Kamran Salour Publishes Daily Journal Article on Implications of Supreme Court BIPA Decision

August 14, 2020

Orange County, Calif. (August 14, 2020) - Orange County Data Privacy and Cybersecurity Partner Kamran Salour recently published an article in the Daily Journal titled “BIPA: How A Privacy Law Is Helping Shape Security Standards.” The article discusses the “far-reaching effects in security law” of the U.S. Supreme Court’s January 2020 decision to deny Facebook’s petition for certiorari in the case of Patel v. Facebook. In this matter, the Ninth Circuit held that Article III standing may exist under the Biometric Information Privacy Act (BIPA), even in the absence of a finding that a plaintiff suffered personal, real-world injury from the alleged BIPA violation.

Mr. Salour begins the article by explaining that BIPA, which the Illinois General Assembly enacted in 2008, imposes restrictions on how private entities may collect, use, and store biometric information. Specifically, the statute requires private entities to provide notice to, and obtain consent from, Illinois residents before collecting their biometric identifiers. The law also includes a private right of action for civil suits against entities that fail to comply with the required notice and consent procedures.

After reviewing the components of BIPA, Mr. Salour describes the Facebook matter, in which three Facebook users filed a consolidated putative class action alleging that Facebook violated their privacy rights under BIPA by failing to provide notice or request their consent before using its “Tag Suggestion Feature” to capture, use, and store their face geometry – a type of biometric identifier. Facebook moved to dismiss the plaintiffs’ complaint, contending they lacked Article III standing because they failed to allege that they suffered a concrete and particularized injury arising from Facebook’s alleged BIPA violations. The Ninth Circuit, however, denied Facebook’s motion, concluding that Facebook’s violation of BIPA’s notice and consent requirements “would necessarily violate [the plaintiffs’] substantive privacy rights” because “the privacy right protected by BIPA is the right not to be subject to the collection and use of biometric data.”

As Mr. Salour notes, Facebook then petitioned the U.S. Supreme Court for certiorari to determine whether a court could find Article III standing under BIPA where plaintiffs allege only a BIPA violation without alleging actual injury. As Mr. Salour states, because the Supreme Court denied Facebook’s petition, current Ninth Circuit law indicates that “a bare procedural violation of BIPA, without an additional showing of harm, confers Article III standing.”

In the last section of the article, Mr. Salour analyzes the potential broad implications of the Facebook decision. First, he points out that because BIPA applies to the collection and protection of biometric information, “BIPA’s unlimited private right of action for privacy violations impacts security violations, too.” Specifically, BIPA requires that private entities use the reasonable standard of care within their industries to store and protect all biometric information, and that they do so in a manner that is the same as or more protective than the manner in which the entities protect other confidential and sensitive information.

Mr. Salour explains that the Ninth Circuit’s ruling in Facebook and the Supreme Court’s subsequent denial of certiorari “leaves open the question of whether a plaintiff has Article III standing if that plaintiff alleges a violation of BIPA’s protection provision.” Accordingly, Mr. Salour advises that “this uncertainty should put private entities that store the biometric identifiers or biometric information of Illinois residents on alert.” He warns that a failure to protect the information in accordance with BIPA’s requirements “could be enough to confer standing,” even “without an allegation of harm resulting from the failure.”

Mr. Salour concludes by explaining how the provisions of the California Consumer Privacy Act (CCPA) illustrate that BIPA’s private right of action has impacted security standards outside of Illinois. Specifically, he explains that the original version of the CCPA provided that a bare BIPA violation constituted an injury in fact that could give rise to a private right of action. The current version of the law, however, limits a private right of action to the security setting. Mr. Salour concludes that this change in language was “the result of a compromise between proponents and opponents of the CCPA that was undoubtedly influenced by BIPA and its private right of action.”

Mr. Salour, CIPP/US and CIPT, dedicates his practice to helping clients respond to security incidents, comply with numerous data privacy and security requirements, and assert and defend against claims in state and federal litigation. In addition, utilizing his knowledge of domestic and international privacy laws, including the EU’s General Data Protection Regulation (GDPR), BIPA, and the CCPA, he educates clients about a full range of privacy issues and counsels them on complying with emerging and ever-changing privacy laws. 

You can read the full Daily Journal article here (subscription required).