In an important opinion, the Ninth Circuit affirmed a lower court’s ruling that plaintiffs in the ongoing Facebook biometric privacy class action have alleged a concrete injury-in-fact to confer Article III standing and that the class was properly certified. (Patel v. Facebook, Inc., No. 18-15982 (9th Cir. Aug. 8, 2019)). Given the California district court’s prior rulings which denied Facebook’s numerous motions to dismiss on procedural and substantive grounds, and the Illinois Supreme Court’s January 2019 blockbuster ruling in Rosenbach, which held that a person “aggrieved” by a violation of the Illinois Biometric Information Privacy Act (“BIPA”) need not allege some actual injury or harm beyond a procedural violation to have standing to bring an action under the statute, the Ninth Circuit’s decision was not entirely surprising. Still, the ruling is significant as a federal appeals court has ruled on important procedural issues in a BIPA action and found standing. The case will be sent back to the lower court with the prospect of a trial looming, and given BIPA’s statutory damage provisions, Facebook may be looking at a potential staggering damage award or substantial settlement.     

As outlined in prior posts about the long-running Facebook biometric privacy class action, users are challenging Facebook’s “Tag Suggestions” program, which scans for and identifies people in uploaded photographs for photo tagging (note: the class consists of Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011)). The class alleges that Facebook collected and stored their biometric data without prior notice or consent and without a compliant data retention schedule in violation of BIPA. Other technology companies face or have faced BIPA actions over photo tagging or similar functions, but the Facebook class action has been the most closely-watched and fully-litigated.

Facebook had previously moved to dismiss the plaintiffs’ complaint for lack of Article III standing. The district court denied Facebook’s motion to dismiss and certified a class. Facebook renewed its arguments on appeal, contending that the plaintiffs’ claims merely alleged a bare procedural violation of BIPA rather than an injury to a concrete interest, and thus plaintiffs lacked standing. Plaintiffs, in response, argued that Facebook’s violation of BIPA’s statutory requirements amounted to a violation of their substantive privacy rights and so qualified as a concrete injury.

The Ninth Circuit affirmed the lower court’s ruling and held that plaintiffs asserted a concrete and particularized harm sufficient to confer Article III standing because “BIPA protected the plaintiffs’ concrete privacy interest, and violations of the procedures in BIPA actually harmed or posed a material risk of harm to those privacy interests.”

“We conclude that the development of a face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests.  Similar conduct is actionable at common law.”

The court looked to the legislative history of BIPA to support the conclusion that the statutory provisions in BIPA were “established to protect an individual’s ‘concrete interests’ in privacy, not merely procedural rights.” It also cited favorably the Illinois Supreme Court’s Rosenbach decision, which held that an individual could be “aggrieved” by a BIPA violation because such a violation constitutes an “invasion” or “impairment” of an individual’s statutory rights.  The Ninth Circuit also concluded that, for standing purposes, the specific BIPA violations at issue presented a material risk of harm to plaintiffs’ privacy interests (citing its Eichenberger decision where the court had ruled that a plaintiff had standing to bring Video Privacy Protection Act claims due to the substantive privacy interest at issue):

“Because the privacy right protected by BIPA is the right not to be subject to the collection and use of such biometric data, Facebook’s alleged violation of these statutory requirements would necessarily violate the plaintiffs’ substantive privacy interests.”

There were several additional points of interest in the decision:

  • In its brief, Facebook had argued a lack of statutory standing and that the plaintiffs were not persons “aggrieved” by a BIPA violations and therefore could not bring an action. Choosing not to second guess the interpretation of the Illinois Supreme Court, the Ninth Circuit, in a footnote, stated that because Facebook’s interpretation of BIPA was rejected in Rosenbach, the argument was foreclosed.
  • Interestingly, the court did not cite or distinguish two pre-Rosenbach decisions from an Illinois federal district court that had dismissed two separate BIPA actions on Article III standing grounds.
  • The court also rejected Facebook’s argument that the class should be decertified on predominance grounds because the Illinois legislature did not intend for BIPA to have extraterritorial effect, and Facebook’s collection of faceprints should be deemed to have occurred on its out-of-state servers (and thus each class member would have to provide individualized proof that events in that class member’s case occurred primarily within Illinois). Instead, the court found that it was reasonable to infer that the Illinois legislature contemplated BIPA’s application to individuals who are located in Illinois, even if some relevant activities occur outside the state.

Looking Ahead

Despite the court’s refusal to dismiss the action on procedural grounds, the panel did not consider whether plaintiffs established the elements of the alleged BIPA violations or would ultimately succeed on the merits (yet, the alleged lack of Article III and statutory standing was perhaps Facebook’s most meritorious defense).  Moreover, one can’t help but couple this ruling with Facebook’s recent agreement to settle FTC privacy-related charges for $5 billion and undertake certain corporate oversight privacy reforms. Following the announcement of the FTC settlement, certain privacy advocates and members of Congress decried it as inadequate and noted that the settlement terms did not fundamentally change Facebook’s data collection practices. It is possible that Facebook may take another one-time charge in the coming year to cover a potentially nine-figure settlement in this biometric privacy litigation.  The question remains whether such a potential settlement would explicitly require changes to Facebook’s facial recognition practices or place limitations on future uses of its vast facial template database, or how (or if) Facebook would have to conform its user consent processes to comply with BIPA. For example, Facebook had previously turned off the automated Tag Suggestion feature in the EU, but last year announced it would test the feature, giving EU users the opportunity to opt-in or block Tag Suggestions.  Moreover, in 2018 Facebook notified U.S. users about how they could turn off facial recognition. Based on patent filings, Facebook is considering other commercial uses for facial recognition technology beyond photo tagging, so Facebook’s harnessing of its faceprint database seems to be a continuing part of its future suite of services, thus making the resolution of this litigation even more noteworthy.

We will continue to monitor this case for future developments, including how its ultimate resolution will affect other ongoing BIPA litigation.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jeffrey Neuburger Jeffrey Neuburger

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise…

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise, combined with his professional experience at General Electric and academic experience in computer science, makes him a leader in the field.

As one of the architects of the technology law discipline, Jeff continues to lead on a range of business-critical transactions involving the use of emerging technology and distribution methods. For example, Jeff has become one of the foremost private practice lawyers in the country for the implementation of blockchain-based technology solutions, helping clients in a wide variety of industries capture the business opportunities presented by the rapid evolution of blockchain. He is a member of the New York State Bar Association’s Task Force on Emerging Digital Finance and Currency.

Jeff counsels on a variety of e-commerce, social media and advertising matters; represents many organizations in large infrastructure-related projects, such as outsourcing, technology acquisitions, cloud computing initiatives and related services agreements; advises on the implementation of biometric technology; and represents clients on a wide range of data aggregation, privacy and data security matters. In addition, Jeff assists clients on a wide range of issues related to intellectual property and publishing matters in the context of both technology-based applications and traditional media.