On November 21, 2017, the U.S. Court of Appeals for the Second Circuit held that a plaintiff bringing a putative class action under the Illinois Biometric Information Privacy Act (“BIPA”) could not establish an injury-in-fact and therefore lacked Article III standing, further adding to the legacy of the U.S. Supreme Court’s holding in Spokeo v. Robins and providing companies with additional firepower to fight against claims of bare procedural statutory violations of privacy statutes where individuals suffer no actual harm or risk of real harm. (Santana v. Take-Two Interactive Software, Inc.)

Take-Two, the developer of the video game series NBA 2K, has included a feature in several of its recent releases that allows players to scan their face into the video game to create a personalized avatar basketball player for use in the game.

Prior to scanning their face and creating an avatar, players are required to agree that “Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay.” The lawsuit alleged that this disclaimer did not provide sufficient notice under the BIPA.

BIPA requires that individuals are given written notice that biometric identifying data is being collected and are informed of the organization’s purpose and length of time for which the data will be collected, stored, and used. BIPA also requires that the organization make publicly available a written policy identifying the length of time that the organization will retain biometric identifying data and its rules regarding the destruction of such data.

The plaintiff alleged that Take-Two failed to inform him of the purpose and duration for which his data would be stored, failed to make a publicly available written policy regarding its retention/destruction schedule, and, as a result, collected and disseminated his biometric identifying data without his informed consent.

The Circuit Court affirmed the District Court’s dismissal for lack of Article III standing, holding that the alleged procedural violations failed to raise a material risk of harm that plaintiff’s biometric data would be misused, disclosed, or accessed by third parties. The Court held that, under Spokeo, plaintiff failed to show a “risk of real harm sufficient to confer injury-in-fact.” The Court also found plaintiff’s argument that he was deterred from using biometrics in the future insufficient to establish a risk of future harm.

The Court also took note that plaintiff was well-aware that Take-Two was collecting his biometric data. As a result, this decision may have limited application in cases where the individual may be unaware that his or her biometric data is being collected and stored. Nonetheless, this decision further prevents individuals from asserting procedural statutory violations that are completely divorced from actual harm or risk of real harm.