Takeaways from recent Meta BIPA decision: What companies need to know

By David J. Oberly, Biometric Privacy & Data Privacy Attorney

Recently, a California federal court issued a notable decision in a pending Illinois Biometric Information Privacy Act (BIPA) class action dispute involving Meta Platforms, Inc. (Meta) and its purported use of its users’ voice recordings in Delgado v. Meta Platforms, Inc., No. 23 CV 4181, 2024 WL 818344 (N.D. Cal. Feb. 27, 2024).

The Delgado decision illustrates the broad scope of exposure faced by companies for alleged non-compliance with BIPA, as well as the challenges and complexities in obtaining the dismissal of biometrics class actions prior to the commencement of costly discovery. At the same time, the decision provides several valuable lessons and takeaways that can be leveraged to mitigate the ever-increasing risk of BIPA class actions and, in the event a company finds itself named in a BIPA suit, forcefully defend against and defeat tenuous or meritless BIPA claims.

The decision

A user who inputted her voice when using features offered by Meta’s Facebook platform and Messenger application to, among other things, dictate text messages, make audio calls, and send audio recordings, filed suit against Meta, arguing that the social media company converted her audio into a voiceprint and thereafter used her voiceprint without complying with the mandates of BIPA. Meta moved for dismissal of the suit, arguing that:

• the plaintiff could not maintain an actionable BIPA claim pursuant to the choice of law provision contained in its terms of service;
• the plaintiff failed to plausibly allege that Meta collected her voiceprint, as opposed to her more general voice recording; and
• the complaint failed to plausibly allege violations of BIPA’s Section 15(c) transactional prohibition or the law’s Section 15(e) security requirement.

The court rejected the majority of Meta’s arguments, but granted the motion to dismiss in part.

In its decision, the court rejected Meta’s argument that the choice of law provision contained in Meta’s terms of service—stating that California law was to govern all disputes arising between the parties—served as a complete bar to the BIPA claims asserted against it. In so doing, the court relied heavily on a series of prior BIPA decisions declining to enforce contractual choice of law provisions where the forum state’s choice of law rules required application of § 187 of the Restatement (Second) Conflict of Laws.

The court also rejected Meta’s argument that the complaint failed to plausibly allege that the company collected “voiceprints” under BIPA, but instead only implicated voice recording data not governed by the Illinois law. Notably, the court reasoned that the plaintiff sufficiently alleged the collection and use of voiceprints based on allegations concerning: (1) a patent pertaining to methods for identifying users based on their voiceprints created from audio output; and (2) the company’s U.S. state privacy notice, which included disclosures notifying users that Meta may use audio recordings to identify users and may collect users’ “sensitive personal information,” including “voice recordings which may be used to identify you when you use relevant features.”

The Delgado court did, however, find that the plaintiff failed to set forth sufficient allegations to allege a plausible violation of BIPA Sections 15(c) and 15(e). Here, the court reasoned that the plaintiff only alleged that Meta used biometric data to improve its technology, which in turn improved the effectiveness of its products and made them more commercially valuable, which fell short of a plausible violation of Section 15(c)’s transactional prohibition. The court also found that the plaintiff’s allegations that Meta had been, and may again be, subject to cybersecurity attacks did not make it plausible that the company had violated any industry-wide standard of care for the security of biometric data, which was necessary to maintain an actionable Section 15(e) claim. As such, the court granted Meta’s motion to dismiss the Section 15(c) and 15(e) claims—but without prejudice and with leave for plaintiff to amend.

Analysis & Takeaways

Choice of law as a defense to BIPA class actions

The first major takeaway from Delgado pertains to the court’s ruling on Meta’s choice of law defense. Under California’s choice of law rules, the Delgado court was required to apply the principles set forth in § 187 of the Restatement (Second) of Conflict of Laws. Applying the Restatement approach, the court rebuffed Meta’s efforts to enforce the choice of law provision contained in the parties’ contract. To date, all other BIPA disputes to assert a choice of law defense have resulted in the same outcome where the forum state followed the Restatement approach. From a broader perspective, as a general rule, choice of law as a defense to BIPA class actions will most likely not be viable in jurisdictions that follow the Restatement approach, as the Restatement analysis dictates that Illinois law must be applied in BIPA disputes due to Illinois’s fundamental policy of protecting its citizens’ right to privacy in their biometric data under BIPA.

