Skip to Main Content
Our Commitment to Diversity

Spokeo Fails Facebook: Privacy Violation Held to Constitute Concrete Harm Under Illinois Biometric Information Privacy Act

Date: 2 March 2018
U.S. Privacy, Data Protection and Information Management Alert
By: Kenn Brotman, Nora E. Becerra, Carl E Volz, Molly K. McGinley

On Monday, February 26, 2018, the United States District Court for the Northern District of California denied defendant Facebook’s motion to dismiss In re Facebook Biometric Information Privacy Litigation, finding plaintiffs had standing to bring their claims under the Illinois Biometric Information Privacy Act (“BIPA”).

BIPA creates a private right of action for plaintiffs to bring suit for the unauthorized use of their biometric identifiers, including retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry. [1] In re Facebook is a consolidated action involving three class action law suits against Facebook for its purported use of biometric information to offer its “Tag Suggestions” program, which identifies individuals in the photographs on the basis of facial geometry. The plaintiffs seek to represent a class of Facebook users from Illinois who have uploaded and shared photographs on the social network since 2010, when Facebook implemented “Tag Suggestions.”

In their complaint, plaintiffs allege that the “Tag Suggestions” program violates BIPA because Facebook did not: “[1] properly inform plaintiffs or the class in writing that their biometric identifiers (face geometry) were being generated, collected or stored; [2] properly inform plaintiffs or the class in writing of the specific purpose and length of time for which their biometric identifiers were being collected, stored, and used; [3] provide a publicly available retention schedule and guidelines for permanently destroying the biometric identifiers of plaintiffs and the class (who do not opt-out of ‘Tag Suggestions’); and [4] receive a written release from plaintiffs or the class to collect, capture, or otherwise obtain their biometric identifiers.” [2]

Facebook moved to dismiss the complaint, arguing that plaintiffs had failed to allege a concrete harm because the users did not set forth any adverse effects from having their faces recorded and recognized by Facebook’s tagging algorithm and thus lacked standing to bring their claims under Spokeo v. Robins. [3] Specifically, Facebook argued that Spokeo requires that plaintiffs allege a concrete harm caused by Facebook’s use of facial recognition data. Because none of the plaintiffs had alleged harm resulting from their facial identification and tagging by the software, Facebook argued they failed to meet the Article III standing requirements set forth in Spokeo.

In its recent decision, the U.S. District Court for the Northern District of California rejected Facebook’s argument, finding that “[a] violation of the BIPA notice and consent procedures infringes the very privacy rights the Illinois legislature sought to protect by enacting BIPA” and that violation of privacy “is quintessentially an intangible harm that constitutes a concrete injury in fact.” [4] The court went on to elaborate on Article III standing under BIPA, stating that the Act’s “provisions, along with the plain text of BIPA as a whole, leave little question that the Illinois legislature codified a right of privacy in personal biometric information… [and] [t]here is equally little doubt about the legislature’s judgment that a violation of BIPA’s procedures would cause actual and concrete harm.” [5]

In ruling for plaintiffs, the District Court distinguished cases in which other courts held that alleged violations of BIPA, without more, do not constitute an injury sufficient to confer Article III standing. Most notably, the court found that, unlike plaintiffs in McCollough v. Smarte Carte, Inc. [6] and Vigil v. Take-Two Interactive Software, Inc., [7] the plaintiffs in In re Facebook did not have a reasonable expectation that their biometric identifiers were being collected or used for a certain purpose.

In McCollough, biometric information purportedly was collected when a customer placed his or her finger on a fingerprint scanner in order to lock and unlock a locker. There, the court noted, “a customer would understand that Smarte Carte collects and retains their fingerprint data for at least the duration of the rental. The system would not work otherwise.” [8] Similarly, in Vigil, a case involving the alleged collection of face scans to create personalized avatars by a video game software company, the plaintiffs stood within 6 to 12 inches of the camera and slowly moved their heads 30 degrees to the left and to the right in order for the face scan to be collected. The player also consented by pressing “continue” after reading a notice stating that the face scan might be recorded. Thus, where the average customer “indisputably knew that their biometric data would be collected before they accepted the services offered by the businesses involved,” they “had sufficient notice to make a meaningful decision about whether to permit the data collection.” [9] This was a critical factual distinction upon which the court’s decision turned.

Accordingly, while future BIPA plaintiffs may argue that all BIPA claims necessarily allege injury sufficient to confer Article III standing, the Facebook holding is limited to the specific factual circumstances under which the alleged biometric identifiers were collected. Furthermore, this case supports the proposition that a plaintiff may not have Article III standing to assert a claim for a technical violation of BIPA where he or she was aware of, and effectively consented to, the collection of biometric information. [10]

[1] Complaint, USDC ND Cal., case 3:15-cv-03747-JD, ECF Dkt. No. 40 ¶ 2.

[2] Id., ECF Dkt. No. 40 ¶ 5.

[3] 136 S. Ct. 1540 (2016).

[4] Case No. 3:15-cv-03747-JD, 2018 WL 1050154, at *4, 2/26/18 Order, ECF Dkt. No. 294, p.6.

[5] Id.

[6] Case No.16 C 03777, 2016 WL 4077108 (N.D. Ill. Aug.1, 2016).

[7] 235 F. Supp. 3d 499, 513 (S.D.N.Y. 2017).

[8] McCollough, 2016 WL 4077108, at *1.

[9] Case No. 3:15-cv-03747-JD, 2018 WL 1050154, at *5, 2/26/18 Order, ECF Dkt. No. 294, p.9.

[10] It is also notable that the decision in In re Facebook did not address whether plaintiffs sufficiently allege that they are “aggrieved parties” under BIPA as mandated by the recent Illinois Appellate Court decision in Rosenbach v. Six Flags, 2017 IL App (2d) 170317 (holding that alleging only a technical violation of BIPA was insufficient to render a party “aggrieved,” as required to maintain an action under the Act).

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.

Find more items tagged as: Data Protection, Privacy, and Security
Return to top of page

Email Disclaimer

We welcome your email, but please understand that if you are not already a client of K&L Gates LLP, we cannot represent you until we confirm that doing so would not create a conflict of interest and is otherwise consistent with the policies of our firm. Accordingly, please do not include any confidential information until we verify that the firm is in a position to represent you and our engagement is confirmed in a letter. Prior to that time, there is no assurance that information you send us will be maintained as confidential. Thank you for your consideration.

Accept Cancel