Opinion
21 C 3001
11-04-2022
MEMORANDUM OPINION AND ORDER
Robert W. Gettleman United States District Judge
Plaintiff Cody Powell, a student at DePaul University, on behalf of himself and all others similarly situated, brought a First Amended Putative Class Action Complaint (“complaint”) against defendant DePaul in the Circuit Court of Cook County, Illinois, alleging that defendant's use of Respondus Monitor, an online remote proctoring tool designed and administered by Respondus Inc., violates Illinois' Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et. seq., by capturing, using, and storing students' facial recognition and other biometric identifiers and biometric information. Defendant removed the case to this court and then moved to dismiss under Fed.R.Civ.P. 12(b)(6) for failure to state a claim, arguing that BIPA's express terms specify that it does not apply to financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”) and rules promulgated under that Act. Because defendant participates in the U.S. Department of Education's Federal Student Aid Program, it is considered a financial institution subject to Title V of the GLBA. As a result, BIPA does not apply and defendant's motion to dismiss is granted.
Neither party has included a summary of the allegations of the complaint in any of the six briefs filed with respect to the pending motion. Although this court has deprecated this practice in the past as poor lawyering, it is somewhat understandable in the instant case, which presents a purely legal argument. Nonetheless, a brief description of the complaint would have been helpful.
According to the complaint, defendant is a private university located in Chicago, Illinois. It offers undergraduate and graduate programs to more than 21,000 students both in person and through online learning programs. In offering online courses, defendant requires that many student exams be conducted using the Respondus Monitor online proctoring tool. According to plaintiff, Respondus Monitor “captures, uses, and stores vast amounts of data, including facialrecognition data, facial detection data, recorded patterns of keystrokes, eye monitoring data, gaze monitoring data, and camera and microphone recordings to effectively surveil students taking online exams.” Plaintiff alleges that defendant does not disclose or obtain written consent before collecting, capturing, storing, or disseminating user's biometric data, and fails to disclose what it does with that biometric data after collection, in violation of BIPA's retention and destruction requirements.
DISCUSSION
Defendant has moved under Fed.R.Civ.P. 12(b)(6) to dismiss the complaint for failure to state a claim. Such a motion challenges the sufficiency of the complaint, not its merits. Fed.R.Civ.P. 12(b)(6); see Gibson v. City of Chi., 910 F.2d 1510, 1520 (7th Cir. 1990). To survive a Rule 12(b)(6) motion, the complaint must not only provide the defendant with fair notice of a claim's basis but must also be facially plausible. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009); see also Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678. “A motion under Rule 12(b)(6) can be based only on the complaint itself, documents attached to the complaint, documents that are critical to the complaint and referred to in it, and information that is subject to proper judicial notice.” Geinosky v. City of Chicago, 675 F.3d 743, 745 n. 1 (7thCir. 2012).
BIPA was enacted “to help regulate the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” Rosenbach v. Six Flags Ent. Corp., 129 N.E. 3d 1197, 1203 (Ill. 2019). It imposes numerous restrictions on how private entities collect, retain, disclose, and destroy such information. Id. at 1199. Section 25 (c) of the act provides, however, that “[n]othing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the Gramm-Leach-Bliley Act of 1999 and the rule promulgated thereunder.” 740 ILCS 14/25(c). “BIPA does not apply to financial institutions already subject to GLBA.” Staffer v. Innovative Heights Fairview Heights, LLC, 480 F.Supp.3d 888, 903 (S.D. Ill. 2020).
Defendant argues that, like all other colleges and universities with federally authorized financial aid programs, it is a financial institution that is subject to Title V of the GLBA and must comply with its implementing rules. Title V regulates how financial institutions treat nonpublic personal information about consumers. 15 U.S.C. §§ 6801-09. The GLBA defines a financial institution as “any institution the business of which is engaging in financial activities.” Id. at 6809(3)(A).
To support its argument that it is a financial institution subject to the GLBA, defendant notes that both the Federal Trade Commission (“FTC”) and the Department of Education (“DOE”) have recognized that institutions of higher education such as defendant are considered financial institutions under the GLBA and must comply with it and the rules enacted thereunder. In February 2020, the DOE issued public guidance reiterating that the GLBA required financial institutions to have information privacy protections, and that the FTC “has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA.” DOE letter of Feb. 28, 2020, regarding “Enforcement of Cybersecurity Requirements under the Gramm-Leach-Bliley Act.”In 2000, the FTC, when it had both enforcement and rulemaking authority under the GLBA, issued its “Privacy of Consumer Financial Information, Final Rule, 65 Fed.Reg. 33,648 (May 24, 2000), indicating that it considered colleges and universities to be financial institutions where “such institutions appear to be significantly engaged in lending funds to consumers.”
