From Casetext: Smarter Legal Research

Fee v. Ill. Inst. of Tech.

United States District Court, Northern District of Illinois
Jul 15, 2022
21-cv-02512 (N.D. Ill. Jul. 15, 2022)

Opinion

21-cv-02512

07-15-2022

DANIEL FEE, individually and on behalf of all others similarly situated, Plaintiff, v. ILLINOIS INSTITUTE OF TECHNOLOGY, Defendant.


MEMORANDUM OPINION AND ORDER

Andrea R. Wood, United States District Judge

Plaintiff Daniel Fee is a former student at Defendant Illinois Institute of Technology (“IIT”). Like many IIT students, Fee took some exams online using a remote proctoring tool that employed facial-recognition technology to verify the student's identity. Fee, however, alleges that IIT failed to comply with the requirements set out in Illinois's Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., before collecting his biometric identifiers. Accordingly, he has brought the present action on behalf of himself and a putative class of similarly situated IIT students alleging violations of BIPA. Now before the Court is IIT's motion to dismiss Fee's First Amended Complaint (“FAC”) pursuant to Federal Rule of Civil Procedure 12(b)(6). (Dkt. No. 16.) For the reasons that follow, IIT's motion to dismiss is denied.

BACKGROUND

For the purposes of the motion to dismiss, the Court accepts all well-pleaded facts in the FAC as true and views those facts in the light most favorable to Fee as the non-moving party. Killingsworth v. HSBC Bank Nev., N.A., 507 F.3d 614, 618 (7th Cir. 2007). The FAC alleges as follows.

Fee is a former student at IIT, a private research university located in Chicago. (FAC ¶ 1, 21, 83, Dkt. No. 13.) IIT offers both in-person and online courses to its students. (Id. ¶ 2.) For many of its online courses, IIT requires its students to take exams using Respondus Monitor, an online remote proctoring tool. (Id.) Respondus Monitor's technology allows students to take exams online in a non-proctored environment. (Id. ¶ 27.) Relevant here, Respondus Monitor verifies the identity of the student taking an exam by using the student's webcam to capture their facial geometry and other biometric identifiers and conduct a “facial detection check.” (Id. ¶¶ 6772.)

While attending IIT, Fee took a class in Fall 2020 that required him to use Respondus Monitor for exams. (Id. ¶ 85.) According to Fee, IIT, by means of the Respondus Monitor tool, collected, stored, and used his biometric information without complying with the requirements of Illinois's BIPA. (Id. ¶¶ 13-15.) BIPA was enacted to “protect[] public welfare, security, and safety by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and biometric information.” (Id. ¶ 10 (quoting 740 ILCS 14/5(g)).) According to Fee, IIT violated BIPA by not maintaining a publicly available retention schedule and guidelines for permanently destroying students' biometric information; failing to inform Fee or its other students in writing that their biometric information was being collected; failing to inform Fee or its other students of the purpose and length of time for which their biometric information was being collected, stored, and used; not obtaining prior written authorization from Fee or its other students before collecting their biometric data; profiting from its collection and use of Fee and its other students' biometric information; and disclosing or disseminating the biometric information of Fee and its other students without their consent. (Id. ¶¶ 13-15; 110-12; 119-121, 129, 135.) Consequently, Fee has sued IIT on behalf of himself and a class of similarly situated IIT students who took exams using Respondus Monitor “during the five years prior to the filing of the Complaint through January 20, 2021.” (Id. ¶¶ 94-95.)

DISCUSSION

To survive a Rule 12(b)(6) motion, “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). This pleading standard does not necessarily require a complaint to contain detailed factual allegations. Twombly, 550 U.S. at 555. Rather, “[a] claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Adams v. City of Indianapolis, 742 F.3d 720, 728 (7th Cir. 2014) (quoting Iqbal, 556 U.S. at 678). “In addition to the allegations in the complaint, courts are free to examine . . . matters of which a court may take judicial notice in evaluating a motion to dismiss under Rule 12(b)(6).” Facebook, Inc. v. Teachbook.com LLC, 819 F.Supp.2d 764, 770 (N.D. Ill. 2011) (internal quotation marks omitted).

