As the number of lawsuits based on claimed violations of the Illinois Biometric Information Protection Act (“BIPA”) increase, litigants have struggled to find guidance from the courts on this new area of law. The Ninth Circuit’s August 8, 2019 decision in Patel v. Facebook, Inc., No. 18-15982 (August 8, 2019) provides slightly more guidance. In Facebook, the Ninth Circuit affirmed the district court’s finding that allegations related to Facebook’s use and storage of “face templates” may violate BIPA. The Ninth Circuit focused on whether the plaintiff’s allegations constitute a concrete and particularized harm sufficient to confer Article III standing under the U.S. Constitution. This has been a threshold question for a number of years in data breach litigation. In short, Article III of the Constitution limits the jurisdiction of federal courts to “Cases” and “Controversies” “which are appropriately resolved through the judicial process.” Under the U.S. Supreme Court decision in Clapper v. Amnesty Int’l USA, a plaintiff is required to show a data breach resulted in an “imminent risk of a concrete injury” to have standing under Article III. Initially, a number of courts dismissed data breach cases because they lacked standing as plaintiffs were not able to show a concrete injury and the alleged future injuries were too speculative related to a data breach.

However, the question of whether plaintiffs have standing in data breach cases may be drastically different in BIPA violation cases. It is well-established under Illinois law that a plaintiff may be “aggrieved” under BIPA when a data collector merely fails to provide proper notice and get consent that biometric information will be collected and used. Therefore, the Facebook decision may have been inevitable given the substantial body of law on Article III standing for data breach cases coupled with well-settled Illinois law addressing BIPA claims.

Facebook’s Creation Of Template For “Tag Suggestions” Application

The Ninth Circuit provided the following background concerning the plaintiffs’ usage of Facebook and how it gave rise to this action:

  • “When a new user registers for a Facebook account, the user must create a profile and agree to Facebook’s terms and conditions…”
  • “To interact with other users on the platform, a Facebook user identifies another user as a friend and sends a friend and sends a friend request.” The two users can share text and photographs when they become “Facebook friends.”
  • Facebook allows users to tag their Facebook friends in photos they post.
  • “In 2010, Facebook launched a feature called Tag Suggestions” that allows “facial-recognition technology to analyze whether the user’s Facebook friends are in photos uploaded by the user.”
  • Facebook scans the photos for images of faces to “extract the various geometric data points that make a face unique, such as the distance between the eyes, nose, and ears, to create a face signature or map.”
  • The face signatures are saved in a database stored on Facebook servers that allows matching to other saved photos which allows Facebook to make a suggestion to tag a person appearing in the photograph.

Ninth Circuit’s Finding That Plaintiffs Had Standing To Bring Suit

The class-action plaintiffs were living in Illinois and claim to have uploaded photos while in Illinois and claim the use of their photos to create a template violated BIPA. In particular, the plaintiffs claim BIPA was violated with Facebook’s “collecting, using, and storing biometric identifiers…from their photos without obtaining a written release and without establishing a compliant retention schedule.”

Facebook filed a motion to dismiss arguing the plaintiffs “had not alleged any concrete injury” and lacked standing under Article III.  Plaintiffs filed a motion to certify a class action while the motion to dismiss was pending. The Ninth Circuit first reviewed the district court denial of Facebook’s motion to dismiss.

As seen in a number of other privacy cases, the Ninth Circuit relied on well-settled law holding a plaintiff “must have suffered an ‘injury in fact’—an invasion of legally protected interest which is (a) concrete and particularized; and (b) actual or imminent, not conjectural or hypothetical.”  As part of this analysis, the Ninth Circuit further held “it is not enough for a plaintiff to allege a defendant has violated a right created by statute…”  Further, the Ninth Circuit adopted the following “two-step approach to determine whether the violation of a statute causes concrete injury:”

  • Whether the statutory provisions at issue were established to protect the plaintiff’s concrete interests (as opposed to purely procedural rights), and
  • Whether the specific procedural violations alleged in this case actually harm, or present a material risk of harm to, such interests.

In applying this two-step approach, the Ninth Circuit rejected Facebook’s argument that plaintiffs’ complaint should be dismissed to the extent it “describes a bare procedural violation of BIPA rather than injury to a concrete interest, and therefore plaintiffs failed to allege that they suffered an injury-in-fact that is sufficiently concrete for purposes of standing.” In agreeing with the plaintiffs, the Ninth Circuit held this first prong was met as it held “we conclude that an invasion of an individual’s biometric privacy rights ‘has a close relationship to a harm that has traditionally been regarded as providing as basis for a lawsuit in English or American courts.”  In short, the Ninth Circuit found “the development of a face template using facial recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests.”

As for the second prong, the Ninth Circuit found Facebook may have caused “actual harm” with a face template that will be retained “for all time.”  The Ninth Circuit held BIPA protects against the improper notice and use of biometric data which can lead to a violation of privacy rights. Based on the legislative intent behind BIPA, the Ninth Circuit found the plaintiffs “alleged a concrete injury-in-fact sufficient to confer Article III standing.”

The Ninth Circuit’s Decision May Have Been Inevitable In Light Of Illinois Law

The Illinois Supreme Court decision in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019) may have forced the Ninth Circuit’s holding in Facebook. In Rosenbach, the Illinois Supreme Court analyzed the provision in the Biometric Act which states that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”  The central question for the Supreme Court was whether the use of the term “aggrieved” in the Biometric Act requires a plaintiff assert that they suffered an injury in addition to having their biometric data collected.  In reversing the Illinois Court of Appeals, the Illinois Supreme Court found a violation of the Biometric Act when a data collector merely took information from a minor without proper consent.  The most important aspect of the Rosenbach decision is a data collector can be liable without breaching any information. Therefore, the Ninth Circuit quickly realized that BIPA claims were not going to face the same questions related to Article III standing that plagued data breach plaintiffs for years.  While the Facebook decision was inevitable, it is interesting to the extent it shows how two areas of privacy law are developing separately.