderwriting, dealing in, or making a market in securities.” 15 U.S.C. § 6809(3)(A); 12 U.S.C. § 1843(k)(4). ORDER - 14 1 exemption, and that applying BIPA to Amazon would have the practical effect of applying BIPA 2 to Plaintiffs’ colleges, in violation of Section 25(c). See Dkt. # 45 at 25–27. 3 First, as Amazon acknowledges, the law is unclear on whether Plaintiffs’ colleges do in 4 fact qualify as “financial institutions” subject to the GLBA. Compare Doe v. Northwestern 5 Univ., 586 F. Supp. 3d 841, 841–42 (N.D. Ill. 2022) and Duerr v. Bradley Univ., No. 21-CV- 6 01096, 2022 WL 1487747, at *7 (C.D. Ill. Mar. 10, 2022) with Patterson v. Respondus, Inc., 7 Nos. 20 C 7692, 21 C 1785, 21 C 2620, 2022 WL 860946, at *21 (N.D. Ill. Mar. 23, 2022). 5 But 8 even assuming they are, the Court cannot determine at this stage of briefing whether allowing 9 Plaintiffs’ claims to proceed would impermissibly apply BIPA’s requirements to the colleges. 6 10 Amazon’s contention is that requiring it to provide BIPA-compliant notice and obtain BIPA- 11 compliant consent from ProctorU’s end users would “necessarily interfere with the Colleges’ 12 [remote proctoring] activities, including by forcing the Colleges and ProctorU to redesign the 13 interfaces” through which students sign in to take a test. Dkt. # 45 at 27. But the Court can 14 imagine scenarios in which this would not be the case. For example, Amazon could create an 15 alert displaying BIPA-compliant notice at the point of photo upload, see Dkt. # 88 at 10, and 16 could instruct Rekognition not to run until it obtains the end user’s BIPA-compliant consent. 17 18 19 20 21 22 23 24 5 Amazon’s argument that Plaintiffs’ colleges are “financial institutions” under the 25(c) exemption relies on statements by the Consumer Financial Protection Bureau and the Federal Trade Commission. See, e.g., 12 C.F.R. § 1016.1(b)(2)(ii); Fed. Trade Comm’n Privacy of Consumer Financial Information, 65 Fed. Reg. 33646, 33648 (May 24, 2000) (explaining that institutions of higher learning may qualify as financial institutions because many are significantly engaged in lending funds to consumers through financial aid programs). But at least one court has declined to follow this statement because it was not promulgated under the FTC’s rulemaking authority. See Patterson, 2022 WL 860946, at *21–22, *22 n. 19. Further, the question of whether Plaintiffs’ colleges are significantly engaged in lending funds to consumers could be a question of fact unsuitable for resolution on a motion to dismiss. Id; see also Fee v. Illinois Inst. of Tech., No. 21-CV-02512, 2022 WL 2791818, at *5 (N.D. Ill. July 15, 2022). 6 The Court notes that in all of Amazon’s cited cases, the plaintiffs sued their schools directly, see generally Northwestern Univ., 546 F. Supp. 3d 841; Duerr, 2022 WL 1487747, while here, Plaintiffs’ schools are not parties to this action. ORDER - 15 1 The Court does not see how providing such notice and obtaining such consent (or alternatively, 2 requiring ProctorU to provide such notice and obtain such consent) before running Rekognition 3 would “subject the Colleges’ remote proctoring activities to all of BIPA’s requirements,” Dkt. # 4 45, as the colleges themselves would not have to publish their own retention and deletion 5 schedule, would still be able to choose to use ProctorU for online examinations, and would not 6 have to obtain their own notice and consent from students. In sum, without the benefit of 7 additional evidence and briefing, the Court cannot resolve whether allowing Plaintiffs’ claims to 8 proceed would practically result in a violation of Section 25(c). 9 10 E. Definition of “aggrieved” BIPA provides that “[a]ny person aggrieved by a violation of this Act shall have a right 11 of action in a State circuit court or as a supplemental claim in federal district court against an 12 offending party.” 740 ILCS 14/20. Amazon argues that Plaintiffs are not “aggrieved” parties 13 because their legal rights have not been “adversely affected” or “invaded” by Amazon’s conduct. 14 Dkt. # 45 at 28 (citing Rosenbach, 129 N.E.3d at 1205). Amazon cites Bryant v. Compass Grp. 15 USA, Inc. for the proposition that “the duty to disclose under section 15(a) is owed to the public 16 generally, not to particular persons.” 958 F.3d 617, 626 (7th Cir. 2020). 17 The Court concludes that Plaintiffs have alleged sufficient facts to show that they are 18 “aggrieved” parties under the statute. First, the Court notes that Bryant is distinguishable 19 because it involved a plaintiff who had alleged only a claim under the provision of 15(a) 20 requiring development of a “written policy, made available to the public, establishing a retention 21 schedule and guidelines for permanently destroying biometric identifiers and biometric 22 information,” not under the provision requiring compliance with the established retention 23 24 ORDER - 16 1 schedule and destruction guidelines. Bryant, 958 F.3d at 626. 