IIT contends that the FAC must be dismissed with prejudice because BIPA does not apply to it. Specifically, BIPA Section 25(c) provides that “[n]othing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder.” 740 ILCS 14/25(c). IIT claims that because it is an institution of higher education that makes and administers numerous student loans, it qualifies as a financial institution subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”).

BIPA does not otherwise define the term “financial institution,” and neither the Illinois Supreme Court nor any intermediate Illinois appellate court has discussed the scope of Section 25(c)'s exemption. Consequently, this Court's task in interpreting BIPA's financial-institution exemption is to determine how the Illinois Supreme Court would rule. Rodas v. Seidlin, 656 F.3d 610, 626 (7th Cir. 2011). In Illinois, “[t]he fundamental rule of statutory interpretation is to ascertain and give effect to the intent of the legislature.” Dome Tax Servs. Co. v. Weber, 136 N.E.3d 1121, 1124 (Ill.App.Ct. 2019). “The most reliable indicator of that intent is the language of the statute itself. In determining the plain meaning of statutory language, a court will consider the statute in its entirety, the subject the statute addresses, and the apparent intent of the legislature in enacting the statute.” Id. at 1123-24 (citation omitted). Where the statutory language is clear and unambiguous, it must be applied as written. Id. at 1124.

The Court agrees with IIT that BIPA's exemption for financial institutions subject to Title V of the GLBA means what it says and is therefore best understood by looking to Title V of the GLBA. Codified at 15 U.S.C. §§ 6801-6809, Title V of the GLBA “contains a number of provisions designed to protect the privacy of ‘nonpublic personal information' . . . that consumers provide to financial institutions.” Trans Union LLC v. FTC, 295 F.3d 42, 46 (D.C. Cir. 2002); see also 15 U.S.C. § 6801(a) (“It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.”). A “financial institution” subject to Title V of the GLBA is “any institution the business of which is engaging in financial activities as described in section 1843(k) of Title 12.” 15 U.S.C. § 6809(3)(A). And lending money is one of the financial activities described in 12 U.S.C. § 1843(k). Thus, IIT claims that because it regularly makes and administers student loans, it qualifies as a “financial institution” as defined by Title V of the GLBA.

In addition, the rules promulgated under Title V of the GLBA-which are expressly referenced in BIPA's Section 25(c)-provide further insight into the meaning of “financial institution.” Originally, the GLBA spread out authority over implementing and enforcing Title V among multiple federal agencies, including the Federal Trade Commission (“FTC”). See Trans Union, 295 F.3d at 47. Pursuant to that authority, in May 2000, the FTC published a final privacy rule “with respect to financial institutions and other persons under [its] jurisdiction,” which was ultimately codified at 16 C.F.R. part 313. Privacy of Consumer Financial Information, 65 Fed.Reg. 33,646 (May 24, 2000). That rule took a broad view as to what entities qualify as “financial institutions” and recognized that the term could encompass an institution of higher education. Id. at 33,678. Indeed, it provided that “[a]ny institution of higher education that complies with the Federal Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. [§] 1232g, and its implementing regulations, 34 CFR part 99, and that is also a financial institution subject to the requirements of this part, shall be deemed to be in compliance with this part if it is in compliance with FERPA.” 65 Fed.Reg. at 33,678 (emphasis added). Moreover, the FTC directly responded to comments from colleges and universities requesting that they not be included in the definition of “financial institution.” Id. at 33,648. It explained that it “disagreed with those commenters” because “[m]any, if not all, such institutions appear to be significantly engaged in lending funds to consumers.” Id.

In 2010, the Dodd-Frank Act transferred general Title V rulemaking authority to the Consumer Financial Protection Bureau (“CFPB”). 12 U.S.C. § 5512(b); Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act, 86 Fed.Reg. 70,020, 70,020 (Dec. 9, 2021). Accordingly, in 2011, the CFPB substantially adopted and republished at 12 C.F.R. part 1016 the privacy rules originally promulgated by the FTC. Privacy of Consumer Financial Information (Regulation P), 76 Fed.Reg. 79,025 (Dec. 21, 2011). Like the original FTC rule, the CFPB's rule also recognizes that “[a]ny institution of higher education that complies with the [FERPA]” shall be deemed in compliance with the CFPB's privacy rule where the institution “is also a financial institution described in § 1016.3(1)(3) of this part.” 12 C.F.R. § 1016.1(b)(ii).In turn, § 1016.3(1)(3), in relevant part provides that “an institution that is significantly engaged in financial activities is a financial institution.” 12 C.F.R. § 1016.3(1)(3)(i). Reading the relevant statutory and regulatory language together, there is little doubt that an institution of higher education like IIT can be considered a financial institution subject to Title V of the GLBA where it regularly extends and administers student loans.

