Court Rules a Mere Procedural Violation of Biometric Law Enough for Standing

Published On March 13, 2018 | By Anna Hsia | Privacy
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

A federal court in California recently denied Facebook’s motion to dismiss an Illinois Biometric Information Privacy Act (“BIPA”) action on Spokeo grounds. The court held that a procedural violation of BIPA’s notice and consent requirements could manifest concrete injury because Illinois enacted the law to protect citizens’ privacy and the plaintiffs alleged they were not aware of the practices in dispute.

We’ve previously blogged about how the Supreme Court’s Spokeo v. Robins case impacts privacy class actions. In Spokeo, the Supreme Court ruled that a plaintiff must show “concrete and particularized” injury to maintain Article III standing. Defendants have used Spokeo to obtain dismissals of privacy actions including those alleging violations of the TCPA and actions under BIPA.

Plaintiffs in In re: Facebook Biometric Information Privacy Litigation alleged that Facebook violated BIPA by unlawfully collecting and storing biometric data without providing notice and obtaining consent. Facebook users can “tag” other Facebook users and non-users by identifying them in photos uploaded to Facebook. Plaintiffs alleged the “Tag Suggestions” program scans uploaded photographs, identifies faces in the photographs, and automatically suggests tags for those faces. Plaintiffs contended that Facebook secretly used facial recognition technology to extract biometric identifiers and store templates of faces, thereby violating BIPA’s requirement to obtain notice and written consent to collect and retain biometric data.

Facebook moved to dismiss, arguing that the named plaintiffs had no Article III standing, because the named plaintiffs had done nothing more than allege a mere procedural violation of BIPA. Facebook argued that such a procedural violation was not a “concrete and particularized” injury, as plaintiffs alleged no real-world harms.

The court disagreed, observing that “an alleged procedural violation [of a statute] can by itself manifest concrete injury where Congress conferred the procedural right to protect a plaintiff’s concrete interests and where the procedural violation presents ‘a real risk of harm’ to that concrete interest.” Finding that the Illinois legislature enacted BIPA to protect an Illinois citizen’s right to privacy in his or her biometric information, a violation of BIPA’s notice and consent procedures would itself cause “actual and concrete harm,” because the individual could not maintain his or her biometric privacy.

The court distinguished other BIPA cases dismissed under Spokeo, finding that in those matters, the plaintiffs’ allegations established that plaintiffs “indisputably knew that their biometric data would be collected before they accepted the services offered by the businesses involved.” Here, because plaintiffs alleged that they did not know of Facebook’s practices, the complaint sufficed for Article III standing purposes.


About The Author

Anna Hsia maintains a diverse practice litigating complex business disputes and counseling clients on privacy issues. With broad litigation experience in unfair competition, false advertising, class actions, and other complex litigation, Anna guides clients through disputes in federal and state courts. As a Certified Information Privacy Professional, Anna has assisted clients with product development and compliance with privacy regulations such as the TCPA, HIPAA, COPPA, state-specific privacy regulations, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act.