The District Court for the Northern District of California recently issued what could be a very significant decision on a number of important digital law issues. These include: the enforceability of “clickwrap” as compared to “web wrap” website terms of use, the enforceability of a choice-of-law provision in such terms of use, and a preliminary interpretation of the Illinois Biometric Information Privacy Act (BIPA). In its opinion, the court found Facebook’s terms of use to be enforceable, but declined to enforce the California choice of law provision and held that the plaintiffs stated a claim under BIPA. (See In re Facebook Biometric Information Privacy Litig., No. 15-03747 (N.D. Cal. May 5, 2016)).

As a result, the ruling could affect cases involving the enforceability of terms of use generally, and certainly choice of law provisions commonly found in such terms. The court’s interpretation of BIPA is likely to be a consideration in similar pending biometric privacy suits. The decision should also prompt services to review their user agreements or otherwise reexamine their legal compliance regarding facial recognition data collection and retention.

As we noted in a prior post, Facebook has been named as a defendant in a number of lawsuits claiming that its facial recognition-based system of photo tagging violates BIPA. Plaintiffs generally allege that Facebook’s Tag Suggestions program amassed users’ biometric data without notice and consent by using advanced facial recognition technology to extract biometric identifiers from user photographs uploaded to the service. The various Illinois-based suits were eventually transferred to the Northern District of California and consolidated.

In its motion to dismiss the consolidated action, Facebook argued that the plaintiffs failed to state a claim under BIPA and that the California choice-of-law provision in its user agreement precluded the application of the Illinois statute.

As an initial matter, the court ruled that Facebook’s user agreement was enforceable because the plaintiffs assented to the terms when they initially signed up for Facebook, and also agreed to the current user agreement after having continued to use Facebook after receiving notice of the current terms. Before reaching its conclusion, however, the court took some potshots at Facebook’s online contracting process. While the exact methods of electronic contracting for each of the multiple plaintiffs were slightly different, the court examined most closely the method in use for the plaintiff Licata: “By clicking Sign Up, you are indicating that you have read and agree to the Terms of Use and Privacy Policy,” with the terms of use presented by a conspicuous hyperlink. Expressing its skepticism of this relatively common method of online contracting, the court found that the use of a single “Sign Up” button to activate an account and accept the terms (as opposed to a separate clickbox to manifest the user’s assent to the terms that is distinct from the “Register” button) “raises concerns about contract formation.” In the end, the court conceded that Ninth Circuit precedent “indicated a tolerance for the single-click ‘Sign Up’ and assent practice,” and that the Ninth Circuit itself had cited with approval a decision from the Southern District of New York that had found enforceable Facebook’s contracting process. The court also commented that the dual-purpose box the plaintiff Licata had to click, located alongside hyperlinked terms, was “enough to create an enforceable agreement” – different enough from certain “web wrap” or “browsewrap” scenarios where a website owner attempts to impose terms upon users based upon mere passive viewing of a website.

However, despite upholding Facebook’s electronic contracting process, the court declined to enforce the California choice-of-law provision in the user agreement and applied Illinois law because it found that Illinois had a greater interest in the outcome of this BIPA-related dispute.

As to the substantive arguments, the court found Facebook’s contention that BIPA excludes from its scope all information involving photographs to be unpersuasive. In essence, BIPA regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information. While the statute defines “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” it also specifically excludes photographs from that definition. Facebook (and even Shutterfly in its attempt to dismiss a similar suit regarding its photo tagging practices) attempted to use this tension or apparent ambiguity within the statute to escape its reach. However, viewing the statute as a whole, the court stated that the plaintiffs stated a claim under the plain language of BIPA:

“Read together, these provisions indicate that the Illinois legislature enacted BIPA to address emerging biometric technology, such as Facebook’s face recognition software as alleged by plaintiffs…. ‘Photographs’ is better understood to mean paper prints of photographs, not digitized images stored as a computer file and uploaded to the Internet. Consequently, the Court will not read the statute to categorically exclude from its scope all data collection processes that use images.”

The court also rejected Facebook’s argument that the statute’s reference to a “scan of hand or face geometry” only applied to in-person scans of a person’s actual face (such as during a security screening) and that creating faceprints from uploaded photographs does not constitute a “scan of face geometry” under the statute. The court found this “cramped interpretation” to be against the statute’s focus and “antithetical to its broad purpose of protecting privacy in the face of emerging biometric technology.”

However, in allowing the suit to go forward, the court cautioned that discovery might elicit facts that could change the outcome:

“As the facts develop, it may be that “scan” and “photograph” with respect to Facebook’s practices take on technological dimensions that might affect the BIPA claims. Other fact issues may also inform the application of BIPA. But those are questions for another day.”

This makes the second court that has refused to shelve a BIPA-related case at the motion to dismiss stage (the first being the Illinois court in Norberg v. Shutterfly, a dispute that was settled this past April). The Facebook decision is notable in that the court refused to categorically rule that photo tagging, a function offered by multiple tech companies, fell outside the ambit of BIPA. Companies that offer online or mobile services that involve the collection of covered biometric information will ultimately have to decide how to react to this latest ruling, perhaps considering changes to their notice and consent practices, or deciding to not collect or store biometric data at all, or else take a wait and see approach as the Facebook litigation proceeds.

We will continue to closely watch the ongoing litigation, developments and best practices surrounding biometric privacy.