Ninth Circuit Affirms Class Certification, Standing in Illinois Biometric Information Privacy Act Suit Against Facebook
A three-judge panel of the Ninth Circuit U.S. Court of Appeals has held that Illinois Facebook users may bring claims for privacy violations under state law for the use and storage of biometric information on the company’s platforms and servers.
Chicago, Ill. (August 21, 2019) - A three-judge panel of the Ninth Circuit U.S. Court of Appeals has held that Illinois Facebook users may bring claims for privacy violations under state law for the use and storage of biometric information on the company’s platforms and servers. Patel v. Facebook, 18-15982, (9th Cir. Aug. 8, 2019).
The court held that injury in fact was pled by the three Illinois residents whose “face templates” were created and used by Facebook without sufficient notice, agreement, and protection under the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/15. The court also affirmed a class certified as “Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011.” Patel, at *10; F.R.Civ.P. 23(f); 28 U.S.C. 1292. The size of this class is not currently clear. The case will return to the Northern District of California for further proceedings absent further review or attempt to appeal.
This ruling is expected to have an immediate impact on the nature and scope of BIPA litigation depending on the technology involved and will likely have insurance coverage implications as well. The ruling may raise significant questions of available insurance coverage for BIPA claims against businesses that use finger-print and facial recognition technology in both employment and non-work environments, and whether those claims are within the scope of personal and/or advertising injury coverage. Additionally, the case confirms that BIPA cases will proceed in courts outside of Illinois if other jurisdictional prerequisites are met.
BIPA was enacted in 2008 to regulate the collection and storage of biometric information by private entities. The law provides that no private entity may collect, store, or use biometric information without notice to and written release or consent from the subject. 740 ILCS 14/15. On January 25, 2019, the Illinois Supreme Court held that individuals do not need to allege they were actually harmed by a violation of BIPA to seek liquidated damages and injunctive relief under the Act. Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186.
This ruling strengthened the bases for class actions under BIPA in a way similar to the Telephone Consumer Protection Act (TCPA) and class actions where any technical violations results in an award of “statutory damages.” BIPA provides for statutory damages of $5,000 for each reckless or intentional violation, $1,000 for each negligent violation or actual damages plus attorneys’ fees. 740 ILCS 14/20(1).
Class action lawsuits have been filed at an average of about one per day since the Rosenbach decision came down.
Patel v. Facebook
In Patel, the plaintiffs alleged BIPA violations occurred when biometric material was collected, stored, and used without prior written release or agreement after Facebook launched its “Tag Suggestions” feature in 2010. When this feature is enabled, Facebook uses facial recognition technology to analyze the faces of other people in the photos uploaded by the user and suggest that the user “tag” the others in the photo. The technology creates a face map or signature from the face geometry collected. Facebook then compares the face signature to “face templates” of other users that are already stored by Facebook. If there is matching data, Facebook will suggest tagging others in the photo.
The Ninth Circuit reviewed common law privacy interests and constitutionally protected “zones of privacy” in finding that “an invasion of an individual’s biometric privacy rights has a ‘close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts’” in order to find a concrete and particularized injury for Article III standing. Id., at *16, citing Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2015)(rights under Fair Credit Report Act, 15 U. S. C. §1681). The court reasoned that the statutory provisions were established to protect “concrete interests” as opposed to procedural rights, and that the alleged violations caused actual harm or threatened harm to those concrete interests.
The court listed a parade of horrible and unforeseen uses as Facebook could use and “retain this template for all time.” Patel, at *19. At the pleadings stage, the court noted that the three representative plaintiffs alleged that there was not proper notice nor a proper release, and no evidence of a retention policy consistent with BIPA. The court noted parenthetically that under BIPA, a photograph alone is not “biometric material” but can be when its data is scanned and converted into facial geometry identifiers. Id., at * 8, ftn.4.
The Patel decision is distinguishable due to the significant level of biometric collection involved, which was described by the court as “detailed, encyclopaedic, and effortlessly compiled.” This is vastly different than technology in many BIPA cases, for example, technology that acquires an image of points on a person’s finger and turns it into an algorithm that cannot be reverse engineered. Depending on the facts and technology involved in any particular BIPA case, Patel’s impact may be limited.
The Patel litigation should be monitored for decisions on still-pending issues such as: the scope and impact of Facebook’s disclosure of the Tag Suggestions and the efficacy of an “opt-out” option; the nature and scope of consent; and the measure of damages as it is not yet clear under Illinois law how to calculate the number of violations, but that number alone could be significant.
As stated above, this case will also likely have coverage implications for businesses. Many liability policies with advertising and/or personal injury coverage exclude coverage for claims arising out of an act or omission that violates or is alleged to violate “[a]ny federal, state or local statute, ordinance or regulation…that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” CG 1012 0817, p.10-11 of 20. As such, we anticipate coverage litigation over the scope of these provisions and the rights and obligations to defend and indemnify for BIPA claims and judgments.
For more information, visit our Illinois BIPA Practice page.
Vincent Tomkiewicz, Partner
Daniel Cetina, Associate
Mary A. Smigielski, Partner