In late November, the Second Circuit issued a summary order in Vigil v. Take-Two Interactive Software, Inc.,[1] which affirmed the dismissal of a class action lawsuit brought in the Southern District of New York under the Illinois Biometric Information Privacy Act (“BIPA”) for lack of standing.[2] In doing so, the court followed established Second Circuit precedent and highlighted the continuing difficulties plaintiffs face in establishing standing for certain technical violations of data privacy statutes, when those violations are unaccompanied by allegations of a breach or likelihood of improper access. The case also serves as a reminder that as states pass statutes covering new types of technology and data, companies will need to remain vigilant in protecting a wider range of information than before.
Case Background and District Court Opinion
Take-Two Interactive Software Inc. (“Take-Two”) published a video game which includes a feature allowing players, such as the plaintiffs, to scan their faces for use in the game.[3] The plaintiffs alleged that, using this feature, players scanned their faces and provided the scans as “biometric information” to Take-Two. Plaintiffs then alleged that Take-Two did not follow certain notice, consent, storage, security and dissemination provisions of BIPA regarding the face scan. Specifically, the plaintiffs alleged:
- Take-Two did not provide notice about its retention schedule or guidelines for destroying the biometric data;
- Take-Two failed to obtain proper consent by informing the plaintiffs in writing that biometric data would be collected and the purposes and length of that collection;
- Take-Two failed to obtain proper consent by obtaining a written release;
- Take-Two disclosed and disseminated data without obtaining adequate consent; and
- Take-Two failed to transmit the biometric data securely.[4]
Plaintiffs also alleged various other tort theories of liability stemming from these violations, including claims that they were now apprehensive about engaging in future biometric-facilitated transactions.[5] Take-Two moved to dismiss the complaint based on a lack of Article III and statutory standing.
The district court (Hon. John G. Koeltl) dismissed the claims with prejudice, relying on Spokeo, Inc. v. Robins[6] and Strubel v. Comenity Bank,[7] to conclude that the plaintiffs had not adequately alleged a “material risk of harm to” the “concrete interests” protected by the statute.[8] The court also rejected the related tort claims stemming from the statutory violations as attempts to “manufacture an injury-in-fact.”[9]
Second Circuit Decision
The Second Circuit affirmed the district court’s decision to dismiss the case, only remanding to instruct the district court to enter the dismissal as without prejudice rather than with prejudice. In affirming the dismissal, the Second Circuit followed its recent post-Spokeo decisions in Katz v. Donna Karan Co. LLC,[10] and Crupar-Weinmann v. Paris Baguette Am., Inc.[11] These cases flesh out the Second Circuit’s two-step inquiry to determine when violations of statutory procedural rights constitute a “concrete” injury for the purposes of Article III. The two-step inquiry first requires determining the “scope and purpose of the procedural right provided by the statute.”[12] Then at the second step, the court must evaluate whether the violation presents a material “risk of harm” to the purpose of the statute. In Donna Karan and Paris Baguette, bare violations of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) regarding safeguards for printing consumer credit card information on receipts did not constitute an injury under Article III.
As to the first step of the analysis in Take-Two, the Second Circuit essentially assumed, without deciding, the district court’s interpretation of the purpose of the statute, namely, that “BIPA’s purpose is to prevent the unauthorized use, collection, or disclosure of an individual’s biometric data.”[13] Although the Second Circuit’s assumption failed to provide potentially useful further guidance on how to determine a statute’s “scope and purpose,” it is still instructive on how this assumption shapes the second step of the inquiry.
Specifically, at the district court level, plaintiffs had argued more broadly that BIPA’s purpose was to protect individuals’ right to privacy in their biometric information. Such a broad purpose may have made it more likely that technical violations of the statute would be actionable as a material “risk of harm” to the statute’s purpose. Separately, the plaintiffs argued that the Illinois legislature was concerned that users would not use biometric identifier-facilitated transactions absent adequate safeguards. Thus, recognizing this alleged statutory purpose would have made the plaintiffs’ tort-based allegations regarding their apprehension of using biometric services more colorable.
However, the narrower interpretation regarding the misuse of data under BIPA adopted by the district court and the Second Circuit made it difficult for the plaintiffs to identify a material risk of harm at the second step of analysis. This standard adopted by the district court and Second Circuit required plaintiffs to allege facts establishing a material risk of the “unauthorized use, collection, or disclosure” of the data. None of the allegations met that threshold.
