Earlier this week, the U.S. District Court for the Northern District of California (Hon. James Donato) held in Patel v. Facebook Inc.,[1] that plaintiffs had standing to pursue a putative data privacy class action against Facebook alleging that the company had “collected users’ biometric data secretly and without consent.”[2] The decision is the latest to weigh in on the injury allegations necessary for standing purposes under the Illinois Biometric Information Privacy Act[3] (“BIPA”), which regulates the collection and storage of biometric information, and provides a private right of action to a “person aggrieved by a violation.” In finding that standing was met, the Facebook decision arguably applied a lower injury threshold than other courts have interpreted to be the outer boundaries for pleading an Article III injury under BIPA.
Prior Decisions Interpreting BIPA
BIPA is one of the first state data privacy statutes regulating the collection and storage of biometrics and a possible precursor to other state statutes.
As we previously discussed, in November 2017, the Second Circuit in Vigil v. Take-Two Interactive Software, Inc.,[4] affirmed the dismissal for want of Article III standing of a putative class action brought by gamers alleging that Take-Two Interactive Software violated BIPA by collecting biometrics when the gamers scanned their faces to create personalized gaming avatars. The process for creating the personalized avatars was invasive (gamers stared at a camera for around 15 minutes). The gamers also received notice that the “face scan will be visible” and were required to affirmatively click a button to proceed with the scan.[5] In those circumstances, the court found that plaintiffs had failed to allege a concrete harm, concluding (among other things) that while the notice and consent may have been technically deficient, the process required to create the avatars effectively informed the gamer-plaintiffs that their faces were being scanned and that there was “no material risk that Take-Two’s procedural violations have resulted in plaintiffs’ biometric data being used or disclosed without their consent.”[6]
In December 2017, an intermediate Illinois appellate court in Rosenbach v. Six Flags Entm’t Corp.,[7] found that the mere act by a theme park of collecting a fingerprint in violation of BIPA’s notice and consent requirements was insufficient to state a claim under state law. Instead, the court interpreted BIPA as requiring some allegation of an actual injury, noting in that case that there was no allegation of an injury to a privacy right.[8] We noted when discussing Rosenbach that the statutory injury inquiry may be essentially coextensive with the Article III injury inquiry; indeed, the state court decision in Rosenbach mirrored the decision by the U.S. District Court for the Northern District of Illinois in McCollough v. Smarte Carte, Inc.,[9] which concluded on materially similar facts that mere collection of fingerprint data in technical violation of BIPA is insufficient for Article III standing purposes.
In another case last year involving different circumstances, plaintiffs were able to assert cognizable claims under BIPA. The U.S. District Court for the Eastern District of Illinois in Monroy v. Shutterfly, Inc.,[10] allowed a suit to proceed against Shutterfly, a website operator that allows users to upload photos and allegedly automatically extracts biometric data from those photos, regardless of whether the individual depicted is a Shutterfly user or non-user. The court in a footnote found that a non-user had Article III standing to pursue claims on behalf of a class of non-users, reasoning that the named plaintiff “had no idea that Shutterfly had obtained . . . biometric data in the first place” and thus “credibly allege[d] an invasion of” privacy.[11]
The District Court’s Decision in Facebook
In Facebook, the named plaintiffs, who were Facebook users, claimed on behalf of a putative class that the company’s “Tag Suggestions” program violated BIPA.[12] Facebook users can upload pictures to Facebook’s website and then “tag” an individual in the photo with an identifier.[13] The plaintiffs alleged that Tag Suggestions uses facial recognition technology to extract and store biometric information from uploaded photos, with the purpose of “associat[ing] names with faces in photos and prompt[ing] users to tag those people.”[14] The plaintiffs claimed that “Facebook collected users’ biometric data secretly and without consent” in violation of the privacy rights protected by BIPA.[15]
