Ninth Circuit Rejects Article III Standing Argument for BIPA Claims
Labor & Employment/Data Privacy & Security Alert 09/06/19 Gary R. Clark, Meghan C. O'Connor, Sarah A. Erdmann
In discussing the Illinois Supreme Court’s pivotal Rosenbach v. Six Flags Entertainment Corp. decision in prior client alerts (here and here), we noted a host of unresolved questions related to the surge of class action litigation under Illinois’ Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (“BIPA”). One such question - whether standing under Article III of the U.S. Constitution exists for BIPA claims if the plaintiff has no tangible injury - was recently answered by the Ninth Circuit in Patel et al. v. Facebook, Inc., No. 18-15982.
With companies rapidly adopting new technologies that enable employees and customers to utilize a biometric identifier (e.g. a fingerprint scan, retina scan or facial recognition scan) to log into an app or device (e.g. a time clock), Illinois' BIPA (and what it requires) has been in the spotlight lately. At its core, BIPA prohibits private entities from collecting, storing, or using biometric information, unless the entity adopts written policies, issues written notice, obtains individual written consent, and takes specific precautions to protect the information. See 740 ILCS 14/1 et seq. The law also requires certain disclosures if biometric information is shared with a third party. 740 ILCS § 14/15(d).
Rosenbach and the Meaning of “Aggrieved” Individual
Early on, there was doubt that a plaintiff could pursue a BIPA claim if he/she did not actually suffer an injury-in-fact as a direct result of a company’s BIPA violation. The Illinois Supreme Court dispelled any such doubt in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, in which it held that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”
Astute observers noted that Rosenbach only answered what it meant to be “aggrieved” under BIPA’s statutory provision creating a private cause of action and did not address whether federal or state constitutional standing existed for such claims when there is no tangible injury as a result of the violation. This led some to question whether Spokeo, Inc. v. Robbins, 136 S. Ct. 1540 (2016), might compel the dismissal of BIPA claims without a tangible injury due to the absence of Article III standing.
Patel Addresses Standing Question
In Patel et al. v. Facebook, Inc., No. 18-15982, the Ninth Circuit tackled this question head-on for a class action challenging Facebook’s use of facial recognition technology. In Patel, the plaintiffs were Illinois residents that claimed Facebook violated BIPA when it used facial recognition technology to create “face templates” that could be used to make tagging suggestions for photos uploaded to Facebook accounts. The Patel plaintiffs claimed that Facebook’s use of facial recognition technology and creation of the tagging template involved collecting, storing, and using biometric identifiers – including a scan of “facial geometry” - without first obtaining the necessary consent and release and having a policy related to retention. The plaintiffs sought to certify a Fed. R. Civ. P. 23 class of all Illinois residents who likewise had facial recognition technology applied to the photographs they uploaded to Facebook.
Facebook moved to dismiss on the basis that Article III standing did not exist for the BIPA claims alleged by these plaintiffs; it argued the violation was merely procedural in nature (i.e., the failure to receive the requisite notice and consent document) with no actual, tangible injury. The Ninth Circuit strongly disagreed with this assertion and handed down a decision suggesting that Article III standing challenges related to BIPA claims (and privacy claims in general) are unlikely to succeed going forward.
The panel applied a two-step approach it had developed in Spokeo (on remand), which required consideration of: “(1) whether the statutory provisions at issue were established to protect [the plaintiffs’] concrete interests (as opposed to purely procedural rights), and if so, (2) whether the specific procedural violations alleged in this case actually harm, or present a material risk of harm, to such interests.” Answering these questions, the panel held that BIPA was enacted to protect the right to privacy for Illinois residents with regard to their biometric identifiers. More specifically, the court held that BIPA is intended to give Illinois residents the right to control the collection, storage, and use of their biometric identifiers, including the right to avoid the collection, storage, and use of them and that “the development of a face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests.” Based on this, the panel found that the invasion of this right was itself a tangible and concrete injury-in-fact. Consequently, Article III standing existed for the claims.
What Does This Mean Going Forward?
First, while federal and state courts in Illinois have no obligation to follow this Ninth Circuit precedent, its holding is in philosophical lockstep with the Rosenbach decision from the Illinois Supreme Court and, thus, likely persuasive to an Illinois court.
Second, the court’s reasoning in finding a tangible and concrete injury-in-fact for the BIPA violations alleged in Patel is arguably applicable to other statutorily protected privacy rights that do not involve biometric identifiers. For example, this holding is presumably transferrable to the recently passed Artificial Intelligence Video Review Act in Illinois, which requires companies to provide notice to job candidates before utilizing AI technologies to evaluate their facial expressions, body language and speech patterns in interviews. If Article III standing exists under BIPA, why would it not for job candidates that fail to receive the required notice or for other privacy laws broader than BIPA?
Third, it is interesting to note the emphasis the Ninth Circuit placed on the Illinois legislature’s statements regarding the purpose of BIPA, explaining that biometrics are not like other unique identifiers. While passwords, account numbers, and even social security numbers can be changed, biometric data are “biologically unique to an individual.” Once compromised, there is no recourse; you cannot go to the DMV to get new fingerprints. Will other courts and legislatures considering biometric-related litigation and privacy legislation elevate this distinction between standard, unique personal information identifiers and identifiers that are biologically unique to an individual?
Does BIPA Apply Extra-Territorially?
An additional issue addressed by the Ninth Circuit in Patel is whether BIPA can apply extra-territorially to out-of-state actors. The court found that it can, if the relevant events occurred “primarily and substantially" in Illinois. This, of course, raised the question of where does a BIPA violation occur? Does it occur in Illinois when the Illinois resident uploads the picture to Facebook or does it occur in another state when Facebook’s servers apply facial recognition technology to create a template?
While the Patel court did not answer this precise question, it did note that any attempt to apply BIPA to out-of-state actors necessarily requires that the victims be Illinois residents and that the relevant events that constitute the BIPA violation primarily and substantially occur in Illinois. This is distinct from certain state data breach notification laws that do not require a breach or security incident to occur primarily or substantially in the state in order for the state’s breach notification law to apply. Instead, a number of state breach laws apply to breaches and incidents affecting state residents regardless of where the breach or security incident occurred. Companies should be prepared to analyze potential notification obligations under applicable state and federal law in addition to BIPA when dealing with biometric information.
What Are the Takeaways From This?
If you are a company collecting, storing, or using the biometric identifiers of Illinois residents within the state of Illinois, you are clearly covered by the law, regardless of where your company is domiciled. If, however, you are a company collecting, storing, or using biometric identifiers for Illinois residents from a location outside of Illinois, the question of whether BIPA covers your actions is still unresolved. Such companies should consult with legal counsel and follow the Patel case closely.
It is also important to note that the panel did not consider whether the plaintiffs established the necessary elements for the alleged BIPA violations; we should expect more on this front in terms of an ultimate resolution, which may include resolving first-impression BIPA issues as well as the potential for a settlement or change in Facebook’s facial recognition/tagging practices for current features (e.g., an opt-in to the Tag Suggestions feature) and features under development.
As always, we will be tracking any BIPA related developments, including any decisions that shed light on one or more of the outstanding BIPA questions. Also, stay tuned for other states passing similar laws as several jurisdictions are discussing legislation related to the protection of biometric data.
For questions about BIPA developments and compliance, please contact your local Quarles & Brady attorney or: