Privacy

Court Rules a Mere Procedural Violation of Biometric Law Enough for Standing

Published: Mar. 13, 2018

Updated: Oct. 05, 2020

A federal court in California recently denied Facebook’s motion to dismiss an Illinois Biometric Information Privacy Act (“BIPA”) action on Spokeo grounds. The court held that a procedural violation of BIPA’s notice and consent requirements could manifest concrete injury because Illinois enacted the law to protect citizens’ privacy and the plaintiffs alleged they were not aware of the practices in dispute.

We’ve previously blogged about how the Supreme Court’s Spokeo v. Robins case impacts privacy class actions. In Spokeo, the Supreme Court ruled that a plaintiff must show “concrete and particularized” injury to maintain Article III standing. Defendants have used Spokeo to obtain dismissals of privacy actions including those alleging violations of the TCPA and actions under BIPA.

Plaintiffs in In re: Facebook Biometric Information Privacy Litigation alleged that Facebook violated BIPA by unlawfully collecting and storing biometric data without providing notice and obtaining consent. Facebook users can “tag” other Facebook users and non-users by identifying them in photos uploaded to Facebook. Plaintiffs alleged the “Tag Suggestions” program scans uploaded photographs, identifies faces in the photographs, and automatically suggests tags for those faces. Plaintiffs contended that Facebook secretly used facial recognition technology to extract biometric identifiers and store templates of faces, thereby violating BIPA’s requirement to obtain notice and written consent to collect and retain biometric data.

Facebook moved to dismiss, arguing that the named plaintiffs had no Article III standing, because the named plaintiffs had done nothing more than allege a mere procedural violation of BIPA. Facebook argued that such a procedural violation was not a “concrete and particularized” injury, as plaintiffs alleged no real-world harms.

The court disagreed, observing that “an alleged procedural violation [of a statute] can by itself manifest concrete injury where Congress conferred the procedural right to protect a plaintiff’s concrete interests and where the procedural violation presents ‘a real risk of harm’ to that concrete interest.” Finding that the Illinois legislature enacted BIPA to protect an Illinois citizen’s right to privacy in his or her biometric information, a violation of BIPA’s notice and consent procedures would itself cause “actual and concrete harm,” because the individual could not maintain his or her biometric privacy.

The court distinguished other BIPA cases dismissed under Spokeo, finding that in those matters, the plaintiffs’ allegations established that plaintiffs “indisputably knew that their biometric data would be collected before they accepted the services offered by the businesses involved.” Here, because plaintiffs alleged that they did not know of Facebook’s practices, the complaint sufficed for Article III standing purposes.