In its briefs, IIT cites the substantially similar provision that, at the time, appeared in the FTC's privacy rule at 16 C.F.R. § 313.1(b). At the time IIT submitted its briefs, the language of 16 C.F.R. § 313.1(b) reflected the rule as originally published in 2000. However, after the present motion was fully briefed, the FTC amended its privacy rule to, among other things, make “[t]echnical changes to the rule to correspond to the reduced scope of the rule due to Dodd-Frank Act changes.” 86 Fed.Reg. at 70,021. One of the changes was to remove the language concerning institutions of higher education. Id. Similarly, in two decisions from courts in this District that Fee submitted to this Court as supplemental authority, the defendants also relied on the now-outdated FTC privacy rule. (Pl.'s Mots. for Leave to File Suppl. Authority, Dkt. Nos. 31-32); Powell v. DePaul Univ., No. 21-cv-3001 (N.D. Ill. Mar. 28, 2022) (deferring ruling on motion to dismiss and calling for supplemental briefs); Patterson v. Respondus, Inc., Nos. 20 C 7692, 21 C 1785, 21 C 2620, 2022 WL 860946 (N.D. Ill. Mar. 23, 2022) (denying motion to dismiss). In those decisions, the district courts addressed motions to dismiss predicated on Section 25(c)'s applicability to institutions of higher education in actions involving substantially similar facts as those here. Both district courts questioned the FTC's rulemaking authority with respect to Title V of the GLBA in light of the transfer of such authority to the CFPB under the Dodd-Frank Act, but neither addressed the CFPB's recent adoption and republication of a rule nearly identical to the FTC's original privacy rule. Consequently, Fee's supplemental authorities do not undermine (and, in fact, are consistent with) this Court's analysis of Title V of the GLBA's regulatory framework.

Fee argues that IIT's broad interpretation of “financial institution” as used in BIPA's Section 25(c) is contrary to the term's plain meaning. Instead, he asserts that “financial institution” should be read more narrowly for purposes of BIPA to encompass only entities traditionally understood to be financial institutions, such as banks. But Fee's proposed interpretation is unnatural and relies on reading the term “financial institution” in isolation from the “subject to Title V of the GLBA” language. See Iwan Ries & Co. v. City of Chicago, 160 N.E.3d 916, 920 (Ill. 2019) (“This court reviews the statute as a whole, construing words and phrases in the context of the entire statute and not in isolation.”). Had the legislature intended for the term “financial institution” to have a different meaning than Title V of the GLBA's definition of that same term, it would have spoken more clearly. See Waste Mgmt. of Ill., Inc. v. Ill. Pollution Control Bd., 826 N.E.2d 586, 590 (Ill.App.Ct. 2005) (“[W]hen the language of the statute is express and plain, a court must not search for subtle intentions of the legislature.”). Yet BIPA does not further elaborate on the exemption beyond the language set forth in Section 25(c), and therefore BIPA is reasonably understood to exempt any entity deemed to be a “financial institution” such that it must comply with Title V of the GLBA and its related regulations.

Further, treating Section 25(c) as applying to all entities regarded as financial institutions subject to Title V of the GLBA is consistent with BIPA's purposes. Specifically, the legislature enacted BIPA to “protect[] Illinois residents' privacy interests in their biometric information.” Heard v. Becton, Dickinson & Co., 524 F.Supp.3d 831, 837 (N.D. Ill. 2021). Similarly, Title V of the GLBA's stated policy is the protection of the nonpublic personal information of the customers of financial institutions. Thus, the legislature “likely excluded financial institutions because they are already subject to a comprehensive privacy protection regime under federal law.” Bryant v. Compass Grp. USA, Inc., 503 F.Supp.3d 597, 601 (N.D. Ill. 2020). In addition, “the legislature may have . . . concluded that failing to exclude those financial institutions subjected to GLBA's reporting standards risked federal preemption of BIPA.” Stauffer v. Innovative Heights Fairview Heights, LLC, 480 F.Supp.3d 888, 902 (S.D. Ill. 2020).