The district court found that these allegations were enough to allege a concrete harm, reasoning that in passing BIPA, “the Illinois legislature codified a right of privacy in personal biometric information” and that “a violation of BIPA’s procedures would cause actual and concrete harm.”[16] The court rejected Facebook’s argument that plaintiffs must allege some “‘real-world harms,’ such as adverse employment impacts or even just ‘anxiety.’”[17] Instead, according to the court, “BIPA vested in Illinois residents the right to control their biometric information by requiring notice before collection and giving residents the power to say no by withholding consent.”[18] The court concluded that “[w]hen an online service simply disregards the Illinois procedures, as Facebook is alleged to have done, the right of the individual to maintain her biometric privacy vanishes into thin air.”[19]
The court found Vigil and McCollough to be “readily distinguishable” on the basis that the plaintiffs in those cases “indisputably knew that their biometric data would be collected before they accepted the services offered by the businesses involved” and thus “had sufficient notice to make a meaningful decision about whether to permit the data collection.”[20] According to the court, the distinction was “that Facebook afforded plaintiffs no notice and no opportunity to say no.”[21]
Finally, the court declined to explore (or describe) Facebook’s user agreement, data policy, and other extrinsic evidence, which the court could consider on a FRCP 12(b)(1) motion and which Facebook argued showed that it had in fact complied with BIPA’s notice and consent requirements.[22] Contrasting the “largely undisputed facts in McCollough and Vigil,” the court found that the facts were contested and thus that resolution of actual compliance should be reserved for summary judgment or trial.[23]
Takeaways
– The Circumstances of the Data Transaction Matter. Facebook and other decisions interpreting BIPA demonstrate that courts in data privacy actions will scrutinize the circumstances of the transaction itself to determine whether the data collection was obvious to a reasonable person, which can inform the injury inquiry.
– Facebook May Be Inconsistent with Other Decisions Interpreting BIPA. Facebook is arguably in tension with Vigil, McCollough, and Rosenbach, the last of which went uncited by the district court. Those three cases held that mere technical violations of BIPA’s notice and consent provisions were insufficient to allege a harm for Article III standing and/or state statutory purposes. It is not clear from the Facebook decision that plaintiffs alleged anything more than technical violations, namely, the collection without further dissemination of biometric data with insufficient notice and consent.
Interestingly, absent from Facebook is a discussion of the nature of the actual notice and consent. But actual notice and consent is arguably integral to assessing whether a violation was simply technical or something more; indeed, the district court in Facebook distinguished Vigil on the basis of “the specific fact of prior written notice and click-through consent” in that case.[24] The Shutterfly decision—also uncited by the court in Facebook—predicated its Article III injury finding on the allegation that non-users could not have had notice or consent of the biometric transaction at issue. It is not clear from the Facebook decision whether Facebook users truly had no notice of the data collection, as opposed to merely technically deficient notice.
– Expect More Data Privacy Litigation. Facebook will likely encourage private plaintiffs to bring suits under BIPA and analogous data privacy statutes. We expect that courts will continue to grapple with standing and injury issues as privacy and data breach litigation proliferates.
[1] No. 3:15-CV-03747-JD, 2018 WL 1050154 (N.D. Cal. Feb. 26, 2018).
[2] Id. at *1.
[3] 740 Ill. Comp. Stat. 14/1 et seq.
[4] 2017 WL 5592589 (2d Cir. Nov. 21, 2017).
[5] Id. at *1.
[6] Id. at *3.
[7] 2017 IL App (2d) 170317.
[8] Id. ¶¶ 20 n.1, 28.
[9] No. 16 C 03777, 2016 WL 4077108 (N.D. Ill. Aug. 1, 2016).
[10] No. 16 C 10984, 2017 WL 4099846, at *1-2 (N.D. Ill. Sept. 15, 2017).
[11] Id. at *8 n.5.
[12] 2018 WL 1050154, at *1.
[13] Id.
[14] Id.
[15] Id.
[16] Id. at *4.
[17] Id.
[18] Id.
[19] Id.
[20] Id. at *5.
[21] Id.
[22] Id. at *2, 6.
[23] Id. at *6.
[24] Id. at *5.