In November, we identified an emerging trend involving Article III standing in cases brought under Illinois’ Biometric Information Protection Act (“BIPA”). The Northern District of California’s recent decision in Patel v. Facebook Inc., No. 3:15-cv-03747-JD, 2018 U.S. Dist. LEXIS 30727 (N.D. Cal. Feb. 26, 2018), denying Facebook’s motion to dismiss for lack of subject matter jurisdiction, demonstrates that the trend is persisting.
BIPA requires entities collecting, using, and storing biometric data (such as face, retina, and fingerprint scans) to, among other things, inform and obtain consent from the owners of the data. BIPA also requires the entity to establish a retention schedule such that the biometric data is destroyed when the purpose for its use has been satisfied or within three years, whichever occurs first. Users must be informed of this retention schedule.
Facebook Plaintiffs Have Standing
Patel originated as three separate cases filed in Illinois. After the parties stipulated transfer of the cases to California, they were consolidated into a single class action. The named plaintiffs allege that Facebook, through its “tag suggestions,” which employs “state-of-the-art facial recognition technology,” secretly collected plaintiffs’ biometric data without their consent.
Facebook moved to dismiss the class action complaint for lack of subject matter standing, arguing that plaintiffs’ alleged injury was not sufficiently concrete under Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016). Pursuant to Spokeo, a plaintiff must demonstrate standing to sue by alleging the “irreducible constitutional minimum” of (1) an “injury in fact” (2) that is “fairly traceable to the challenged conduct of the defendants” and (3) “likely to be redressed by a favorable judicial decision.”
After clarifying that Spokeo “did not announce new standing requirements,” but instead “sharpened the focus on when an intangible harm such as the violation of a statutory right is sufficiently concrete to rise to the level of an injury in fact,” the Northern District of California in Patel found that Illinois’ legislature clearly desired to vest in Illinois residents “the right to control their biometric information by requiring notice before collection and giving residents the power to say no by withholding consent.” According to the court, that right “vanishes into thin air” when an on-line company like Facebook disregards the procedures—such as requiring consent and establishing a retention schedule—set forth in BIPA. The Court wrote, “The precise harm the Illinois legislature sought to prevent is then realized,” and that harm, though intangible, “quintessentially” constitutes a concrete injury, satisfying Article III standing.
Comparing Patel With Previous BIPA Decisions
At first blush, the Patel decision may appear inconsistent with recent decisions on Article III standing in BIPA cases, most notably, the Second Circuit’s recent decision in Santana v. Take-Two Interactive Software, No. 17-303, 2017 U.S. App. LEXIS 23446 (2d Cir. Nov. 21, 2017). In Take-Two, the plaintiffs alleged the video game developer violated BIPA when it failed to inform them of (1) the collection of their biometric data, and (2) its biometric data retention schedule, when the plaintiffs provided facial scans to create a 3-D rendition of their faces in order to generate personal avatars. Unlike in Patel, the Take-Two court affirmed the lower court’s decision in granting Take-Two’s motion to dismiss for lack of Article III standing. The Take-Two court explained that the alleged violations of BIPA, as stated by the plaintiffs, “fail[ed] to raise a material risk of harm.”
Essential to the Take-Two decision was the court’s rejection of allegations that Take-Two collected consumers’ biometric data without authorization. To create the avatar, the plaintiffs were required to agree to terms and conditions explaining that their avatar would be visible to other users and may be recorded. Then the plaintiffs had to place their faces within 6 to 12 inches of the camera and slowly turn their heads to the left and right for approximately 15 minutes. The court held that “no reasonable person” would believe that Take-Two was conducting anything other than a facial scan. Also notable was that the plaintiffs did not allege Take-Two lacked sufficient protocols, that its policies were inadequate, or that it was unlikely to abide by its internal procedures. The Second Circuit found that the plaintiffs’ allegations amounted to “only a bare procedural violation.”
Similar reasoning was applied in McCollough v. Smarte Carte, Inc., 2016 U.S. Dist. LEXIS 100404 (N.D. Ill. Aug. 1, 2016). In Smarte Carte, plaintiff Adina McCollough used her fingerprint to rent a locker at Chicago’s Union Station. In order to rent the locker, she was prompted to place her finger on a fingerprint scanner; thereafter, a rendition of her fingerprint appeared on a touchscreen. In order to unlock the locker, McCullough again had to place her finger on the scanner and her print displayed on the screen. A matched fingerprint unlocked the locker. McCollough claimed Smarte Carte violated BIPA by not informing her that her biometric data was being collected and by not obtaining her consent. Like Take-Two, the Smarte Carte court held that McCollough “undoubtedly understood” that her fingerprint was being retained so that she could retrieve her belongings from the locker and thus there was no concrete injury and no Article III standing.
The Patel court distinguished these cases, explaining that the harm alleged in Take-Two and Smarte Carte was a “far cry” from plaintiffs’ allegations in Patel, reasoning that, in both Take-Two and Smarte Carte, “plaintiffs had sufficient notice to make a meaningful decision about whether to permit the data collection.” In Patel, however, the plaintiffs alleged they were afforded “no notice and no opportunity to say no.” The court’s decision to deny Facebook’s motion to dismiss seemed to turn on that critical distinction.
The Emerging (Persistent) Trend
Comparing Patel, Smarte Carte, and Take-Two, the emerging trend we identified last year is holding up. Where a plaintiff can show she had no meaningful opportunity to withhold consent for the collection of her biometric data, she will likely have Article III standing. However, unless she can show her biometric data was stolen or was at risk of being stolen, where a plaintiff gives her biometric information knowingly and willingly, the technical failure to obtain consent or otherwise inform the user will likely be insufficient to assert Article III standing.