On Monday, February 26, 2018, the United States District Court for the Northern District of California denied defendant Facebook’s motion to dismiss In re Facebook Biometric Information Privacy Litigation, finding plaintiffs had standing to bring their claims under the Illinois Biometric Information Privacy Act (“BIPA”).

BIPA creates a private right of action for plaintiffs to bring suit for the unauthorized use of their biometric identifiers, including retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry. [1] In re Facebook is a consolidated action involving three class action law suits against Facebook for its purported use of biometric information to offer its “Tag Suggestions” program, which identifies individuals in the photographs on the basis of facial geometry. The plaintiffs seek to represent a class of Facebook users from Illinois who have uploaded and shared photographs on the social network since 2010, when Facebook implemented “Tag Suggestions.”

In their complaint, plaintiffs allege that the “Tag Suggestions” program violates BIPA because Facebook did not: “[1] properly inform plaintiffs or the class in writing that their biometric identifiers (face geometry) were being generated, collected or stored; [2] properly inform plaintiffs or the class in writing of the specific purpose and length of time for which their biometric identifiers were being collected, stored, and used; [3] provide a publicly available retention schedule and guidelines for permanently destroying the biometric identifiers of plaintiffs and the class (who do not opt-out of ‘Tag Suggestions’); and [4] receive a written release from plaintiffs or the class to collect, capture, or otherwise obtain their biometric identifiers.” [2]

Facebook moved to dismiss the complaint, arguing that plaintiffs had failed to allege a concrete harm because the users did not set forth any adverse effects from having their faces recorded and recognized by Facebook’s tagging algorithm and thus lacked standing to bring their claims under Spokeo v. Robins. [3] Specifically, Facebook argued that Spokeo requires that plaintiffs allege a concrete harm caused by Facebook’s use of facial recognition data. Because none of the plaintiffs had alleged harm resulting from their facial identification and tagging by the software, Facebook argued they failed to meet the Article III standing requirements set forth in Spokeo.

In its recent decision, the U.S. District Court for the Northern District of California rejected Facebook’s argument, finding that “[a] violation of the BIPA notice and consent procedures infringes the very privacy rights the Illinois legislature sought to protect by enacting BIPA” and that violation of privacy “is quintessentially an intangible harm that constitutes a concrete injury in fact.” [4] The court went on to elaborate on Article III standing under BIPA, stating that the Act’s “provisions, along with the plain text of BIPA as a whole, leave little question that the Illinois legislature codified a right of privacy in personal biometric information… [and] [t]here is equally little doubt about the legislature’s judgment that a violation of BIPA’s procedures would cause actual and concrete harm.” [5]

In ruling for plaintiffs, the District Court distinguished cases in which other courts held that alleged violations of BIPA, without more, do not constitute an injury sufficient to confer Article III standing. Most notably, the court found that, unlike plaintiffs in McCollough v. Smarte Carte, Inc. [6] and Vigil v. Take-Two Interactive Software, Inc., [7] the plaintiffs in In re Facebook did not have a reasonable expectation that their biometric identifiers were being collected or used for a certain purpose.

In McCollough, biometric information purportedly was collected when a customer placed his or her finger on a fingerprint scanner in order to lock and unlock a locker. There, the court noted, “a customer would understand that Smarte Carte collects and retains their fingerprint data for at least the duration of the rental. The system would not work otherwise.” [8] Similarly, in Vigil, a case involving the alleged collection of face scans to create personalized avatars by a video game software company, the plaintiffs stood within 6 to 12 inches of the camera and slowly moved their heads 30 degrees to the left and to the right in order for the face scan to be collected. The player also consented by pressing “continue” after reading a notice stating that the face scan might be recorded. Thus, where the average customer “indisputably knew that their biometric data would be collected before they accepted the services offered by the businesses involved,” they “had sufficient notice to make a meaningful decision about whether to permit the data collection.” [9] This was a critical factual distinction upon which the court’s decision turned.

Accordingly, while future BIPA plaintiffs may argue that all BIPA claims necessarily allege injury sufficient to confer Article III standing, the Facebook holding is limited to the specific factual circumstances under which the alleged biometric identifiers were collected. Furthermore, this case supports the proposition that a plaintiff may not have Article III standing to assert a claim for a technical violation of BIPA where he or she was aware of, and effectively consented to, the collection of biometric information. [10]