No Arbitration for OfferUp Vendor Accused of Violating Biometric Privacy Law

A London-based technology vendor that supplied face-recognition software to the OfferUp app cannot force a plaintiff to arbitrate his claim that the technology violated Illinois’ biometric privacy law, a federal appellate court ruled.

A panel of the 7th Circuit Court of Appeals decided on Wednesday that Onfido Inc. could not piggyback onto a provision in OfferUp’s terms of service agreement that requires customers to resolve any disputes against the company through binding arbitration. The three circuit judges said in the ruling that Onfido was not named in the terms of service and offered no evidence that it relied on OfferUp’s customer agreement when it conducted business.

“A nonsignatory to a contract typically has no right to invoke an arbitration provision contained in that contract,” the opinion says.

Chicago-area resident Fredy Sosa filed the class action complaint against Onfido in Cook County court, but it was removed to the U.S. District Court of Illinois. He alleges that the tech vendor violated the Illinois Biometric Information Privacy Act, which prohibits businesses from storing biometric data, such as fingerprints or the shape of a person’s face, without the customer’s written permission.

Onfido’s complaint says he was prompted to upload a photograph of himself and his driver’s license when he created an account on OfferUp, an app that is used to buy and sell merchandise. He says the company did not inform him that his photo would be transmitted to a “Known Faces” database maintained by Onfido, where it would be compared to hundreds of thousands of other faces. He is seeking to be the lead plaintiff in a class-action lawsuit that would seek redress for all OfferUp customers whose rights were similarly violated.

The lawsuit says the Illinois biometric privacy law also establishes standards for companies that store biometric information. One of those standards is a requirement that the company disclose how long it will store the data, in addition to how it will be used.

Although the Illinois biometric privacy law was passed in 2008, the number of lawsuits filed for alleged violations exploded after the Illinois Supreme Court ruled in 2019 that the mere fact that there was a violation of the law gives a plaintiff standing to file a lawsuit, according to a blog post by Mark Olthoff, a shareholder with the Polsinelli law firm in Kansas City, Missouri.

A 2020 Illinois appellate court decision dragged insurers into the fracas. The court ruled that an insurer was required to defend a policyholder from a biometric privacy lawsuit under the general liability provision in the policy, Olthoff said.

The Claims Journal reported in May the Illinois Supreme Court ruled that West Bend Mutual Insurance Co. was required to cover an award of damages for privacy violations by an insured tanning salon.

Sosa’s lawsuit against Onfido is still in preliminary stages. No insurer is mentioned in the pleadings so far, but the appellate court ruling will move the case toward trial.

Onfido appealed after U.S. District Judge Marvin E. Aspen on Jan. 5 denied the company’s motion to compel arbitration of Sosa’s claim.

The company argued that the terms of service agreement approved by Sosa protected third-party service providers. Also, the company said it was protected because it was acting as an agent for OfferUp.

Aspen disagreed, saying that the arbitration provision mentioned OfferUp, but didn’t anything about other providers.

“We agree with the district court in all respects,” the 7th Circuit opinion says.

Attorneys for the parties did not respond to requests for comment on Friday.