A recent federal court decision raises questions about the enforcement of contractual choice‑of‑law provisions in the context of a case brought under Illinois’s Biometric Information Privacy Act (BIPA).
In Hartman, et al. v. Meta Platforms, Inc., the U.S. District Court for the Southern District of Illinois denied Meta’s motion for summary judgment seeking to apply California law—rather than Illinois law—to a putative BIPA class action. The ruling reinforces a growing body of case law holding that Illinois courts will not enforce choice‑of‑law clauses when doing so would undermine the state’s fundamental biometric privacy protections and the public policy underlying them.
The Case at a Glance
The plaintiffs alleged that Meta improperly collected and stored their biometric identifiers and biometric information through Facebook Messenger and Messenger Kids. According to the complaint, Meta failed to provide the disclosures and obtain the written consents required by BIPA.
Meta argued that the choice of law analysis should begin and end with its Terms of Service, which states that California law governs any claims between Meta and its users, and since all users must agree to those terms to access Meta’s products, Meta contended that California law applied and therefore BIPA would not apply to the alleged conduct.
Applying Illinois’s choice‑of‑law framework, the court asked two key questions:
- Would applying California law violate a fundamental public policy of Illinois?
- Does Illinois have a materially greater interest in the dispute than California?
On both points, the court sided with the plaintiffs.
BIPA Reflects a Fundamental Illinois Public Policy
The court emphasized that BIPA embodies a core Illinois public policy: protecting individuals’ control over their biometric information. The Illinois legislature enacted BIPA in recognition that biometric identifiers—such as facial geometry and fingerprints—are uniquely sensitive. Unlike passwords, biometrics are immutable; once compromised, they cannot be changed. The resulting risk of identity theft and long‑term harm, the court noted, is precisely what BIPA was designed to prevent.
Meta argued that no true policy conflict existed because California’s Consumer Privacy Act (CCPA) is “California’s legislative analog to BIPA” and reflects a similar commitment to privacy. The court rejected that comparison for two critical reasons.
First, the CCPA applies only to California residents. If California law governed the dispute, Illinois residents would lose statutory biometric protections altogether. Second, the CCPA does not provide a private right of action for biometric privacy violations (outside of narrow data‑breach scenarios). By contrast, BIPA’s private right of action is central to its enforcement scheme and was intended to have “substantial force” as both a deterrent and a remedial mechanism.
In the court’s words, applying California law would “rob Plaintiffs of control over their individual biometric information” and realize the very harm the Illinois legislature sought to prevent.
Illinois’s Interest Outweighs California’s
The court also concluded that Illinois has a materially greater interest in the litigation than California. While California has a legitimate interest in providing predictability for companies headquartered within its borders, that interest did not outweigh Illinois’s interest in protecting its residents’ statutory privacy rights (which, according to the court, the application of California law would negate).
As the court explained, the welfare of state residents generally carries more weight than the contractual expectations of a national corporation. Meta’s California domicile, standing alone, was insufficient to tip the balance—particularly where the alleged injuries were suffered by Illinois residents and implicated a statute specifically enacted for their protection.
Key Takeaways for Companies Handling Biometric Data
This decision adds to a growing consensus: companies cannot rely on boilerplate choice‑of‑law provisions to sidestep BIPA.
Several lessons stand out:
- Choice‑of‑law clauses are not bulletproof. Courts will closely scrutinize these provisions, especially in adhesion contracts, when their enforcement would undermine fundamental state policies.
- BIPA’s private right of action matters. The absence of an equivalent enforcement mechanism in another state’s law can be outcome‑determinative in the choice‑of‑law analysis.
- State interests trump corporate domicile. A company’s headquarters location will not outweigh the interest of a state in enforcing legislation designed to protect its residents.
With Illinois law now confirmed as governing, the case will proceed to the merits of the plaintiffs’ BIPA claims. For companies that collect or use biometric data nationwide, the message is unmistakable: compliance with BIPA cannot be contracted away.