7 By contrast, here, Plaintiffs’ 2 SAC alleges not only that Amazon failed to maintain and publish a schedule and guidelines but 3 also that it failed to destroy Plaintiffs’ data after the initial purpose for collecting or maintaining 4 their data bad been satisfied. Dkt. # 88 at 11–12. Plaintiffs have therefore alleged a more 5 concrete and particularized injury than the plaintiff in Bryant. 6 Further, the Illinois Supreme Court has stated that, when a private entity fails to comply 7 with Section 15’s retention and destruction requirements, the violation constitutes an invasion of 8 the privacy rights of the person whose data is subject to the breach. See Rosenbach, 129 N.E.3d 9 at 1206. Although the plaintiff in Rosenbach alleged violations of Section 15(b), the court said 10 this about BIPA in general: 16 The duties imposed on private entities by section 15 of the Act regarding the collection, retention, disclosure, and destruction of a person’s or customer’s biometric identifiers or biometric information define the contours of that statutory right. Accordingly, when a private entity fails to comply with one of section 15’s requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach … [S]uch a person or customer would clearly be “aggrieved” within the meaning of section 20 of the Act and entitled to seek recovery under that provision. No additional consequences need be pleaded or proved. The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action. 17 Id. (emphasis added). Plaintiffs here allege that Amazon violated its duties relating to retention 18 and destruction of their biometric data. See Dkt. # 88 at 11–12. They have therefore alleged 19 sufficient facts to make them “aggrieved” parties under the statute. 11 12 13 14 15 20 21 22 23 24 7 The Court also acknowledges that in Bryant, the Seventh Circuit was tasked with deciding whether the plaintiff had Article III standing to pursue a 15(a) claim in federal court, not whether he was “aggrieved” within the meaning of the statute. But the Court agrees with Amazon that the case’s holding is still relevant “to the nature and scope of the rights afforded under BIPA,” (see Dkt. # 49 at 16 n. 8) because the two inquiries both focus on whether a plaintiff has alleged a concrete and individualized injury. ORDER - 17 1 2 F. Amazon’s Compliance with BIPA Lastly, Amazon insists that—even if the Court concludes that it is subject to BIPA—it 3 has done everything it possibly can to comply with the statute. Dkt. # 45 at 28–29. It explains 4 that under its Service Terms, all Amazon customers who use Rekognition are required to provide 5 legally adequate privacy notices and obtain necessary consent from end users. Id. 6 First, the Court notes that Amazon’s Service Terms are not incorporated by reference in 7 the SAC and were instead submitted by Amazon via a declaration, so it is unclear whether the 8 Court can even consider them. See Shaver v. Operating Engineers Loc. 428 Pension Tr. Fund, 9 332 F.3d 1198, 1201 (9th Cir. 2003) (“Generally, on a 12(b)(6) motion, the District Court should 10 consider only the pleadings”) (citing Lee v. City of Los Angeles, 250 F.3d 668, 688–89 (9th Cir. 11 2001)). But even if it could, the Court is not convinced that Amazon’s inclusion of a catch-all 12 provision requiring its customers to comply with the law generally is enough to satisfy its legal 13 obligations under BIPA. For example, as discussed above, Amazon could program Rekognition 14 so that it will not run unless and until it provides BIPA-compliant notice and obtains BIPA- 15 compliant consent from end users, either through ProctorU’s interface or otherwise. See supra, 16 Section D. To the extent that Amazon believes additional actions on its part would be “unfair 17 and unreasonable” or “impossible to meet,” see Dkt # 45 at 28 (citing Midwest Bank & Tr. Co. v. 18 Roderick, 476 N.E.2d 1326, 1331–32 (Ill. App. 1985)), it may make those arguments at the 19 summary judgment stage. But the face of Plaintiffs’ complaint alleges sufficient facts to show 20 that Amazon, a private entity, collected and maintained their data without complying with 21 Section 15 of BIPA, thus surviving a motion to dismiss. 22 IV 23 CONCLUSION 24 For these reasons, the Court DENIES Amazon’s motion to dismiss. ORDER - 18 1 Dated this 26th day of July, 2023. 2 3 John H. Chun United States District Judge 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 ORDER - 19
]]>
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You
should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
