On January 21, the Supreme Court declined Facebook’s request to review a Ninth Circuit decision that a violation of Illinois’s biometric privacy statute alone was sufficient to establish standing for Facebook users to bring suit against the company. As a result, the potential billion-dollar trial will move forward, and the wave of lawsuits under Illinois’s Biometric Information Privacy Act (BIPA) is likely to continue. Companies operating in Illinois or acquiring biometric information from Illinois residents, including companies developing facial models from photographs of Illinois residents, should carefully evaluate their data collection, use, and retention policies and practices in light of the heightened litigation risk environment.
BIPA, which went into effect in 2008, has become the epicenter of biometric privacy litigation since the Illinois Supreme Court decided in January 2019 that a statutory violation was sufficient to trigger standing under the law, even if a plaintiff could not show actual harm such as identity theft. BIPA requires companies that collect or obtain biometric information (facial scans, fingerprints, iris scans, etc.): to inform individuals that their information is being collected; articulate the purpose for which it is being collected; articulate the length of time that biometric information will be collected, used, and stored; develop a written, publically available retention policy; and acquire written consent from the individual before collecting biometric information or sharing biometric information with third parties. BIPA provides for a private right of action and allows damages of $1,000 for each “negligent” violation and $5,000 for each “intentional” or “reckless” violation.
In Facebook, Inc. v. Patel, plaintiffs brought a class action alleging, amongst other things, that Facebook applied facial recognition technology to develop facial templates based on uploaded photos without consent, and thus violated BIPA’s restrictions on biometric information collection, storage, and use. A central issue in the case is whether the allegation that Facebook violated BIPA is, in and of itself, sufficient to establish a concrete injury-in-fact for the purposes of standing. The Ninth Circuit held that although a violation of a statutory right is not sufficient in and of itself to establish injury-in-fact, BIPA is intended to protect an individual’s “concrete privacy interests”, and the alleged violations actually harm or pose a material risk of harming those privacy interests. In short, a plaintiff can establish Article III standing by merely alleging a statutory violation of BIPA.
The Ninth Circuit’s ruling in Patel is in tension with the Second Circuit’s holding in Santana v. Take-Two Interactive Software, Inc.—a case with facts similar to those in Patel—that a statutory violation of BIPA alone was insufficient to establish Article III standing. District courts evaluating BIPA claims in other circuits have aligned with the approach of the Second Circuit. The Supreme Court’s decision allows the circuit split to develop further and leaves the door open for Patel’s more lenient standing requirement to be applied in other privacy disputes.
In the meantime, companies collecting, using, and storing biometric information will face increased risk of BIPA lawsuits, which may be both complex and costly. The contours of BIPA’s extraterritorial application remains a nuanced and fact-dependent issue, and while the Ninth Circuit upheld the District Court’s certification of a class in Patel, it acknowledged that it may be appropriate to decertify the class “if circumstances lead to the conclusion that extraterritoriality must be evaluated on an individual basis.” To ensure they are well positioned to defend against potential BIPA lawsuits, companies utilizing biometric information should develop BIPA-compliant policies and conform their practices to meet BIPA’s requirements.