Ninth Circuit Holds BIPA Class-Action Plaintiffs Have Article III Standing
Recently, the Ninth Circuit Court of Appeals issued an opinion in the case of Patel v. Facebook, Inc., 2019 WL 3727424 (9th Circ. 2019), allowing a class-action lawsuit filed in the Northern District of California to proceed. The Court held that the plaintiffs have Article III standing to bring the suit because Facebook’s alleged violations of Illinois’s Biometric Information Privacy Act (“BIPA”) constitute a sufficiently concrete injury-in-fact. The Court also upheld the district court’s grant of the plaintiffs’ motion for class certification, finding that the Federal Rules of Civil Procedure’s predominance and superiority requirements were met. Patel represents a continued expansion of the law in favor of plaintiffs bringing suits under BIPA.
Illinois enacted BIPA in 2008 after concluding that “[t]he public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” BIPA established various regulations concerning the retention, collection, disclosure, and destruction of “biometric identifiers” (defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”) and associated “biometric information” based on these identifiers.
At issue in Patel is Facebook’s use of facial recognition technology in association with its “Tag Suggestions” feature. Facebook employs technology to scan each photograph uploaded to Facebook and detect whether the photographs contain images of faces. The program then creates a “face signature” for each face detected in a photo by extracting geometric data points, and then compares the “face signatures” to Facebook’s database of “user face templates” that are matched to user profiles. When a photo’s face signature matches an existing face template, Facebook may then suggest “tagging” the identified user in the photo. According to the company, Facebook creates and stores user face templates for all users who have been tagged in at least one photo, who have not opted out of the “Tag Suggestions” feature, and who “satisf[y] other privacy-based and regulatory criteria.”
The class representatives in the case, who are Illinois residents, allege that Facebook’s collection, use, and storage of their user face templates without maintaining a written retention policy or obtaining written releases violated sections 15(a) and 15(b) of BIPA. Section 15(a) of the Act requires that private entities in possession of biometric identifiers or information “develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first.” Under Section 15(b), before obtaining a person’s biometric identifier or information, a private entity must first: (1) inform the person or their legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) inform the person or their legally authorized representative in writing of the specific purpose and length of time for which a biometric identifier or biometric information is being collected, stored, and used; and (3) obtain a written release executed by the person or their legally authorized representative.
Article III Standing
Facebook countered with a motion to dismiss premised on the argument that the plaintiffs’ allegations that Facebook violated BIPA’s statutory provisions, without more, did not establish that they had suffered a concrete injury sufficient to confer Article III standing. The plaintiffs then filed a motion under Federal Rule of Civil Procedure 23 to certify a class of “Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011.” The district court denied Facebook’s motion to dismiss and granted the plaintiffs’ motion to certify the class, and Facebook appealed the ruling to the Ninth Circuit.
The Ninth Circuit noted that to establish Article III standing, plaintiffs must allege that they have suffered an “injury in fact,” which is “an invasion of a legally protected interest which is (a) concrete and particularized; and (b) actual or imminent, not conjectural or hypothetical.” While concrete injuries need not be tangible, allegations that a defendant has violated a right created by a statute by themselves are not enough. To determine whether Facebook’s alleged violation of BIPA caused a concrete injury to the plaintiffs, the Ninth Circuit employed the two-step test it established in Robins v. Spokeo, Inc., 867 F.3d 1108 (9th Cir. 2017): “(1) whether the statutory provisions at issue were established to protect [the plaintiff’s] concrete interests (as opposed to purely procedural rights), and if so, (2) whether the specific procedural violations alleged in this case actually harm, or present a material risk of harm to, such interests.”
Facebook argued that the plaintiffs’ allegations amounted to mere procedural violations of BIPA rather than injuries to concrete interests because there were no allegations that the plaintiffs’ biometric identifiers or information were breached or misused. However, the Ninth Circuit disagreed, finding that BIPA was enacted in order to protect Illinois residents’ concrete right to privacy. The Court provided a lengthy discussion of the history of the right to privacy, from its roots in the common law to recent Supreme Court decisions applying the Fourth Amendment to technological intrusions on personal privacy. It also considered the judgment of the Illinois legislature, stating that BIPA’s legislative history and the Illinois Supreme Court’s recent decision in Rosenbach v. Six Flags Entm’t Corp., 2019 WL 323902 (Ill. 2019), which we discussed in an early Client Alert, also support the Ninth Circuit’s conclusion “that the capture and use of a person’s biometric information invades concrete interests.” In Rosenbach, the Illinois Supreme Court held that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under [BIPA], in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”
After determining that BIPA was established to protect the plaintiffs’ concrete right to privacy, the Ninth Circuit turned to the question of whether Facebook’s collection, use, and storage of the plaintiffs’ face templates, without maintaining a retention schedule or obtaining written releases, had actually harmed or presented a material risk of harm to the plaintiffs’ privacy interests. The opinion concludes that as “the privacy right protected by BIPA is the right not to be subject to the collection and use of such biometric data, Facebook’s alleged violation of these statutory requirements would necessarily violate the plaintiffs’ substantive privacy interests.” It further quotes the Rosenbach opinion, in which the Illinois Supreme Court stated that the procedural protections in BIPA “are particularly crucial in our digital world” because “[w]hen a private entity fails to adhere to the statutory procedures . . . the right of the individual to maintain his or her biometric privacy vanishes into thin air.”
