For nearly four years now, attorneys have remained relentless in their quest to expand the outer limits of Illinois’ Biometric Information Privacy Act (BIPA) to the extent the courts are willing to allow it. During this period, many defendants struggled to get BIPA’s collective complaints dismissed.
One particular defense, however, has developed into an extremely robust tool for companies engaged in biometric privacy class lawsuits: the BIPA “financial institution” exemption. Contrary to what the name suggests, the benefits of this entity-level exclusion extend to a range of entities well beyond traditional banks and financial institutions. A recent BIPA notice issued by a court in the Northern District of Illinois demonstrates the expansive scope of the exemption and provides several key elements for defendants to defend against – and outright deny – BIPA’s claims at a time when the exposure to biometric privacy class action lawsuits continues to grow.
The Powell Decision
On November 4, 2022, an Illinois District Court dismissed Powell vs. DePaul Univ., no. 21-C-3001, 2022 US Dist. LEXIS 201296 (ND Ill. Nov. 4, 2022), which was an educational biometric privacy case, on a perhaps unintuitive finding that the university involved was a financial institution and as such specifically exempt from complying with the law Illinois Biometric Information Privacy Act (BIPA).
In Powella student brought a class action lawsuit against the defendant (a university) in an Illinois state court alleging that it violated BIPA by using an online remote monitoring tool that allows distance learners to capture, store and disseminate their students’ biometric data, including but not limited to their facial recognition and detection data, without disclosing it to students, obtaining their consent or informing them of how it disposes of their data .
The defendant remanded the lawsuit to a district court in the Northern District of Illinois and moved to dismiss it for failure to declare a claim under Federal Rule of Civil Procedure 12(b)(6). The defendant argued that the dismissal was appropriate because it is a financial institution subject to Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA) and is therefore exempt from BIPA.
Adopted in 2008, the Illinois BIPA restricts the collection, use, safeguarding, manipulation, storage, retention and destruction of biometric identifiers by private entities and provides a private right of action, allowing Illinois residents to sue private entities seeking damages for the violation of the law. Under BIPA, a private entity that collects biometric information “must develop a written policy, made available to the public, setting out a retention schedule and guidelines for the permanent destruction of biometric identifiers and biometric information where the purpose initial collection or obtaining of such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever comes first.
BIPA requires the private entity to first notify a person in writing that it collects, captures, buys, receives through commerce, or otherwise obtains that person’s biometric identifier and the purpose and duration for which it collects and stores this information and then obtains the informed information from that person’s written consent. However, BIPA specifically exempts from its scope financial institutions or their affiliates that are already subject to GLBA Title V and its reporting standards. A financial institution, as defined by the GLBA, is “any institution whose business is engaged in financial activities”.
In that case, the Court found that the defendant was such an institution because it “participates in federal student aid programs and provides direct loans to consumers.” Therefore, the Court determined that the defendant should be excused from complying with BIPA.
In arriving at its decision, the Court carefully considered the regulatory and judicial authorities on the matter. Specifically, the Court relied on the Federal Trade Commission (FTC), noting that it considers colleges and universities that “are significantly engaged in the lending of funds to consumers” to be financial institutions subject to the title. V of the GLBA.
The Court then considered the Department of Education (DOE) public guidance issued in 2020, in which the DOE stated that “GLBA required financial institutions to have information privacy protections, and that the FTC has the authority to enforce requirements and has determined that institutions of higher education. . . are financial institutions under GLBA.
The Court further relied on the privacy rules of the Consumer Financial Protection Bureau (CFPB), which considers universities that “are significantly engaged in financial activities” to be financial institutions.
Finally, the Court reviewed five prior decisions involving circumstances similar to this dispute, all of which held that the BIPA exemption applied to higher education institutions “that are significantly engaged in financial activities such as granting or the administration of student loans”.
Armed with these analytical underpinnings, the Court turned to the facts of the lawsuit, taking judicial notice of the Defendant’s Participation Agreement with the DOE, among other publicly available documents. The documents revealed that the defendant participates in federal student aid programs and administers direct student loans. According to the GLBA’s definition, these functions qualified the defendant to be a financial institution, which led the Court to dismiss the lawsuit.
Analysis and takeaways
The exemption of financial institutions from the BIPA extends far beyond traditional financial institutions
The key to remember Powell decision is that a private entity may be exempted from complying with the BIPA requirements on the basis of the financial institution exemption, even if its activity is not that of a financial institution in the traditional sense of that term . The BIPA exemption is quite broad, even exempting higher education institutions from complying with BIPA when participating in federal student aid programs and administering student loans.
From a broader perspective, any entity subject to GLBA’s confidentiality requirements, commonly referred to as the Financial Privacy Rule, is permitted to use the exemption as a complete defense in BIPA class litigation. On this issue, the courts agree that the proper definition of “financial institution” applicable in the context of BIPA is that set forth in the GLBA to describe entities regulated by the GLBA, as opposed to the common law meaning of the term.
This is a significant issue for defendants who face increasing BIPA liability, as the definition of a financial institution under the GLBA is extremely broad, encompassing any institution whose business is engages in financial activities, such as lending, exchanging, transferring, investing for others, or saving money or securities; provision of financial, investment or economic advisory services; and underwriting, trading or keeping a market in securities, among others.
Ensure that motions to dismiss under the Financial Institutions Exemption are supported by sufficient, case-specific evidence
That said, defendants involved in BIPA lawsuits will not be able to obtain a class action dismissal simply because they are GLBA-regulated entities. Instead, defendants must be able to clearly establish their right to invoke this exemption. This task is particularly critical in the context of the prosecution of first motions to dismiss, where the scope of evidence that can be considered by a judge in deciding the motion is limited.
As illustrated in Powell, the university in this case supported its motion to dismiss by attaching judicially discernible documentation indicating its participation in federal student aid programs requiring compliance with the GLBA. The court found that this evidence established the university’s status as a financial institution under the GLBA, which in turn necessitated the dismissal of the lawsuits brought against it by BIPA.
As such, those requesting the dismissal of a BIPA dispute under their status as a financial institution under the Financial Institution Exemption should ensure that their requests are properly supported by sufficient evidence to enable the court to conclude that BIPA’s financial institution exemption applies specifically to the particular institution. activities undertaken by the defendant in order to maximize the likelihood of a successful outcome to a motion to permanently terminate the litigation.