Importantly, however, where the forum state does not follow the Restatement approach—but instead adheres to a general rule favoring the enforceability of choice of law provisions—defendants may be able to obtain complete dismissals of BIPA class actions in their entirety. This is precisely the result that occurred in Thakkar v. ProctorU, Inc., 642 F. Supp. 3d 1304 (N.D. Ala. 2022). In that case, the court held that because the parties’ choice of law provision (providing that Alabama law was to govern all disputes) was enforceable under Alabama’s choice of law rules, the plaintiffs could not state an actionable BIPA claim upon which relief could be granted as a matter of law, necessitating dismissal of the class action in its entirety and with prejudice. Notably, Alabama does not follow the Restatement approach, but instead adheres to the general rule that such contractual choice of law provisions are valid and enforceable unless they are against Alabama public policy.

As many readers know, choice of law provisions can be used to dispositively defeat bet-the-company BIPA class actions under certain circumstances. With that said, there are many nuances that need to be fleshed out by companies to maximize the likelihood that their contractual choice of law language will be deemed enforceable if the need ever arises in BIPA litigation—including but not limited to the threshold issue of the choice of law rules governing the state selected by the parties in their choice of law clause. As such, companies should consult with experienced biometrics counsel to assist in reviewing and drafting legally-compliant choice of law contract language that will put them in the best position to leverage a choice of law defense to dispose of BIPA disputes if necessary.

Scope of data encompassed within terms “Biometric Identifier” and “Biometric Information”

Another major takeaway from Delgado pertains to the court’s discussion of what constitutes a “biometric identifier” or “biometric information” for purposes of BIPA.

In seeking dismissal of the Delgado class action, Meta argued that voiceprints—an enumerated form of biometric identifier—were not implicated based on the allegations in the complaint because the plaintiff failed to allege that Meta actually identified her using the voice recordings it collected. The court rejected this argument, instead agreeing with the line of cases analyzing BIPA in which courts have defined biometric identifiers as data unique to an individual that could be used to identify someone, rather than as data that was used to identify someone. The court further explained that a plaintiff is not required to specifically allege that a defendant, in fact, used their biometric data to determine their identities. Instead, all that is needed are allegations that a defendant’s collection of biometric data made the defendant capable of determining the plaintiff’s (and other class members’) identities.

Thus, as a general rule, where a private entity has collected an individual’s face geometry, voiceprint, or other form of biometric identifier/information, and also possesses other personal information of that individual such that the capability exists to determine the identity of the individual associated with that biometric data, that data is regulated by BIPA and, in turn, triggers compliance with Section 15 of the law.

Scope of Section 15(c) violations

The Delgado decision also offers valuable insight as to the scope and contours of BIPA Section 15(c) claims.

Section 15(c) bars private entities from selling, leasing, or otherwise profiting from biometric identifiers or biometric information. In its opinion, the Delgado court explained that Section 15(c) regulates transactions with two components: (1) access to biometric data is shared or given to another; and (2) in return for that access, the entity receives something of value. Section 15(c) does not, however, require any direct sale of biometric data.

The first component may be met where, for instance, the biometric data is so integrated into a product or service that consumers necessarily gain access to biometric data by using the product/service. As to the second component, the term “otherwise profit” is not limited to a pecuniary benefit. Instead, Section 15(c) prohibits the commercial dissemination of biometric data for some sort of gain, whether pecuniary or not.

