On August 8, 2019, the U.S. Court of Appeals for the Ninth Circuit issued yet another decision adopting relaxed standing requirements in privacy litigation, this time in a decision permitting a plaintiff to pursue claims under Illinois’s Biometric Information Privacy Act (BIPA). In Patel v. Facebook, the Ninth Circuit rejected arguments from Facebook Inc. (Facebook) that claims under the BIPA require assertions of real-world harm, and that BIPA claims only apply to conduct within Illinois. The ruling creates a circuit split on the standard for establishing Article III standing in BIPA litigation, which could prompt the U.S. Supreme Court to take up the issue.

Background

Facebook permits users to “tag” their Facebook friends in uploaded photos. A feature Facebook launched in 2010, “Tag Suggestions,” uses facial-recognition technology to determine which of a user’s Facebook friends are in a particular photo. Based on these suggestions, users can choose to “tag” or identify their friends in the photo. Facebook does this by analyzing faces in the photo and creating face signatures based on, for example, the distance between the eyes, nose, and ears. It then compares these “face signatures” to those previously collected and stored in a database to generate Tag Suggestions.

The lawsuit began in 2015 when Facebook users living in Illinois filed a complaint alleging that Facebook subjected them to facial-recognition technology in violation of BIPA. BIPA generally prohibits any private entity from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person’s biometric identifier or biometric information unless the entity first:

  • informs the subject in writing that a biometric identifier or biometric information is being collected or stored;
  • informs the subject in writing of the specific purpose and length of term of that collection, storage, and use; and
  • receives a written release from the subject.

The primary issue on appeal was whether the plaintiffs established Article III standing based on Facebook’s collection, use, and storage of their biometric information. Facebook had moved to dismiss the complaint for lack of Article III standing, arguing that the plaintiffs failed to allege any concrete injury because they merely alleged violations of BIPA’s procedural requirements and failed to specify how they were harmed by these alleged statutory violations. Plaintiffs opposed the motion, and then moved to certify a class. The district court rejected Facebook’s motion and granted plaintiffs’ motion for class certification.

To establish Article III standing, a plaintiff generally must have suffered an injury in fact that is concrete and particularized, as well as actual or imminent. The alleged injury must not be conjectural or hypothetical. As established in Spokeo, Inc. v. Robins, violation of a statutory right does not automatically establish Article III standing on its own. Instead, the Ninth Circuit uses a two-step approach and analyzes whether (1) the statutory provisions at issue were established to protect the plaintiff’s concrete interests (as opposed to purely procedural rights), and if so, (2) whether the specific procedural violations alleged actually harm, or present a material risk of harm to, such interests.

The Ninth Circuit’s Decision in Patel v. Facebook

Using this two-step approach, the Ninth Circuit affirmed the lower court’s ruling and held that the plaintiffs alleged a concrete and particularized harm sufficient to confer Article III standing. The court looked to the common law roots of the right to privacy and asserted that “an invasion of an individual’s biometric privacy rights ‘has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.’” The court was also persuaded by BIPA’s legislative history and the Illinois Supreme Court’s interpretation of the BIPA in Rosenbach v. Six Flags Entertainment Corp. (see our client alert here) to conclude that the statutory provisions at issue were established to protect concrete interests instead of procedural rights, and their violation actually harms or poses a material risk of harm to those privacy interests.

Along with its Article III standing argument, Facebook argued that BIPA was not intended to have extraterritorial effect, requiring a court to consider whether the events at issue occurred in Illinois. Facebook argued that the district court erred in certifying the class because Facebook’s collection and use of biometric information occurred in servers outside Illinois, and therefore each class member should have to provide individualized evidence that the events in her case occurred primarily and substantially in Illinois. The Ninth Circuit rejected this extraterritoriality argument, finding it “reasonable to infer that the [Illinois] General Assembly contemplated BIPA’s application to individuals who are located in Illinois, even if some relevant activities occur outside the state.”

Finally, in a ruling that should concern the defense bar, the Ninth Circuit refused to decertify the class, ruling that whether potentially enormous liability can justify denying a class certification depends on legislative intent, and “[w]here neither the statutory language nor legislative history indicates that the legislature intended to place a cap on statutory damages, denying class certification on that basis would ‘subvert [legislative] intent.’” Here, the court found that nothing in BIPA or its legislative history showed that a large damages award would contravene the legislature’s intent.

Circuit Split

The Ninth Circuit’s ruling in Patel puts it directly at odds with the Second Circuit’s 2017 decision in Santana v. Take-Two Interactive Software, Inc. There, the Second Circuit rejected BIPA claims from players of NBA 2K video games, holding that the players were not injured enough by the video game’s scans of their faces to confer Article III standing. This circuit split increases the possibility that the U.S. Supreme Court will take up the standing issue yet again to decide whether arguably unharmed plaintiffs are permitted to bring claims in federal court.

Takeaways

The case will now go back to the lower court for a possible trial, unless Facebook seeks review by the Supreme Court. If the ruling stands, it is likely to embolden more plaintiffs to bring BIPA cases now that the challenge of establishing Article III standing has been mitigated, at least in the Ninth Circuit, which is of major significance as many major technology companies are subject to suit within the Ninth Circuit. The Ninth Circuit also has signaled that it is not concerned about runaway statutory damages awards in privacy litigation. Companies that collect biometric information on Illinois residents, whether for commercial purposes or employment purposes, should carefully assess their practices with respect to biometric information against BIPA requirements to reduce the risk of potentially costly litigation. BIPA lawsuits have become extremely attractive to plaintiffs’ lawyers given businesses’ widespread collection of biometric information and the potentially enormous statutory damages available under BIPA.

Laura Foggan

Laura Foggan is a partner in Crowell & Moring’s Washington, D.C. office, and chair of the firm’s Insurance/Reinsurance Group. She has been described by LawDragon 500 Magazine as “one of the most successful advocates for the insurance industry to ever practice.” Laura was recently recognized as a Global Elite Thought Leader for Insurance & Reinsurance by Who’s Who Legal (2019), who praised her as a “dynamic and creative thinker” who has “very high standards and delivers superior work.” She is a Chambers-ranked Band 1 practitioner and included in the Best Lawyers in America directory, and consistently named one of Washington D.C.’s “Top 100 Lawyers” and “Top 50 Women Lawyers” and a “Super Lawyer” for Insurance Coverage by Super Lawyers Magazine. Laura represents clients in a variety of litigation and counseling matters.

Jeffrey L. Poston

Jeff Poston is a partner in Crowell & Moring’s Washington, D.C. office, where he serves as co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and is a member of the Litigation Group. A seasoned trial lawyer with more than 25 years of experience leading investigations and litigation for corporate clients, Jeff counsels and defends clients in complex data protection matters involving class-actions and regulatory enforcement actions, as well as commercial disputes. Jeff also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

Nathanial J. Wood

Nathanial Wood is a partner in Crowell & Moring’s Litigation Group in the firm’s Los Angeles office. His practice focuses on the litigation of complex commercial matters, including privacy and cybersecurity and class actions. Nathanial has substantial experience representing clients at all phases of the litigation process, from pre-litigation counseling through trial and appeals.

Brandon C. Ge

Brandon C. Ge is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Privacy and Cybersecurity and Health Care groups.

Brandon advises clients on a wide range of privacy and cybersecurity laws, regulations, and standards. His practice has a particular focus on advising clients – from start-up digital health companies to large health plans – on all aspects of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Brandon regularly assists clients with responding to security incidents and has successfully represented clients in Office for Civil Rights investigations.