First, the Court of Appeals made a common-sense observation about the nature of the alleged consent violations. It said that given the invasiveness of the scanning feature, “[n]o reasonable person… would believe that the . . . feature was conducting anything other than [] a scan” of biometric information as defined by BIPA for in-game use.[14] This meant there was no unauthorized collection of the data. Next, the Second Circuit found no unauthorized use of the data, because even if there were notice violations, the plaintiffs did not plead that Take-Two actually would or did wrongfully use the collected information.[15]
Third and finally, the court addressed whether there was any unauthorized disclosure of the data. Although admitting that Take-Two’s failure to transmit the data securely presented a “thornier issue,” the Second Circuit still found no material risk of harm.[16] The court observed that there were no allegations that third parties will improperly access (or, implicitly, had improperly accessed) the data. However, in so holding the Second Circuit clarified that it was not adopting the “wide-sweeping conclusion” that “violations of such prophylactic measures confer standing only where there has been a data breach.”[17] The Second Circuit also agreed with the district court’s holding that plaintiffs’ apprehension of using future applications that collect biometric information did not create a cognizable injury.
Despite affirming the district court and noting that plaintiffs failed to cure their deficient pleadings “despite multiple opportunities to amend,” the Second Circuit remanded with instructions to amend the judgment and enter a dismissal without prejudice.[18] The court observed that a threshold dismissal based on Article III standing prevents the court from having subject matter jurisdiction, so it could not enter a dismissal of the matter with prejudice.[19] The district court had alternatively dismissed the complaint for failure to state a claim, but the Second Circuit reiterated that district courts can only rule on such a motion before addressing Article III standing when it does not constitute a “definitive ruling on the merits.”[20]
Takeaways
- The importance of a statute’s “scope and purpose.” On the one hand, this case shows the continued difficulty of meeting the standing requirement of showing a material risk of harm where the violation of a procedural right is merely hypothetical. As states continue to fine-tune their statutory privacy schemes, legislatures may begin to include more precise language suggesting broad statutory rights to privacy generally or, more narrowly, to certain categories of information. This can, in turn, have a significant impact on whether a violation of the procedural right is actionable.
- Alleging the risk of harm absent breach remains difficult for private plaintiffs. The Second Circuit specifically rejected a bright-line rule that plaintiffs can only establish standing for claims of privacy statute violations when there is a breach. Yet, in practice, private plaintiffs clearly face difficulties in establishing Article III standing absent a breach. Here, the defendants allegedly transmitted unencrypted, sensitive biometric information—a decision that would surely be unacceptable if it were financial information.[21] However, in light of the changing national consciousness of the risks associated with breaches, as well as the increasing emphasis on privacy, it is unclear whether this high bar becomes a lower one over time. Plaintiffs may also do a better job of mustering evidentiary support about the risks associated with certain kinds of information and the inevitability of a breach for improperly protected systems.
- State Courts May Remain Open. Because the opinion only addressed Article III standing for federal court jurisdiction, state courts may remain as a viable alternative forum for the Vigil plaintiffs to bring their claims, depending on local state laws regarding standing. Yet, even if plaintiffs can and do pursue this option, it will of course limit the risk of nationwide class actions.
[1] 2017 WL 5592589 (2d Cir. Nov. 21, 2017).
[2] 740 Ill. Comp. Stat. 14/1 et seq.
[3] Vigil v. Take-Two Interactive Software, Inc., 235 F.Supp.3d 499, 506 (S.D.N.Y. 2017).
[4] Id. at 507.
[5] Id.
[6] 136 S.Ct. 1540 (2016).
[7] 842 F.3d 181 (2d Cir. 2016).
[8] Vigil, 235 F.Supp.3d at 510-11.
[9] Id. at 515.
[10] 872 F.3d 114 (2d Cir. 2017).
[11] 861 F.3d 76 (2d Cir. 2017).
[12] Vigil, 2017 WL 5592589 at *2.
[13] Id.
[14] Id. at *3.
[15] Id. Notably, however, this differed from the district court’s implicit view that no violation of the notice and consent provisions could ever create standing, because the only effect of following those provisions would be to dissuade usage of the service altogether—before any data collection occurred.
[16] Id. at *3-*4.
[17] Id. at *4.
[18] Id.
[19] Id.
[20] Id. at *4-*5.
[21] Indeed, the FTC has pursued actions for these types of violations.