One decision, two far-reaching effects. This aptly describes the Supreme Court’s Jan. 21, 2020, decision to deny Facebook’s writ of certiorari in Patel v. Facebook Inc. The Supreme Court’s denial represents the latest setback in Facebook’s nearly five-year quest to dismiss this action. In fact, on Jan. 30, 2020, just days after the denial, Facebook settled this action for $550 million.

To appreciate how quickly this case settled after the Supreme Court’s denial of certiorari, requires both an overview of the Illinois Biometric Information Privacy Act (BIPA) and the procedural posture of the case.


Enacted in 2008, BIPA was crafted to protect the biometric information of Illinois residents. In general, the term “biometrics” may refer to a variety of measurements based on biological characteristics. Biometric identifiers, however, are the distinctive, measurable characteristics used to label and describe specific individuals, such as fingerprints or retina scans. BIPA defines “biometric identifier” to mean “… a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” whereas the broader term “biometric information” is defined as “… any information … based on an individual’s biometric identifier used to identify an individual.”

BIPA requires a private entity that collects, stores or uses an individual’s biometric identifier or biometric information to provide notice to, and obtain consent from, the individual prior to collection. In addition, BIPA requires such private entities to develop and implement a written policy regarding the retention and destruction of biometric information and make the policy publicly available. BIPA also restricts how an entity may further disclose biometric identifiers and information it collects. Notably, BIPA includes a private right of action allowing for civil suits to be brought against companies for alleged violations. For each violation, the prevailing party may recover at least its actual damages or liquidates damages of $1000, whichever is greater.


In August 2015, three Facebook users filed a consolidated putative class action against Facebook alleging that Facebook’s “Tag Suggestions Feature” violates their privacy rights under BIPA. Plaintiffs alleged that Facebook’s Tag Suggestions Feature captured, used and stored their biometric identifiers (e.g., face geometry) without their consent, in violation of BIPA. Plaintiffs claimed that the feature functions by (i) scanning uploaded photographs; (ii) recognizing and identifying the faces that appear in the uploaded photographs; and (iii) suggesting, upon identification, that individual’s name or automatically tagging the individual.

Facebook moved to dismiss the complaint, arguing in part that plaintiffs lacked Article III standing because they had not alleged that they suffered a concrete and particularized injury resulting from Facebook’s alleged BIPA violations. In May 2016, the Northern District of California denied Facebook’s motion. Facebook appealed to the 9th Circuit.

On Aug. 8, 2019, the 9th Circuit denied Facebook’s appeal, affirming that plaintiffs had Article III standing to sue for procedural violations of BIPA even though they had not alleged actual harm resulting from Facebook’s conduct. The 9th Circuit concluded “the privacy right protected by BIPA is the right not to be subject to the collection and use of biometric data” and thus “Facebook’s alleged violation of these statutory requirements would necessarily violate [plaintiffs’] substantive privacy rights.”

Following the 9th Circuit’s denial, in December 2019, Facebook filed a writ of certiorari asking the Supreme Court to determine in part whether a court can find Article III standing based on its conclusion that a statute protects a concrete interest, without determining whether that plaintiff suffered a personal, real-world injury from the alleged violation. The Supreme Court denied certiorari last week.

The Supreme Court’s denial has at least two potentially interesting implications for privacy litigation. First, the Supreme Court has resolved any uncertainty regarding current BIPA jurisprudence. The law remains unchanged: a plaintiff still has standing to sue under BIPA without alleging actual harm. Therefore, defendants in BIPA class actions can no longer rely on the possibility of the Supreme Court changing the law to delay prosecution of BIPA class actions or as leverage in settlement discussions. Second, and perhaps consequentially, as other states enact various new privacy laws of their own, they may be cautious about whether to include a private right of action for violations, and more likely to limit the scope of such rights. Indeed, the California Consumer Privacy Act has a limited private right of action, and the newly proposed Washington Privacy Act includes no private right of action.