Ninth Circuit Finds Article III Standing For Procedural Violation Of Biometric Privacy Law

The Ninth Circuit Court of Appeals has written the latest chapter of the ongoing saga of Article III standing for violations of the Illinois Biometric Information Privacy Act (“BIPA”).  BIPA requires, among other things, that before collecting a person’s biometric information, a company must provide certain notices to the person and obtain a written release.  Under BIPA, companies that collect biometric information must also establish a retention schedule so that biometric information is not stored for longer than needed.

In light of the Supreme Court’s decision in Spokeo v. Robbins, however, several district courts had ruled that a bare procedural violation of BIPA, absent any additional harm, was insufficient to confer standing in federal court, because such a procedural violation does not constitute an injury-in-fact.  Yet the January 25, 2019 Illinois Supreme Court decision Rosenbach v. Six Flags Entertainment Corp. appeared to elevate a procedural violation of BIPA over the threshold of concrete harm, albeit in the context of statutory interpretation.

In Patel v. Facebook, the Ninth Circuit took a view similar to the Illinois Supreme Court, affirming a district court ruling that a procedural violation of BIPA is sufficient to confer Article III standing, because the procedural violation, in and of itself, constitutes the concrete harm necessary to satisfy the injury-in-fact requirement of Article III.

The case involves allegations regarding Facebook’s Tag Suggestions feature, which was added in 2010.  When Facebook users upload a photo, they can “tag” the people in the photo, which then links to that person’s Facebook profile.  The Tag Suggestions feature uses facial recognition technology to analyze a photo when it is uploaded and compare any faces in the photo to Facebook’s database of user face templates.  If the feature detects that the photo depicts a Facebook friend of the user who uploaded the photo, it suggests that the user tag the friend in the  photo.

The plaintiffs in the case allege violations of BIPA because Facebook collected a scan of their face geometry from uploaded photos to build its user face templates database without obtaining a written release and without establishing a BIPA-compliant retention schedule.  Facebook moved to dismiss the case for failure to meet the requirements of Article III standing, but the district court denied the motion.

On appeal, the Ninth Circuit affirmed the district court.  First, the court noted that a concrete injury does not necessarily have to be a tangible injury.  To determine whether an intangible injury is nevertheless concrete, the court considers “both history and legislative judgment.”  It also noted that the violation of a statutory right that protects against the risk of real harm may be sufficient to constitute an injury-in-fact, even absent any additional harm beyond the statutory violation.  To determine whether a statutory violation is a concrete injury, the court asks (1) whether the statutory provisions at issue were established to protect the plaintiff’s concrete interests, and if so (2) whether the specific procedural violations alleged actually harm, or present a material risk of harm to such interests.

The court answered both questions “yes” under plaintiffs’ allegations in the case.  It stated that privacy rights were well established in the common law and that technological advancements can present a real threat to those rights.  It also found the “judgment of the Illinois General Assembly” to be “instructive and important” on the matter.  It found that the Illinois General Assembly passed the procedural protections of BIPA as a means to protect a substantive right to biometric privacy.  It therefore concluded that the procedural protections in BIPA “were established to protect an individual’s ‘concrete interests’ in privacy, not merely procedural rights.”

It then turned to the question of whether the alleged procedural violations actually harmed or presented a material risk of harm to the plaintiffs’ privacy interests.  It concluded that they did.  Because the statutory right at issue is the right to retain control over one’s biometric information,  Facebook’s alleged conduct necessarily harmed that right.  In coming to its conclusion, the court cited to Rosenbach for the proposition that “when a private entity fails to adhere to the statutory procedures [in BIPA] the right of the individual to maintain his or her biometric privacy vanishes into thin air.”

Because the plaintiffs satisfied both prongs of the relevant test, the court ruled that they had sufficiently alleged a concrete injury-in-fact to satisfy the requirements of Article III standing.

Whether other circuits will rule similarly remains to be seen.  It is possible that the Supreme Court will ultimately have to resolve the issue.  But in the meantime, whether a BIPA litigant can successfully bring a claim in federal court (or whether a BIPA defendant can successfully remove a claim to federal court), may very well depend on where the claim is filed.

About The Author
Tagged with: , ,
Posted in Data Security, Privacy
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Subscribe For Updates


Cozen O’Connor Blogs