The Delgado court further explained that those cases in which courts had found a plausible Section 15(c) violation involved defendants that provided a third party with access to data, or to a product that heavily incorporated biometric data, in exchange for consideration. For example, in one case the court found a Section 15(c) claim existed where the plaintiff’s allegations supported the inference that biometric data itself was so incorporated into the defendant’s product that by marketing the product, it was commercially disseminating biometric data. In another case, a defendant’s creation and sale of access to a database of biometric information generated from photographs of plaintiffs was found to form a valid basis for a Section 15(c) violation.

In Delgado, however, the court found that the plaintiff did not allege any facts similar to those prior decisions in which a plausible Section 15(c) violation was found. As such, the court dismissed the Section 15(c) claim for failure to state a claim under Federal Civil Rule 12(b)(6) (but with leave to amend).

Taken together, as a general rule for Section 15(c) claims, it is insufficient to allege, without more, that a company used biometric data to improve its technologies, which in turn improved the effectiveness of its products and made them more commercially valuable. Further, Section 15(c) claims may also be vulnerable to attack—and subject to dismissal for failure to state a claim—where the plaintiff does not allege that: (1) any product was created from his or her biometric data; (2) the defendant marketed a product containing his or her biometric data; or (3) the defendant so incorporated the plaintiff’s biometric data into its technology that the sale of its products necessarily constitutes the sale of access to the plaintiff’s biometric data.

Difficulty of procuring BIPA dismissal at pleading stage (on Motion to Dismiss)

The final key takeaway from Delgado pertains to the challenges faced by defendants in procuring dismissals from BIPA class actions at the pleading stage (i.e., on a motion to dismiss).

To date, BIPA disputes have been extremely difficult to defeat at the outset of litigation, which is attributable to a range of factors that include deference given to plaintiff’s vague, oftentimes conclusory allegations when ruling on a motion to dismiss, and courts’ willingness to interpret BIPA’s statutory language in a manner that heavily favors plaintiffs.

More than that, defendants face an uphill battle in obtaining dismissals at the pleading stage because courts are confined to considering only the allegations set forth in the complaint when ruling on a motion to dismiss. At the same time, courts are precluded from giving any consideration given to the actual factual circumstances underlying the dispute, such as how a defendant’s technology, in fact, operates.

Delgado exemplifies these challenges faced by BIPA defendants. In its motion to dismiss, Meta put forth several reasonable arguments as to why the complaint did not implicate the collection or use of voiceprints—or BIPA in any other respect for that matter. The court declined to consider these arguments in ruling on the motion to dismiss. Instead, after reiterating its requirement to treat as true all factual allegations as stated in the plaintiff’s complaint and to draw all reasonable inferences in the plaintiff’s favor, the court found that the plaintiff sufficiently alleged that Meta had collected her voiceprints. Of note, the court did so based solely on vague and seemingly irrelevant allegations pertaining to a Meta patent and the company’s U.S. state privacy notice—while also readily acknowledging the tenuous nature of these same allegations.

As such, to mitigate BIPA class action risk—even where arguments may exist that a company’s use of biometric data is not regulated by the Illinois law—companies should strongly consider taking a conservative approach to compliance and endeavor to satisfy all applicable BIPA requirements where it is feasible to do so.

About the author

David J. Oberly is Of Counsel in the Washington, D.C. office of Baker Donelson, and a member of the firm’s Biometric Privacy, Artificial Intelligence, and Data Protection, Privacy & Cybersecurity practices. Recognized as “one of the nation’s foremost thought leaders in the biometric privacy space” by LexisNexis, David’s practice focuses on counseling and advising clients on a wide range of biometric privacy, artificial intelligence, and data privacy/security compliance and risk management matters. In addition, David has deep experience in litigating bet-the-company BIPA class action disputes. He is also the author of Biometric Data Privacy Compliance & Best Practices—the first and only full-length treatise of its kind to provide a comprehensive compendium of biometric privacy law. He can be reached at doberly@bakerdonelson.com. You can follow David on X at @DavidJOberly.

DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.

Article Topics

biometric data  |  biometric identifiers  |  Biometric Information Privacy Act (BIPA)  |  biometrics  |  David Oberly  |  lawsuits  |  Meta