On August 8, 2019, a panel of the Ninth Circuit Court of Appeals affirmed a California district court’s decision allowing plaintiffs to proceed on claims against Facebook under the Illinois Biometric Information Privacy Act (“BIPA”), 740 Ill. Comp. Stat. 14/ (2008). Patel v. Facebook, Inc., 2019 U.S. App. LEXIS 23673. The ruling marks the first federal appellate court decision affirming a broad Article III standing precedent for plaintiffs asserting claims under BIPA – which may impact both BIPA cases and data breach cases under the California Consumer Privacy Act (“CCPA”). The appeals court also held that the potential for large statutory damages did not constitute grounds to refuse to certify the proposed class.

Background on BIPA and the Facebook Litigation

BIPA was passed to extend privacy laws to biometric identifiers; it protects Illinois residents’ biometric identifiers, defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Companies collecting such information must, in relevant part, (i) provide notice to residents that the information is being collected and explain how it will be used and how long it will be stored, and (ii) obtain an executed written release. 740 Ill. Comp. Stat. 14/15. BIPA also includes a private right of action, as well as provisions for actual and liquidated damages of $1,000 to $5,000 per violation depending on whether such violation involved negligence, intent or recklessness. In enacting BIPA, the Illinois General Assembly focused on the uniqueness of biometrics as an identifier, finding that unlike social security numbers, biometric data is biologically unique to the individual and not easily altered. 740 Ill. Comp. Stat. 14/5.

As discussed in a prior Ropes & Gray Alert, in the last decade, several state and federal courts have provided materially differing opinions on the threshold issue of standing under BIPA. It was not until earlier this year that the Illinois Supreme Court addressed the issue of statutory standing in Rosenbach v. Six Flags Entm’t Corp., — N.E.3d —, 2019 IL 123186 (Ill. 2019). Significantly, the Illinois Supreme Court held that plaintiffs do not need to sustain actual damage beyond a statutory violation to possess standing.

In federal court, however, the question of whether alleged mere non-compliance with BIPA’s notice and consent provisions – without any resulting harm – is sufficient “injury in fact” for Article III standing has continued to be litigated, including in the Facebook action addressed by the Ninth Circuit. The Facebook plaintiffs had initiated their suit in August 2015 based on allegations that Facebook violated BIPA by failing to provide notice to users or obtain their consent to collect and store information obtained by the company’s “Tag Suggestions” feature. According to the plaintiffs, this feature uses facial-recognition technology to analyze faces in photos uploaded to the site and extracts various geometric data points of a face to create a template stored on Facebook’s servers. In June 2016, Facebook moved to dismiss the complaint for lack of Article III standing on the ground that plaintiffs had not alleged any concrete injury. While Facebook’s motion to dismiss was pending, plaintiffs moved to certify a class under Rule 23 of the Federal Rules of Civil Procedure. The district court denied Facebook’s motion to dismiss and certified a class of “Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011.”

The Ninth Circuit Panel’s Opinion

On August 8, 2019, Judge Ikuta issued her opinion for a unanimous panel. In the opinion, Judge Ikuta applied a traditional two-prong approach to analyze whether plaintiffs had suffered an injury-in-fact sufficient to confer Article III standing. Under the first prong, the opinion analyzed whether BIPA’s provisions were enacted to protect plaintiffs’ concrete interests. Relying on common law privacy rights, Fourth Amendment jurisprudence, and the Illinois Supreme Court’s decision in Rosenbach, the panel reasoned that the “development of a face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests.”

Turning to the second prong, the panel evaluated whether the specific procedural violations alleged by plaintiffs “actually harm, or present a material risk of harm” to their privacy interests. The court likewise found this prong satisfied. Specifically, the opinion determined that plaintiffs had alleged a “concrete injury-in-fact sufficient to confer Article III standing” on the basis that BIPA protects a privacy right against the collection and use of biometric data, and Facebook’s alleged violation of these statutory requirements “would necessarily violate the plaintiffs’ substantive privacy interests.”

Significantly, the Ninth Circuit panel also affirmed the district court’s order certifying a class under Rule 23. Facebook had invoked an extraterritoriality defense, arguing that the district court would need to conduct “countless mini trials” to determine if the events in each plaintiff’s case occurred “primarily and substantially within” Illinois. The court disagreed, emphasizing that the Illinois legislature contemplated BIPA’s application to individuals located in Illinois even if relevant activities occurred outside the state; moreover, it considered that the relevant facts to determine the statute’s extraterritorial application could be decided on a class-wide basis.

The Ninth Circuit panel also concluded that the district court did not abuse its discretion in determining that a class action was superior to individual actions, despite the potential for extremely large statutory damages even in the absence of actual harm. Although Facebook had argued that the large potential for statutory damages defeated the superiority requirement of Rule 23(b), the court reasoned that nothing in the text or legislative history of BIPA indicated that the Illinois legislature did not intend for the award of large statutory damages and cited a Sherman Act case that involved potential liability of $750 million.

Takeaways

If the panel’s decision in Patel v. Facebook is not overturned en banc or on further appeal, it could have important implications for BIPA as well as Article III standing in the Ninth Circuit in data privacy class actions. Federal class actions alleging BIPA violations can be expected to increase both in Illinois and across the country, given the expansive view of statutory and constitutional standing taken by the Illinois Supreme Court in Rosenbach and the Ninth Circuit – and the quick dismissal of extraterritoriality concerns. Indeed, filings in Illinois state courts have increased after the Rosenbach decision. Open questions nevertheless remain as to whether any violation of BIPA will be sufficient to confer standing, whether other federal appeals courts will follow the Ninth Circuit in conferring Article III standing over BIPA violations, and whether a potential dormant commerce clause challenge will prevent BIPA from setting a de facto national standard. Outside of the Ninth Circuit, other federal courts have held that instances of alleged non-compliance with BIPA’s notice and consent provisions do not constitute “injury in fact” for Article III standing, but such decisions pre-dated the Illinois Supreme Court’s decision in Rosenbach.

The Ninth Circuit’s standing analysis is also likely to have implications for future class actions involving privacy laws, especially where statutory violations are alleged. Class action plaintiffs are likely to argue that the Ninth Circuit’s reasoning should be applied to find constitutional standing for other privacy claims without any need for demonstrating actual harm, and that the potential for large statutory damages is not a basis to deny class certification. In light of the statutory damage provisions in the CCPA, which will become effective in relevant part on January 1, 2020, the Patel panel’s approach would be particularly problematic in the event of a large-scale data breach that does not actually produce any tangible harm.

Given the uptick in companies using Internet of Things devices that rely on biometric identifiers, and the significant statutory damages available under BIPA, companies that have not already done so should start preparations now to comply with the requirements of BIPA.