Amazon has turned aside another attempt to use Illinois’ stringent biometrics privacy law to extract a potentially big payout from the company, after a federal appeals court again shut down a class action lawsuit over claims Illinois’ residents voices were allegedly wrongly recorded when financial services firm John Hancock used Amazon Web Services and another company to verify customers’ identities over the phone.
In the ruling, the appeals court judges said they were joining with other courts in limiting the reach of the Illinois Biometric Information Privacy Act (BIPA), determining the BIPA law can’t be used to sue companies anytime an Illinois resident or someone located in Illinois engages in e-commerce anywhere.
On May 12, a three-judge panel of the U.S. Third Circuit Court of Appeals in Philadelphia agreed a federal district judge in Delaware had been correct to dismiss the lawsuit.
The case had landed at the Third Circuit following a long and winding procedural history.
The case was first filed in 2019 in Madison County Circuit Court by attorneys with the firm of Schlichter Bogard & Denton, of St. Louis.
The case sought a potentially big payout from Amazon Web Services, the cloud infrastructure hosting arm of the Amazon family of companies. AWS offers companies web-hosting and computing power space to companies that lack the ability to invest in their own digital infrastructure.
According to some published estimates, AWS accounts for as much as 40% of the cloud infrastructure market and hosts 6% of all global websites, including some of the world’s busiest platforms.
The lawsuit was filed on behalf of named plaintiffs, identified as Christine McGoveran, of Wood River in Madison County; Joseph Valentine, of Antioch, in Lake County; and Amelia Rodriguez, of Chicago, in Cook County.
However, the plaintiffs sought to expand the action to include potentially thousands of others with similar claims.
The lawsuit centered on claims lodged by the plaintiffs that AWS and a voice identity verification company, Pindrop Security, had improperly recorded their voices when they called financial services firm, John Hancock.
According to court documents, the calls were routed to John Hancock through servers, reportedly located in Virginia. At that point, court documents said Pindrop’s software was used to verify their identities using their spoken voices, allegedly recorded over the phone.
Neither Pindrop nor John Hancock were named as defendants in that version of the lawsuit.
According to the complaint, the plaintiffs claimed that alleged recording violated the BIPA law. Specifically, the lawsuit accused the companies of allegedly violating BIPA’s requirements that companies obtain expressed consent and provide notice before scanning their so-called biometric identifiers, which can include voice recordings or so-called “voiceprints.”
Under the BIPA law, the plaintiffs demanded payments of up to $5,000 per alleged violation. When multiplied across thousands of potential class members, the total could quickly run into the many millions of dollars.
The lawsuit was transferred to Southern Illinois federal district court, where a judge dismissed the case “because the only activity occurring in Illinois was Plaintiffs’ use of their phones,” according to the Third Circuit’s ruling.
The plaintiffs then filed a substantially similar complaint in federal court in Delaware, this time adding Pindrop as a co-defendant. The federal judge in Delaware dismissed both that new lawsuit and an amended version.
In those rulings, U.S. District Judge Stephanos Bibas found Pindrop couldn’t be sued under an exception in the BIPA law exempting companies engaged in financial services from lawsuits.
And the judge said the claims against AWS must also be tossed under “extraterritoriality grounds.” The judge essentially ruled the Illinois BIPA law can’t be used to sue companies for alleged conduct that occurs outside of Illinois’ state boundaries.
The plaintiffs then appealed to the Third Circuit, but their lawsuit met with the same fate.
Judge David J. Porter wrote the court’s opinion. Judges Tamika Montgomery-Reeves and Emil J. Bove concurred in the decision.
The judges agreed that the claims against Pindrop can’t get past the financial services exception.
And the judges agreed that the reach of the Illinois law should be restrained. They noted their reasoning is in line with the findings of federal appeals court in the Chicago-based U.S. Seventh Circuit Court of Appeals and the San Francisco-based Ninth Circuit.
They said the case comes down to the question of whether “Amazon’s alleged misconduct … ‘occurred primarily and substantially in Illinois.'”
And in this case, the judges said, the evidence shows it did not, even if Illinois residents originated their calls in Illinois.
“Plaintiffs argue that the District Court erred by focusing on ‘the geographic location of Amazon’s servers rather than the location of the harmed Plaintiffs.'” the Third Circuit judges wrote. “But the District Court’s emphasis was spot on. Amazon had no interaction with Illinois whatsoever. Amazon received calls (routed from AT&T) on its servers in Northern Virginia. From there, it sometimes asked Pindrop, a Georgia company, to authenticate those calls using the caller’s voiceprint.
“Then it sent reports and connected calls to John Hancock, a Massachusetts company. No Amazon employee in Illinois had access to any biometric data and Amazon did not store any biometric identifiers. Even if it had stored biometric identifiers, it could not have done so in Illinois because the relevant servers were in Virginia.”
AWS was represented in the case by attorneys with the firm of Morgan Lewis & Bockius, with offices in Chicago, New York and other cities.
In a blog post following the ruling, the Morgan Lewis & Bockius firm said: “The (Third Circuit’s) decision provides important guidance for companies relying on cloud-based call center platforms, customer-authentication tools, and other voice-enabled technologies, reinforcing that a plaintiff’s presence in Illinois alone is insufficient to bring out-of-state technology activity within BIPA’s reach.”
