Biometric Information Privacy Act
McGoveran v. Amazon Web Services Inc.
Date: May 12, 2026
Issue: Whether Pindrop Security Inc. qualifies as a financial institution exempt from biometric privacy claims under Illinois Biometric Information Privacy Act (BIPA).
Case Summary: In a unanimous decision, a Third Circuit panel affirmed dismissal of a class action against Amazon Web Services Inc. and Pindrop Security Inc., holding that Pindrop qualifies as a financial institution exempt from BIPA claims related to biometric data.
Enacted in 2008, BIPA regulates collection, use, storage, retention, and disclosure of biometric identifiers and information by private entities in Illinois, subject to certain statutory exemptions.
In 2019, a class of Illinois residents (Plaintiffs) sued Amazon Web Services and Pindrop after calling financial services company John Hancock. John Hancock routed those calls through Amazon Connect, a service supported by Amazon and Pindrop, and used voice-recognition technology to authenticate callers based on voiceprints. Plaintiffs alleged Amazon and Pindrop collected and used biometric data without obtaining required consent under Sections 15(a)–(d) of BIPA.
Amazon removed the case to federal court, where the Southern District of Illinois dismissed for lack of personal jurisdiction, finding that relevant conduct in Illinois was limited to Plaintiffs’ phone use. Plaintiffs then filed a similar action in the District of Delaware, which dismissed the case on the ground that BIPA does not apply extraterritorially because it lacks clear language extending beyond Illinois.
After Plaintiffs amended their complaint, the District of Delaware dismissed all claims against Pindrop under BIPA’s financial institution exemption and dismissed all claims against Amazon except a Section 15(b) claim alleging collection of biometric data without written consent. Following a second amended complaint, the court granted summary judgment to Amazon.
On appeal, the panel affirmed dismissal of claims against Pindrop. The panel explained that BIPA incorporates the Gramm-Leach-Bliley Act’s definition of a financial institution, which includes entities engaged in activities closely related to banking. Because Federal Reserve regulations classify identity-authentication services used in financial transactions as closely related to banking, and because Plaintiffs alleged that Pindrop authenticated John Hancock customers during financial account calls, the panel held that Pindrop qualifies for the exemption.
The panel rejected Plaintiffs’ arguments that Pindrop functioned only as a technology provider, that the district court improperly relied on facts outside pleadings, and that the exemption could not be resolved at the motion-to-dismiss stage.
The panel also affirmed summary judgment for Amazon. It held that BIPA does not apply where alleged conduct occurs primarily outside Illinois. The panel emphasized that Amazon processed calls on servers in Northern Virginia, Pindrop conducted authentication services from Georgia, and John Hancock operated from Massachusetts. Because Plaintiffs failed to show that alleged misconduct occurred primarily and substantially in Illinois, the panel concluded that BIPA’s extraterritoriality doctrine bars the claims.
Finally, the panel affirmed dismissal with prejudice of Plaintiffs’ Section 15(d) claim after Plaintiffs reasserted it in their second amended complaint.
Bottom Line: The panel held that Pindrop qualifies for BIPA’s financial institution exemption and that BIPA does not apply where alleged biometric data collection occurs primarily outside Illinois.
Document: Opinion
