One good thing that occurred during the pandemic was the expansion of telehealth. Telehealth existed already and probably would have been expanding anyway, but patient willingness to get care from home instead of risking exposure from an in-person visit paired well with provider interest in not going to or even having to maintain an office. As technology has expanded, the range of telehealth services available now includes some pretty cool stuff. For instance, a patient with a cochlear implant can be across the country from her providers with a laptop installed with special software and provide enough audiological data to facilitate the diagnosis of a post-implant hearing deficit.
By contrast, one of several dark sides of technology is how it can impinge on personal privacy. Data breaches of electronic medical records or other protected health information are scary, but there are many potential nefarious infringements. A few years ago, a popular smartphone app developed in Russia generated age progression images based on scanning a user’s face. If the scanned image was retained, then an unscrupulous possessor of the image could put it to bad use. The same goes for scanned images of fingerprints and retinas. Way back in 2008, Illinois enacted a Biometric Information Privacy Act (“IBIPA”) largely because of concern about the ramifications of “biometric-facilitated financial transactions, including finger-scan technologies at grocery stores, gas stations, and school cafeterias.” 740 ILCS 14/5(b). The idea was that “public welfare, security, and safety [would] be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” 740 ILCS 14/5(g). To help send the message, a private right of action for “aggrieved” people without any proof of injury was created.
We are not fans of consumer fraud-type class action litigation in part because an injury should be a predicate to civil recovery. Not only are there constitutional limits on justiciability, there is common sense. Personal injury plaintiffs, even those seeking medical monitoring, business tort plaintiffs, and just about every other civil plaintiff have to show a tangible physical or economic injury. To paraphrase Palsgraf, an injury in the air will not do. There is an exception to that when it comes to states that sue on behalf of their citizens in parens patriae actions. Although those cases have their own issues, at least they are not—or should not be—a vehicle to make professional plaintiffs and plaintiff lawyers lots of money over no actual losses. Of course, a harm to a civil right counts even if there is no accompanying physical injury or economic damages. Assuming here that there is still a right to privacy in the post-Dobbs world of diminished substantive due process—statutes and state constitutions can be a basis, at a minimum—one can see how another obtaining your private information without your permission would merit redress even without, for instance, reputational damage.
In Marino v. Gunnar Optiks LLC, 2024 IL App. (1st) 231826 (Ill. App. Aug. 30, 2024), the intermediate appellate court in Illinois ruled on a narrow appeal in a purported class action brought under IBIPA. From our perspective, the ruling has potentially broader implications for telemedicine and medical device manufacturers. The facts are not terribly complicated. A plaintiff claimed to have used the defendant’s website to shop for both prescription glasses and non-prescription glasses. The website used some sort of facial scanning to aid in fit and selection. Because the lawsuit was ginned up, there is no information in the opinion about whether plaintiff purchased any glasses or was somehow duped into using the facial scanning feature. Instead, there is a bare allegation that the defendant’s software collected her “biometric identifiers and biometric information” and violated certain provisions of IBIPA, presumably by its disclosure and retention practices, although she certainly could not have known anything about the latter. IBIPA exempts from its requirements “information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payments or operations under [the federal privacy statute] HIPAA.” The court below dismissed the IBIPA claims as to the prescription glasses but not as to the non-prescription sunglasses based on its determination of the scope of the exemption. The manufacturer’s certified appeal was on the limited issue of whether “an individual who tries on non-prescription sunglasses utilizing a virtual try-on tool that captures certain biometric information considered a patient in a health care setting” under IBIPA.
At first glance, you might think “people buy non-prescription sunglasses at gas stations too, so nothing about buying them on-line would make the process health care.” Or, if you were a lawyer with some knowledge of the regulation of medical devices, you might think “sunglasses are a medical device, so their use is a kind of healthcare and purchasing them with facial scanning occurs in a healthcare setting.” The Marino court’s analysis supporting its affirmance—that is, the use of the virtual try-on tool for non-prescription sunglasses was not exempt under IBIPA—largely turned on principles of statutory interpretation and which dictionary definitions made sense to the court. With all due respect to the panel and the Illinois legislature, we do not find that part of the decision terribly interesting.
[T]he health care exclusion applies, in our view, where what would otherwise be biometric identifiers are taken from an individual who is presently awaiting or receiving medical care in a time, place, or circumstance where efforts are being made to maintain, restore, or promote that individual’s well-being, especially as performed by trained and licensed professionals. In light of the broad current use of telehealth, the setting itself might be almost anywhere but the definition is limited by the requirement that the individual is awaiting or receiving medical care and the information is being collected as part of an effort to maintain or restore or promote that person’s well-being.
2024 IL App. (1st) 231826, *29. Sunglass shoppers are not covered by this exemption “because they are not presently awaiting or receiving medical care.” Id. at *30.
That seems a bit presumptuous and short-sighted—pun possibly intended—to us. What if the facial scan helps determine which sunglasses will best limit light to the eye of a person whose migraines are triggered by bright light? What if the shopper used the scan to help get prescription glasses—the exemption for which was not challenged on appeal—with the assistance of a healthcare professional and then proceeded to also get non-prescription sunglasses with gratuitous assistance from a healthcare professional? What if someone with prescription contact lenses consulted the website for prescription glasses, decided to stick with contacts, and then got non-prescription sunglasses that worked well with the contacts? That is the presumptuous part. The short-sighted part is that encouraging telehealth is good public policy and discouraging it is not. Good healthcare will often involve treating the whole patient, and not just the specific issue for which the patient sought care. In other words, not all beneficial interaction that a healthcare provider has with a patient will be precisely “medical care,” such as where a non-mental health provider helps support emotional well-being along with care directed to a condition within her specialty. It would be perverse for the requirements of and potential liability under something like IBIPA to apply to a healthcare professional’s capture or use of biometric information in an appointment that did not stick to the purely medical.
In reaching its conclusion, the Marino court elected not to follow three contrary Northern District of Illinois decisions on virtual try-on software for non-prescription eyewear. Part of what those cases found persuasive was that non-prescription sunglasses are regulated as medical devices by FDA. Marino rejected the importance of that fact because sunglasses are Class I medical devices, like adhesive bandages, crutches, and toothbrushes, which the court did not consider sufficiently medical to count. Id. at *38. Not to be too pedantic, but the qualifier “medical” is in the terms “Class I medical device,” “Class II medical device,” and “Class III medical device.” One of the parts of the definition of “medical device” under the FDCA is that the device is “intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease.” Adhesive bandages, crutches, and toothbrushes clearly meet that definition. If a scan is used to determine the correct crutch height or underarm shape for a patient after a surgery, that sounds like a medical use. If a patient is directed to take a digital photograph of a wound so that the healthcare provider can recommend what over-the-counter adhesive bandage would work best, that sounds like a medical use. We could go on.
It is worth noting that the sentence in IBIPA right after the sentence the court analyzed states that “Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.” 740 ILCS 14/10. Thus, the examples above would be exempt from IBIPA according to IBIPA language that the Marino court did not mention. Treating everything remotely connected to health as medical care has its own problems, for sure. However, there should be a balance between encouraging the use of biometric information in ways that are good for society and limiting the improper use of such information without consent. Throwing in potential class action liability for purported breaches that cause no actual harm does not help with that balance.