Available at: https://fsapartners.ed.gov/knowledge-center/library/electronic-announcements/2020-02-28/enforcement-cybersecurity-requirements-under-gramm-leach-bliley-act.
At the request of Judge Dow (to whom this case was originally assigned), the parties have presented extensive arguments as to whether these agency statements are entitled to deference under Chevron v. National Resource Defense Counsel, 460 U.S. 837 (1984) and its progeny. Despite the fact that at the time of its statement the FTC had both enforcement and rulemaking authority, the parties agree that the statements are not entitled to Chevron deference because they appear in letters and responses to public comments. Nonetheless, the statements of these agencies are entitled to careful consideration and have the power to persuade because they are thorough and well-reasoned. See Skidmore v. Swift & Co., 323 U.S. 134, 140 (1944). The court finds the FTC's position, issued at a time that it had both enforcement and rulemaking authority, particularly persuasive because it evidences longstanding, consistent, and well-reasoned interpretation of the statute that it had been tasked to administer.
Moreover, in 2010, the Dodd-Frank Act transferred general Title V rulemaking authority to the Consumer Financial Protection Bureau (“CFPB”). 112 U.S.C. § 5512(b). In 2011 the CFPB adopted and republished the privacy rules originally promulgated by the FTC. Both rules state that “[a]ny institution of higher education that complies with the Federal Educational Rights and Privacy Act (FERPA), 20 U.S.C. 1232g, and its implementing regulations, 34 CFR part 99, and that is also a financial institution described in § 1016.3(1)(3) of this part, shall be deemed to be in compliance with this part if it is in compliance with FERPA.” 12 C.F.R. § 1016.3(1)(3)(i). Section 1016.3(1)(3) provides that “financial institution means any institution the business of which is engaging in financial activities .... For purposes of this paragraph (1)(3), an institution that that is significantly engaged in financial activities is a financial institution.”
At least five courts have reached this exact issue and all have concluded that the exemption in BIPA section 25(c) applies to institutions of higher education that are significantly engaged in financial activities such as making or administering student loans. In Deurr v. Bradley University, 2022 WL 1487747 at *6-7, (C.D. March 10, 2022), Judge Darrow concluded that under Illinois' rules of statutory construction the GLBA's definition of financial institution applies to section 25 of BIPA, and that defendant Bradley University fell within that definition as a result of its participation in the federal student aid programs requiring GLBA compliance. Judge Lefkow reached the same conclusion in Doe v. Northwestern University No. 21-cv- 1579 Dkn. No. 31 at 3 (N.D. Ill. Feb. 22, 2022). See also Doe v. Elmhurst Univ., 2020 L 1400 (Ill. Cir. Ct. Nov 18c, 2021). In Patterson v. Respondus, Inc., 2022 WL 7100547 (N.D. Ill. October 11, 2022), the court concluded that institutions of higher education that are significantly engaged in financial activities such as making or administering student loans would qualify as a financial institution within the meaning of the GLBA and are exempt under BIPA, but denied the defendant university's motion to dismiss because the facts presented did not establish that the university itself was “significantly” engaged in lending funds to consumers. Id. at * 9. Judge Wood reached the same conclusion in Fee v. IIT, 2022 WL 2791818 at * 5 (N.D. Ill. July 15, 2022).
In the instant case, plaintiff admits that the publicly available documents of which the court has taken judicial notice, including defendant's Participation Agreement with the DOE, confirm that defendant “engages in student aid and lending funds.” He argues that the documents do not establish that the “business of defendant is engaging in financial activities.” Instead, plaintiff argues that the business of defendant is higher education. Each of the cases cited above rejected this argument, and this court also rejects it. As noted in Patterson, “CFPB regulations include examples that suggest the word ‘significantly' means something less than primary,” the definition that plaintiff suggests. Patterson, 2022 WL 7100547 at *8. Consequently, because the documents presented show that defendant participates in the federal student aid programs and provides direct loans to consumers, the court concludes that defendant is a financial institution subject to Title V of the GLBA and exempt from BIPA.
Finally, again at Judge Dow's request, the parties briefed whether the exemption in § 25 constitutes an affirmative defense. Plaintiff argues that it does, presumably because plaintiffs generally are not required to plead around affirmative defenses. Richards v. Mitcheff, 696 F.3d 635, 637 (7th Cir. 2012). Even if plaintiff is correct, the Seventh Circuit has held that “a 12(b)(6) dismissal based on an affirmative defense is appropriate only where the defense is conclusively established by the complaint, concessions made by the plaintiff, or any other material appropriate for judicial notice.” In the instant case, the materials presented to the court by defendant showing its participation the federal student aid programs are not challenged by plaintiff. Those materials, of which the court takes judicial notice, demonstrate that the exemption in § 25 applies. Consequently, the court grants defendant's motion to dismiss.
CONCLUSION
For the reasons described above, defendant's motion to dismiss [41] is granted.