During a recent hearing, a federal judge in the Northern District of California made comments suggesting that violating individuals “right to say no” to the collection of biometric information under Illinois’ Biometric Information Protection Act (BIPA) may be sufficient for plaintiffs claims to go forward against Facebook. According to the judge, BIPA provides individuals with the right to object to the collection, storage, and transmission of their biometric information. The judge characterized this right to object as a “valuable commodity” and stated that failing to respect that right should not be considered merely a technical violation of the law. These comments suggest that the judge is leaning towards denying Facebook’s motion to dismiss for a lack of standing. Facebook’s argument rests on the Supreme Court’s recent decision in Spokeo, which held that standing requires a concrete injury. As we’ve previously written, defendants have frequently raised standing arguments in defense to the rising tide of BIPA litigation—where the typical allegations involve technical violations of BIPA’s consent and notice requirements but without the plaintiffs suffering actual harm, such as identity theft—with mixed results.
In this case, the plaintiffs originally filed a series of complaints in September 2015, which were later consolidated into a single class action. The consolidated complaint alleges that Facebook violated BIPA by collecting and storing users’ facial geometries from uploaded photographs without the requisite notice and consent. Other social media websites that offer photo-sharing services have faced similar allegations under BIPA. In addition, dozens of employers using employee fingerprints for time-keeping purposes have faced class actions under BIPA in 2017.
TIP: BIPA class actions continue to dominate legal headlines, and the judge’s signaling that procedural violations of BIPA alone may be sufficient to assert standing under Spokeowould mark a strong rebuke to one of the most common defenses against these claims. In order to avoid the wave of BIPA litigation, organizations collecting, storing, and using biometric data are encouraged to ensure that their policies and practices are in compliance with BIPA’s notice and consent requirements.