For these reasons, the Court also rejects Fee's contention that treating Section 25(c)'s exemption as commensurate with Title V of the GLBA's definition of “financial institution” would violate the Illinois Constitution's prohibition of special legislation. Section 13 of article IV of the Illinois Constitution prohibits the legislature “from conferring a special benefit or privilege upon one person or group and excluding others that are similarly situated.” Crusius v. Ill. Gaming Bd., 837 N.E.2d 88, 94 (Ill. 2005). “While the legislature has broad discretion to make statutory classifications, the special legislation clause prevents it from making classifications that arbitrarily discriminate in favor of a select group.” Id. But so long as “the statutory classification is rationally related to a legitimate State interest,” it will survive a special legislation challenge. Petition of Vill. of Vernon Hills, 658 N.E.2d 365, 367-68 (Ill. 1995). Here, the legislature could have rationally excluded financial institutions subject to Title V of the GLBA either because it concluded that Title V's privacy regulations were sufficient or out of a concern over federal preemption. Stauffer, 480 F.Supp.3d at 902; Bryant, 503 F.Supp.3d at 601.

Next, the Court disagrees with Fee's contention that IIT's interpretation of Section 25(c) results in an exemption so expansive that it swallows BIPA's rule. Fee raises the prospect that, given the prevalence of consumer financing and credit in retail contexts, IIT's interpretation could exempt private entities like grocery stores and gas stations even though those were the very entities that the legislature sought to regulate by passing BIPA. One court has previously rejected a similar argument as “a bit hyperbolic,” since the financial-institution exemption is only for those financial institutions “that are already covered by another law similar to the BIPA that requires [them] to explain their information-gathering practices and how they safeguard sensitive data to their customers.” Stauffer, 480 F.Supp.3d at 902. Moreover, the CFPB's Title V regulations squarely foreclose many of the consequences of which Fee warns. For example, the regulations state that “[a] retailer is not a financial institution if its only means of extending credit are occasional ‘lay away' and deferred payment plans or accepting payment by means of credit cards issued by others.” 12 C.F.R. § 1016.3(1)(2)(iv)(A). In any case, it is not for the Court to read limitations into Section 25(c)'s plain language simply because it believes that such limitations may be desirable. Hendricks v. Bd. of Trs. of Police Pension Fund of City of Galesburg, 38 N.E.3d 969, 974 (Ill.App.Ct. 2015) (“A court may not depart from the plain language of the statute and read into it exceptions, limitations, or conditions that are not consistent with the express legislative intent.”). The legislature made a deliberate choice to reference both Title V of the GLBA and its regulations in drafting Section 25(c), and it should be treated as understanding the scope of the exemption it created. If it comes to determine that the exemption is untenable, then the legislature is fully capable of remedying the issue itself.

Finally, Fee contends that IIT is exempt from the GLBA's regulations based on its compliance with the FERPA. That argument is based on an earlier version of the FTC's rule- which has since been republished by the CFPB-providing that any institution of higher education that complies with the FERPA will be deemed in compliance with Title V's regulations concerning the treatment of nonpublic personal information. 12 C.F.R. § 1016.1(b)(2)(ii). Of course, that language does not exempt an institution of higher education from the GLBA, it simply provides them an alternative way of demonstrating compliance with certain of its regulations. Further, an institution of higher education subject to Title V of the GLBA must still comply with other Title V regulations such as those governing financial institutions' standards for implementing and maintaining safeguards to protect the security of customer information. See 16 C.F.R. §§ 314.1-314.6.