Rule 23 Certification
The opinion then moves on to a brief discussion of Facebook’s appeal of the certification of the class under Federal Rule of Civil Procedure 23. Facebook argued that Illinois’s extraterritoriality doctrine is incompatible with Federal Rule 23(b)(3)’s requirement that “questions of law or fact common to class members predominate over any questions affecting only individual members.” According to Facebook, because “the Illinois legislature did not intend for BIPA to have extraterritorial effect . . . the district court would have to conduct countless mini-trials to determine whether the events in each plaintiff’s case occurred ‘primarily and substantially within’ Illinois,” defeating the Federal Rule’s predominance requirement. However, the Ninth Circuit found that such “mini-trials” would not be necessary because the “threshold questions of BIPA’s applicability” could be decided on a class-wide basis from the outset. The Court also dismissed Facebook’s argument that “the possibility of a large, class-wide statutory damages award” in the case conflicts with Federal Rule 23(b)(3)’s requirement that a class action be “superior to other available methods for fairly and efficiently adjudicating the controversy,” because it found no indication in BIPA’s text or legislative history that the Illinois legislature intended to place a cap on statutory damages. Plaintiffs claim that Facebook is liable to each member of the class for damages of up to $5,000 per violation of the statute.
Patel represents another expansion of the law in favor of plaintiffs in BIPA litigation because it opens the door to the filing of BIPA suits in jurisdictions outside of Illinois and supports the proposition that plaintiffs may recover damages for injury to their right to privacy under BIPA even where there is no evidence that their biometric data is at risk of being compromised or misused. In a brief filed in the case, the U.S. Chamber of Commerce argued that the district court’s decision ran counter to the Supreme Court’s decision in Spokeo v. Robins, 136 S. Ct. 1540 (2016), which held that allegations of bare procedural violations of a statute that do not result in actual harm are insufficient to establish Article III standing. However, in finding that the alleged harm to the plaintiffs’ right to privacy in Patel constituted more than a mere procedural violation of BIPA, the Ninth Circuit provided BIPA plaintiffs a work-around to Article III standing challenges established by the Supreme Court’s decision in Spokeo. In response to the Patel opinion, Facebook has requested a rehearing before the full Ninth Circuit Court of Appeals and has also indicated it could appeal the decision to the Supreme Court.
The Ninth Circuit’s opinion also represents a divergence from the Second Circuit’s opinion in Santana v. Take-Two Interactive Software, Inc., 717 F. App’x 12 (2d Cir. 2017), where the Court held that the plaintiffs lacked Article III standing because the defendant video game developer’s violations of BIPA in connection with the use of face-scanning technology did not present a material risk that the plaintiffs’ biometric data would be misused or disclosed. However, at the time the Santana opinion was issued, the Illinois Supreme Court had not yet issued its opinion in Rosenbach, which provided a roadmap for the Ninth Circuit’s opinion in Patel by stating that BIPA was designed to ensure that individuals’ “privacy rights in their biometric identifiers and biometric information are properly honored and protected to begin with, before they are or can be compromised.”
Additionally, it will be interesting to see whether the Seventh Circuit analyzes the issue of Article III standing in BIPA suits through the lens of the right to privacy following the decision issued in Patel. In its recent opinion in Miller v. Sw. Airlines Co., 926 F.3d 898 (7th Cir. 2019), published in June, the Seventh Circuit found that plaintiff airline employees had Article III standing to bring claims under BIPA in the context of a labor dispute over biometric timekeeping systems. However, as the Court held that “the prospect of a material change in workers’ terms and conditions of employment” gave the claims a concrete dimension sufficient to establish standing, it never reached the issue of whether the risk of disclosure of biometric data by itself is sufficient to establish standing. The opinion’s brief analysis of the standing issue also lacked any discussion of injury to the plaintiffs’ right to privacy, an issue it will likely have to address in future decisions. We are closely monitoring the developments in this crucial area of law and will continue to keep you apprised of any further updates.
For further information regarding BIPA or privacy laws generally, contact Joseph Kish at email@example.com or 312.644.3538.
- CYBER RISK CLIENT ALERT: The Constitutional Argument Against BIPA
- CYBER RISK CLIENT ALERT: The SHIELD Act Requires Corporations to Implement Cyber-Security Measures
- New Michigan DIFS Order Raises More Questions for Auto Insurers
- Proposed Hours of Service Rules: Balancing Safety and Economy
- PROFESSIONAL LIABILITY CLIENT ALERT: Attorney Liability Under the FDCPA
- Five Words & Phrases Defense Attorneys Should be Mindful of in Trucking Litigation
- CYBER RISK CLIENT ALERT: BIPA Cutbacks Stalled in Springfield - For Now.
- PROFESSIONAL LIABILITY CLIENT ALERT: The Development of Michigan's Attorney Judgment Rule
- Another BIPA Violation Alleged in Illinois
- Professional Liability
- Class Action
- Complex Commercial Litigation
- Insurance Coverage
- Insurance & Reinsurance Litigation & Counseling
- Cyber Risk & Liability
- Toxic Tort
- Professional Development
- Social Media & Privacy
- Workers' Compensation
- Medical Negligence & Healthcare Liability
- Pharmaceutical & Medical Device Litigation
- Product Liability
- Construction Litigation & Counseling
- Employment Litigation & Counseling
- Discrimination, Harassment & Hostile Workplace Claims