This past week, a California district court again declined Facebook’s motion to dismiss an ongoing litigation involving claims under the Illinois Biometric Information Privacy Act, 740 Ill. Comp Stat. 14/1 (“BIPA”), surrounding Tag Suggestions, its facial recognition-based system of photo tagging. In 2016, the court declined to dismiss the action based upon, among other things, Facebook’s contention that BIPA categorically excludes digital photographs from its scope. This time around, the court declined to dismiss the plaintiffs’ complaint for lack of standing under the Supreme Court’s 2016 Spokeo decision on the ground that plaintiffs have failed to allege a concrete injury in fact. (Patel v. Facebook, Inc., No. 15-03747 (N.D. Cal. Feb. 26, 2018) (cases consolidated at In re Facebook Biometric Information Privacy Litig., No. 15-03747 (N.D. Cal.)). As a result, Facebook will be forced to continue to litigate this action.
This dispute is being closely watched as there are a number of similar pending BIPA suits relating to biometrics and facial recognition and other defendants are looking at which of Facebook’s defenses might hold sway with a court.
In ruling the plaintiffs had standing, the court stated that, with BIPA, the Illinois legislature codified a right of privacy in personal biometric information, and that “a violation of BIPA’s procedures would cause actual and concrete harm.” According to the court, the statute deemed procedural protections for biometric data “crucial” in the new digital age, particularly since biometric identifiers cannot be changed if compromised:
“When an online service simply disregards the Illinois procedures, as Facebook is alleged to have done, the right of the individual to maintain her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.”
“Consequently, the abrogation of the procedural rights mandated by BIPA necessarily amounts to a concrete injury. This injury is worlds away from the trivial harm of a mishandled zip code or credit card receipt. A violation of the BIPA notice and consent procedures infringes the very privacy rights the Illinois legislature sought to protect by enacting BIPA. That is quintessentially an intangible harm that constitutes a concrete injury in fact.”
The court ultimately rejected Facebook’s argument that the collection of biometric information without notice or consent can never support Article III standing without “real-world harms,” as the court pointed to holdings within the circuit finding that “privacy torts do not always require additional consequences to be actionable.” The court also distinguished some prior decisions in other federal courts that had dismissed BIPA claims for lack of standing, including a holding where the Second Circuit had little trouble affirming the dismissal of BIPA claims against a videogame maker related to a personalized avatar feature because the defendant had satisfied BIPA’s notice and consent provisions and plaintiffs could not allege a material risk of harm to a concrete interest protected by the statute. In the prior dismissals, the court noted, the plaintiffs “indisputably knew” that their biometric data would be collected before they accepted the services offered by the businesses involved, as opposed to the plaintiff’s allegations in the instant case that claim that Facebook afforded plaintiffs no notice or opportunity to say no.
While the ultimate outcome of this case is uncertain, as many substantive issues have yet to be fully aired, the ruling was a clear victory for privacy advocates, particularly those who have cautioned that facial recognition and authentication techniques that employ biometrics implicate important privacy and data security concerns. The ruling was not entirely a surprise, as the Ninth Circuit recently found standing in a Video Privacy Protection Act (VPPA) case (yet dismissed the action on other grounds), holding that the statute “generally protects a consumer’s substantive privacy interest in his or her video viewing history” and the plaintiff need not allege any further harm to have standing.
The Facebook litigation is an important bellwether on the scope and reach of the Illinois biometric privacy law. As noted above, other BIPA defendants are closely monitoring the case. In addition, many organizations that are trying to understand the range of their obligations under BIPA – and are looking to implement practical methods of compliance – are also watching this case for lessons to be learned. Finally, a number of states are considering biometric privacy laws, and given that the “lack of standing” argument under BIPA relates in part to BIPA’s specific statutory language, they hope to learn from this and other cases as to how best to craft their legislation (and decide whether such legislation might contain a private right of action or merely delegate enforcement powers to the state attorney general).