On February 26, 2018, the United States District Court for the Northern District of California denied Facebook, Inc.’s motion to dismiss the plaintiffs’ consolidated class action complaint for failure to allege a concrete injury in fact under Federal Rule of Civil Procedure 12(b)(1). Plaintiffs alleged Facebook’s “Tag Suggestions” violated the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., by collecting users’ biometric data secretly and without consent. Facebooks’ Tag Suggestions program uses “state-of-the-art facial recognition technology” to create and store digital representations called “templates” of people’s faces based on the geometric relationship of an individual’s unique facial features, such as, “the distance between [a person’s] eyes, nose and ears.” The basis of the court’s review was whether the complaint’s allegations were insufficient on their face to invoke federal jurisdiction. Citing Spokeo Inc. v. Robins, 136 S. Ct. 1540 (2016) (“Spokeo I”), the court stated that an intangible harm, such as the violation of a procedural right granted by statute, can be sufficient in some circumstances to constitute injury in fact. The court extended this analysis to apply to state statutes based on Ninth Circuit case law. The dispositive inquiry, according to the court, was whether the statutory provisions were established to protect the plaintiffs’ concrete interest, and the specifically alleged procedural violations “actually harm or present a material risk of harm” to those interests. In summary fashion, the court concluded that BIPA codified a right of privacy in personal biometric information. According to the California court, BIPA vests Illinois residents with the “right to control their biometric information by requiring notice before collection and giving residents the power to say no by withholding consent.” The court held that abrogating the procedural rights mandated by BIPA necessarily amounts to a “concrete injury.” Based on this analysis, the court concluded that Facebook’s alleged disregard for Illinois’ notice and consent procedures under BIPA caused the precise harm the legislature sought to prevent—the right of an individual to maintain her biometric privacy. Facebook argued that collecting biometrics without notice or consent requires “real-world harms” to support Article III standing. The court disagreed relying on Spokeo I and Ninth Circuit cases that recognize violation of a statutory procedural right in itself can be a sufficient injury.
The court’s decision also distinguished cases cited by Facebook to contest the plaintiffs’ standing. The court viewed Gubala v. Time Warner Cable, Inc., 846 F.3d 909 (7th Cir. 2017) as distinguishable because it involved an alleged violation of the Cable Communications Policy Act based on the defendant retaining the plaintiff’s “social security number,” which is data excluded from the definition of a “biometric” under BIPA. The court also distinguished McCullough v. Smarte Carte, Inc., No. 16 C 03777, 2016 WL 4077108 (N.D. Ill. Aug. 1, 2016) and Vigil v. Take-Two Interactive Software, Inc., 235 F.Supp.3d 499 (S.D.N.Y. 2017), because the plaintiffs in those cases “knew” their biometric data would be collected before they accepted the services offered by the businesses involved—a “far cry” from the circumstances here—where the court opined that Facebook offered plaintiffs no notice and no opportunity to say no. The court declined to consider Facebook’s extrinsic evidence submitted to support that BIPA’s notice and consent provisions were actually satisfied, stating that notice and consent were in dispute, and inextricably intertwined with the merits of the plaintiffs’ claims which should be decided on summary judgment or at trial.
This decision is at odds with Rosenbach v. Six Flags Entertainment Corp., 2017 IL App (2d) 170317, and other Illinois cases where courts did not find a privacy right inherent in BIPA. These include Sekura v. Krishna Schaumburg Tan, Inc., No. 16 CH 04945 (Cook County Ill. Jan. 16, 2018) (Atkins, J.), and Rottner v. Palm Beach Tan, Inc., No. 15 CH 16695 (Cook County Ill. Mar. 2, 2018) (Gamrath, J.). These Illinois courts rejected general claims of “invasion of privacy” or “actual injury” premised on alleged violations of BIPA’s notice and consent provisions. Notably, the Facebook decision did not address Rosenbach.
The case is In re Facebook Biometric Info. Privacy Litig., Docket No. 3:15-cv-03747, and the decision is found here.