In an important opinion, the Ninth Circuit affirmed a lower court’s ruling that plaintiffs in the ongoing Facebook biometric privacy class action have alleged a concrete injury-in-fact to confer Article III standing and that the class was properly certified. (Patel v. Facebook, Inc., No. 18-15982 (9th Cir. Aug. 8, 2019)). Given the California district court’s prior rulings which denied Facebook’s numerous motions to dismiss on procedural and substantive grounds, and the Illinois Supreme Court’s January 2019 blockbuster ruling in Rosenbach, which held that a person “aggrieved” by a violation of the Illinois Biometric Information Privacy Act (“BIPA”) need not allege some actual injury or harm beyond a procedural violation to have standing to bring an action under the statute, the Ninth Circuit’s decision was not entirely surprising. Still, the ruling is significant as a federal appeals court has ruled on important procedural issues in a BIPA action and found standing. The case will be sent back to the lower court with the prospect of a trial looming, and given BIPA’s statutory damage provisions, Facebook may be looking at a potential staggering damage award or substantial settlement.     

As discussed in past posts about the long-running Facebook biometric privacy class action, users are challenging Facebook’s “Tag Suggestions” program, which scans for and identifies people in uploaded photographs for photo tagging. The class alleges that Facebook collected and stored their biometric data without prior notice or consent in violation of the Illinois Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. 14/1 et seq.  While other technology companies face BIPA actions over photo tagging functions, In Re Facebook is the headliner of sorts for BIPA litigation, being the most closely-watched and fully-litigated.

There have been a host of new developments in this case as the parties continued to joust when the prospect of a trial was looming.  Earlier this month, a California district court denied both parties’ motions for summary judgment and found that a “multitude of factual disputes” barred judgment as a matter of law for either side.   (In re Facebook Biometric Information Privacy Litig., No. 15-03747 (N.D. Cal. May 14, 2018)).  The court’s prior orders over the past several years provide the context for the denial of summary judgment and the court’s refusal to revisit procedural rulings. See: In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016) (declining to enforce California choice of law provision in user agreement and applying Illinois law and refusing to find that the text of BIPA excludes from its scope all information involving photographs); Patel v. Facebook Inc., 290 F. Supp. 3d 948 (N.D. Cal. 2018) (declining to dismiss based on lack of Article III standing); In re Facebook Biometric Info. Privacy Litig., No. 15-03747, 2018 WL 1794295 (N.D. Cal. Apr. 16, 2018) (certifying Illinois user class and refusing Facebook’s renewed arguments to dismiss on procedural grounds). 

UPDATE: On March 2, 2018, in a related biometric privacy litigation surrounding Tag Suggestions brought by non-users of Facebook, a California district court in a brief order declined to dismiss the action for lack of standing, citing its reasoning in the Patel opinion.  (Gullen v. Facebook, Inc., No. 16-00937 (N.D. Cal. Mar. 2, 2018)). While Facebook offered evidence that it does not store faceprint data on non-users, but only analyzes it to see if there is a match, the court stated such substantive arguments are best left for summary judgment or trial.  Note: the Gullen case is related to the consolidated Facebook biometric privacy litigation and as such, is being heard before the same judge. The difference between the two actions is that Gullen involves non-Facebook users, whereas the plaintiffs in In re Facebook are registered users.

This past week, a California district court again declined Facebook’s motion to dismiss an ongoing litigation involving claims under the Illinois Biometric Information Privacy Act, 740 Ill. Comp Stat. 14/1 (“BIPA”), surrounding Tag Suggestions, its facial recognition-based system of photo tagging.  In 2016, the court declined to dismiss the action based upon, among other things, Facebook’s contention that BIPA categorically excludes digital photographs from its scope.  This time around, the court declined to dismiss the plaintiffs’ complaint for lack of standing under the Supreme Court’s 2016 Spokeo decision on the ground that plaintiffs have failed to allege a concrete injury in fact.  (Patel v. Facebook, Inc., No. 15-03747 (N.D. Cal. Feb. 26, 2018) (cases consolidated at In re Facebook Biometric Information Privacy Litig., No. 15-03747 (N.D. Cal.)).  As a result, Facebook will be forced to continue to litigate this action.

This dispute is being closely watched as there are a number of similar pending BIPA suits relating to biometrics and facial recognition  and other defendants are looking at which of Facebook’s defenses might hold sway with a court. 

This month, in one of the many recently-filed Illinois biometric privacy suits, a class action complaint alleging violations of Illinois’s Biometric Information Privacy Act (BIPA) was lodged against Wow Bao, a restaurant chain, over its use of self-order kiosks that allow customers to use faceprints as a method to authenticate purchases. (Morris v. Wow Bao LLC, No. 2017-CH-12029 (Ill. Cir. Ct. filed Sept. 5, 2017)).  The suit against Wow Bao was not the only BIPA-related suit filed in September, as several businesses with an Illinois presence, including Crunch Fitness and Speedway, Inc., were served with complaints. And more than a week ago, an Illinois federal court refused to dismiss BIPA claims against photo storage service Shutterfly over claims that its photo tagging feature created a faceprint of the non-user plaintiff after a friend uploaded a group photo, and upon the service’s suggestion, then tagged the plaintiff, thereby storing plaintiff’s faceprint and name in Shutterfly’s database without his notice or consent. (Monroy v. Shutterfly, Inc., No. 16-10984 (N.D. Ill. Sept. 15, 2017)).

Update: On March 9, 2017, Google filed a motion requesting the court certify an interlocutory appeal.  In particular, Google contends that the following question satisfies the statutory criteria: whether the term “biometric identifier,” as defined in Illinois Biometric Privacy Act, includes information derived from photographs.

We’ve closely followed the numerous biometric privacy disputes and legislative developments surrounding the Illinois Biometric Information Privacy Act (BIPA), which precludes the unauthorized collection and storing of some types of biometric data.  In the latest ruling, an Illinois district court refused to dismiss a putative class action alleging that the cloud-based Google Photos service violated BIPA by automatically uploading plaintiffs’ mobile photos and allegedly scanning them to create unique face templates (or “faceprints”) for subsequent photo-tagging without consent.  (Rivera v. Google, Inc., No. 16-02714 (N.D. Ill. Feb. 27, 2017)).

This is the third instance where a district court refused, at an early stage of a litigation, to dismiss BIPA claims relating to the online collection of facial templates for photo-tagging purposes.  Unlike those prior courts’ relatively cursory interpretations, however, the Rivera court’s expansive 30-page opinion is the deepest dive yet into the statutory scheme (and purported vagaries) of the Illinois statute.  The decision is the latest must-read for mobile or online services that collect and store biometric data from users as to what extent their activities might fall under the Illinois biometric privacy statute.  It may well turn out that the plaintiffs’ claims in Rivera (as well as the ongoing biometric privacy litigation going on in California) may prove unsuccessful on procedural or statutory grounds, yet, these initial takes on the scope of BIPA stress the importance of examining current practices and rollouts of new services that feature biometrics. 

As we have previously written about, there are several ongoing biometric privacy-related lawsuits alleging that facial recognition-based systems of photo tagging violate the Illinois Biometric Information Privacy Act (BIPA).  Add one more to the list.  A Chicago resident brought a putative class action against Google for allegedly collecting, storing

As we have previously noted, there are several ongoing privacy-related lawsuits alleging that facial recognition-based systems of photo tagging violate the Illinois Biometric Information Privacy Act (BIPA). The photo storage service Shutterfly and the social network Facebook are both defending putative class action suits that, among other things, allege