Commentary Addressing Risks and Opportunities Through the Lifecycle of Data, Technology, Advertising and Innovation

Data Counsel

Home | Data Counsel

<img class="alignright wp-image-6022" src="https://dataprivacymonitor.bakerhostetlerblogs.com/wp-content/uploads/sites/5/2020/01/digital-data-facial-recognition-asian-womanGettyImages-1149705530_1200x630_72dpi.jpg" alt="" width="438" height="230" />

One decision, two far-reaching effects. This aptly describes the Supreme Court’s Jan. 21, 2020, <a href="https://www.supremecourt.gov/search.aspx?filename=/docket/docketfiles/html/public/19-706.html">decision to deny</a> Facebook’s petition for certiorari in Patel v. Facebook. The Supreme Court’s denial spelled an end to Facebook’s nearly five-year quest to dismiss this case, which began in August 2015 when three Facebook users filed a consolidated putative class action alleging that Facebook’s “Tag Suggestions Feature” violated the <a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004">Illinois Biometric Information Privacy Act</a> (BIPA).

On Jan. 29, 2020, <a href="https://www.nytimes.com/2020/01/29/technology/facebook-privacy-lawsuit-earnings.html">the New York Times reported</a> that Facebook had agreed to settle the case for $550 million.

BIPA BACKGROUND

Enacted in 2008, BIPA imposes restrictions on how private entities may collect and use the biometric information of Illinois residents. In general, the term “biometrics” may refer to a variety of measurements based on biological characteristics. Biometric identifiers, however, are specific, measurable characteristics used to identify individuals, such as fingerprints or retina scans. BIPA defines “biometric identifier” to mean “... a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” whereas the broader term “biometric information” is defined as “... any information ... based on an individual’s biometric identifier used to identify an individual.”

BIPA requires a private entity that collects, stores or uses an individual’s biometric identifier or biometric information to provide notice to, and obtain consent from, the individual prior to collection. In addition, BIPA requires such private entities to develop and implement a written policy regarding the retention and destruction of biometric information and make the policy publicly available. BIPA also restricts how an entity may further disclose biometric identifiers and information it collects. Notably, BIPA includes a private right of action allowing for civil suits to be brought against companies for alleged violations.

THE BIPA CLASS ACTION AGAINST FACEBOOK

In August 2015, three Facebook users filed a consolidated putative class action alleging that Facebook’s “Tag Suggestions Feature” violated their privacy rights under BIPA. They alleged that Facebook’s Tag Suggestions Feature captured, used and stored their biometric identifiers (in this case, face geometry) without their consent, in violation of BIPA. that the complaint described the feature as using “state-of-the-art facial recognition technology” to extract biometric identifiers from uploaded photos; recognize and identify faces; and suggest an individual’s name or automatically tag the individual. Facebook argued that BIPA excludes photographs, and information derived from photographs, from its definitions of “biometric identifier” and “biometric information” and, accordingly, does not apply to the data used by Tag Suggestions.

Facebook moved to dismiss the complaint, arguing in part that the plaintiffs lacked Article III standing because they had not alleged that they suffered a concrete and particularized injury resulting from Facebook’s alleged BIPA violations. In May 2016, the Northern District of California <a href="https://dataprivacymonitor.bakerhostetlerblogs.com/wp-content/uploads/sites/5/2020/01/US-Disctict-Court-Motion-to-Dismiss-and-Summary-Judgement-in-N-Dist.-California.pdf">denied Facebook's motion</a>. Facebook appealed to the Ninth Circuit.

On Aug. 8, 2019, the Ninth Circuit <a href="https://dataprivacymonitor.bakerhostetlerblogs.com/wp-content/uploads/sites/5/2020/01/Opinion-Patel-v.-Facebook-Inc.-Ninth-Circuit.pdf">denied Facebook's appeal</a>, affirming that the plaintiffs had Article III standing to sue for procedural violations of BIPA even though they had not alleged actual harm resulting from Facebook’s conduct. The Ninth Circuit concluded “the privacy right protected by BIPA is the right not to be subject to the collection and use of biometric data” and thus “Facebook’s alleged violation of these statutory requirements would necessarily violate [the plaintiffs’] substantive privacy rights.”

Following the Ninth Circuit’s denial, in December 2019, Facebook petitioned the Supreme Court to determine whether a court can find Article III standing based on its conclusion that a statute protects a concrete interest, without determining whether that plaintiff suffered a personal, real-world injury from the alleged violation. The Supreme Court denied certiorari on Jan. 21, 2020.

The Supreme Court’s denial has at least two potentially interesting implications. First, it appears a plaintiff has standing to sue under BIPA without alleging actual harm. Second, as other states enact new privacy laws, they may be cautious about whether to include a private right of action for violations, and more likely to limit the scope of such rights. Indeed, the California Consumer Privacy Act has a limited private right of action, and the newly proposed Washington Privacy Act includes no private right of action.

Following SCOTUS Cert Denial, Facebook Settles BIPA Case for $550 Million