Last Friday, the Illinois Supreme Court ruled in the long-awaited Rosenbach case that an individual does not have to plead an actual injury or harm, apart from the statutory violation itself, in order to have statutory standing to sue under the Illinois Biometric Information Privacy Act (BIPA).  The Illinois Supreme Court ruling will allow procedural BIPA violations to proceed (and multiply) in state court – and has reportedly already prompted parties to settle such actions.  However, recent rulings in federal court have offered a divergent interpretation of the related, but different Article III standing issue.

With the flood of Illinois biometric privacy suits lodged against employers in recent months, and multiple biometric privacy suits against social media and other mobile platforms currently pending over the use of photo tagging functions, 2017 has been a busy year in this area.  In a notable circuit court level

For the second time in the past six months, a district court has dismissed a lawsuit alleging procedural and technical violations of the Illinois biometric privacy statute for lack of Article III standing.  In Vigil v. Take-Two Interactive Software, Inc., No. 15-8211 (S.D.N.Y. Jan. 27, 2017), the court dismissed Illinois biometric privacy claims against a videogame maker related to a feature in the NBA 2K videogame series that allows users to scan their faces and create a personalized virtual avatar for in-game play.  In a lengthy opinion, the New York court provided Take-Two with a resounding victory when it ruled that procedural violations of the notice and consent provisions of the Illinois biometric privacy statute are not in-of-themselves sufficient to confer standing.

Biometric technology such as facial recognition, iris scans, or fingerprint authentication is being used and further developed to improve the security of financial and other sensitive transactions.  At the same time, social media sites, mobile apps, videogame developers and others are employing biometrics for other cutting edge uses to improve services.  The current Vigil ruling is particularly important, however, as it may buoy companies that collect biometric data under reasonable notice and usage policies, as they hope that the approval applied in Vigil is affirmed, if appealed, and followed in other jurisdictions.

In Yershov v. Gannett Satellite Information Network, Inc., a user of the free USA Today app alleged that each time he viewed a video clip, the app transmitted his mobile Android ID, GPS coordinates and identification of the watched video to a third-party analytics company to create user profiles for the purposes of targeted advertising, in violation of the Video Privacy Protection Act (VPPA). When we last wrote about this case in May, the First Circuit reversed the dismissal by the district court and allowed the case to proceed, taking a more generous view as to who is a “consumer” under the VPPA.

On remand, Gannett moved to dismiss the complaint again for lack of subject matter jurisdiction, contending that the complaint merely alleges a “bare procedural violation” of the VPPA, insufficient to establish Article III standing to bring suit under the standard enunciated in the Supreme Court’s Spokeo decision. In essence, Gannett contended that the complaint does not allege a concrete injury in fact, and that even if it did, the complaint depends on the “implausible” assumption that the third-party analytics company receiving the data maintains a “profile” on the plaintiff.