I Think I Know You From Somewhere: Federal Courts Continue to Limit Standing in Biometric Privacy Cases

Defendants continue to prevail when challenging standing in federal cases involving the Illinois Biometric Privacy Act (“BIPA”). In an important BIPA case, the Northern District of Illinois ruled in favor of Google in an opinion that clarifies federal standing requirements under the statute .740 ILCS 14/1 et seq.; Rivera v. Google, Inc., Case No. 16-cv-02714 (filed N.D. Ill. Mar. 1, 2016). In Rivera v. Google, the plaintiffs alleged that between 2015 and 2016 someone took photographs of them and then uploaded the photos into Google’s cloud-based service, where the photos were scanned in violation of BIPA to identify age, race, gender, and location and to match those to other photos in Google’s database. On December 29, 2018, Judge Edmond E. Chang granted Google’s summary judgment motion, finding that the plaintiffs failed to allege a concrete injury and, therefore, did not have Article III standing.

BIPA was enacted in 2008 and is the first state law concerning the growing number of businesses collecting biometric data. It was spearheaded by the ACLU of Illinois in response to the bankruptcy sale of a company called Pay By Touch, which used biometric technology to allow consumers to link their accounts to their fingerprints and then pay for items with their fingerprint. When Pay By Touch went out of business in 2008, it attempted to sell its database of biometric information. This caused a wave of concern, and as a result, the Illinois legislature passed BIPA. BIPA protects biometric data such as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” 740 ILCS 14/1 et seq. Private entities that collect this data must adhere to requirements for collection, destruction, and disclosure of this data. Id. The statute requires entities that collect and retain this data to obtain informed consent and to make certain disclosures upon collection. Id. Further, the statute provides for a private right of action for violations of the statute, with damages of up to $1,000 per negligent violation and $5,000 per intentional or reckless violation. Id.

After losing on a motion to dismiss based on the argument BIPA specifically excludes photographs, Google filed a motion for summary judgment. In relevant part, Google argued that plaintiffs lacked Article III standing under Spokeo v. Robins, an influential Supreme Court decision clarifying that while a “bare procedural violation” was not automatically sufficient to establish standing, some violations of the law could meet the concreteness requirement under Article III.

The court granted judgment in favor of Google, agreeing the plaintiffs did not suffer concrete injuries sufficient to confer Article III standing. The plaintiffs conceded they had not suffered any financial, physical, or emotional injury, except feeling “aggrieved.” The court assumed, for the motion, that defendants had not satisfied the “notice-and-consent” requirements.  Spokeo indicated the “substantial risk” of future harm could be sufficient to establish standing. Accordingly, the court set out to determine whether the statutory harm or the risk of future harm cited by plaintiffs was sufficiently concrete under Article III.

The court first noted that biometric information had never been accessed by a third party, so cases from the data breach context and cases where the information was sold or otherwise provided to third parties were deemed inapplicable. The court then considered whether the unauthorized collection and retention of the information satisfied the Article III requirements.  However, the Seventh Circuit had already established that mere retention of an individual’s biometric information was not a concrete injury under Article III. Gubala v. Time Warner Cable, Inc., 846 F.3d 909, 912-13 (7th Cir. 2016).

Accordingly, the court analyzed whether collection of an individual’s biometric information established a “substantial risk” of future harm. The court found that it did not. Unlike other cases in which courts found harm,[1] there was no substantial risk of identity theft, and the lack of consent did not increase the risk of harm in any way. Furthermore, Google’s creation of plaintiffs’ face templates without their knowledge did not constitute a concrete harm. The court looked to Fourth Amendment and privacy tort case law for guidance, but found no recognized privacy interest in a person’s face. The plaintiffs did not have a reasonable expectation of privacy in their faces, because “we expose our faces to the public such that no additional intrusion into our privacy is required to obtain a likeness of it, unlike physical placement of a finger on a scanner or other object, or the exposure of a sub-surface part of the body like a retina.” Because the plaintiffs had not sustained a concrete injury, the court dismissed the case for lack of jurisdiction.

On January 3, 2019, Judge Chang again dismissed a BIPA case for want of Article III standing, McGinnis v. Cold Storage, Case No. 17-cv-8054 (filed Nov. 7, 2017). In McGinnis, the plaintiff alleged he and other employees were required to scan their fingerprints at the beginning of each work day, without the disclosures and consent required by BIPA. The court held that the “privacy interests” and “mental anguish” alleged by the plaintiff were not sufficient to establish Article III standing under Spokeo. The court emphasized the plaintiff did not allege that the fingerprints had been disclosed to a third party and was aware that his fingerprint was being collected. Citing Gubala again in his analysis, Judge Chang dismissed the case.

Although these cases may be appealed, they will make it more difficult for plaintiffs to sue under BIPA in federal court. And while the standing conversation continues to dominate federal BIPA cases, Judge Chang previewed the substantive obstacles yet to come for plaintiffs.  Judge Chang noted in Rivera that “[t]o be crystal clear, the Court reiterates that it is assuming . . . that Plaintiffs’ face templates are biometric identifiers or information” as defined by BIPA.  We will also probably see BIPA cases assigned to Judge Chang, a move plaintiffs in the Northern District of Illinois might challenge.

The real impact, however, will be seen when the Illinois Supreme Court rules on Rosenbach v. Six Flags Entertainment Corporation, a case in which the Second Appellate District found that technical violations of BIPA were not sufficient to establish standing under Illinois standing requirements. If the Supreme Court reverses, more of these actions may be filed in state court, a friendlier forum. 2017 IL App (2d) 170317.

For more information, contact Reena Bajowala or another member of our Data Security and Privacy Group.     

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.