While this Court concludes that an institution of higher education can be deemed a financial institution subject to Title V of the GLBA, for IIT in fact to qualify for BIPA Section 25(c)'s exemption the Court must also conclude that IIT regularly extends and administers student loans. Although the FAC is devoid of allegations concerning IIT's lending activities, IIT asks the Court to take judicial notice of the fact that it participates in the U.S. Department of Education's Title IV student financial aid programs. Title IV refers to Title IV of the Higher Education Act, 20 U.S.C. § 1070 et seq., which “governs the administration of over $150 billion in annual federal financial assistance awards for higher education.” Leveski v. IIT Educ. Servs., Inc., 719 F.3d 818, 819-20 (7th Cir. 2013). Further, IIT asks the Court to take judicial notice of the fact that the U.S. Department of Education's Federal Student Aid Office lists IIT as a participant in Title IV federal student aid programs. Fed. Student Aid, Federal School Code Lists, https://fsapartners.ed.gov/knowledge-center/library/resource-type/Federal%20School%20Code%20Lists (last visited Mar. 11, 2022) (School Code 001691). And the Federal Student Aid Office deems Title IV participants subject to Title V of the GLBA. Fed. Student Aid, GEN-15-18, Protecting Student Information, https://fsapartners.ed.gov/knowledge-center/library/dear-colleague-letters/2015-07-29/protecting-student-information (July 29, 2015) (“Under Title V of the [GLBA], financial services organizations, including institutions of higher education, are required to ensure the security and confidentiality of customer records and information.” (emphasis added)). Although the Court may take judicial notice of these facts, see, e.g., Denius v. Dunlap, 330 F.3d 919, 926 (7th Cir. 2003) (taking judicial notice of information from the website of the National Personnel Records Center), it cannot conclude that they prove that IIT is a financial institution subject to Title V of the GLBA.

As an initial matter, the Federal Student Aid Office's conclusion that Title IV participants are subject to Title V of the GLBA is not entitled to deference, as the U.S. Department of Education has not been given rulemaking or enforcement authority with respect to the statute. See 15 U.S.C. §§ 6804-6805; 86 Fed.Reg. at 70,020; see also United States v. Mead Corp., 553 U.S. 218, 226-27 (2001) (“[Administrative implementation of a particular statutory provision qualifies for [Chevron, USA, Inc. v. Nat. Res. Def. Council, Inc., 467 U.S. 837 (1984)] deference when it appears that Congress delegated authority to the agency generally to make rules carrying the force of law, and that the agency interpretation claiming deference was promulgated in the exercise of that authority.”); Vulcan Constr. Materials, L.P. v. Fed. Mine Safety & Health Rev. Comm'n, 700 F.3d 297, 312 (7th Cir. 2012) (“Under [Skidmore v. Swift & Co., 323 U.S. 134 (1944)], a court will respect an agency's interpretation of the statute it administers, but only to the extent that the agency's interpretation possesses the ‘power to persuade.'” (emphasis added) (quoting Skidmore, 323 U.S. at 140)). Moreover, the fact that IIT is a participant in federal student aid programs does not, by itself, establish that IIT is regularly extending or administering student loans. To reach that conclusion, the Court requires further factfinding concerning IIT's lending activities. For example, the Court does not yet know how many IIT students receive federal student aid, whether IIT itself makes loans to its students, or the nature and extent of IIT's involvement with respect to its students' loans (federal or otherwise). Consequently, the Court cannot conclude at the motion to dismiss stage that IIT is an institution of higher education that regularly makes and administers student loans such that it qualifies for BIPA Section 25(c)'s exemption for financial institutions subject to Title V of the GLBA.

In sum, the Court concludes that BIPA's Section 25(c) applies to institutions of higher education that are significantly engaged in financial activities, such as making or administering student loans. Nonetheless, whether IIT qualifies for BIPA's exemption presents a question of fact better addressed at a later stage in the proceedings. For that reason, IIT's motion to dismiss is denied.

CONCLUSION

For the foregoing reasons, IIT's motion to dismiss (Dkt. No. 16) is denied.


Summaries of

Fee v. Ill. Inst. of Tech.

United States District Court, Northern District of Illinois
Jul 15, 2022
21-cv-02512 (N.D. Ill. Jul. 15, 2022)
Case details for

Fee v. Ill. Inst. of Tech.

Case Details

Full title:DANIEL FEE, individually and on behalf of all others similarly situated…

Court:United States District Court, Northern District of Illinois

Date published: Jul 15, 2022

Citations

21-cv-02512 (N.D. Ill. Jul. 15, 2022)

Citing Cases

Harvey v. Resurrection Univ.

Fed. Trade Comm'n, Privacy of Consumer Financial Information, Final Rule, 65 Fed.Reg. 33,648 (May 24, 2000).…