Featured Expert Contributor—Civil Justice/Class Actions
By Frank Cruz-Alvarez, a Partner with Shook, Hardy & Bacon L.L.P. in the firm’s Miami, FL office, with Erica E. McCabe, an Associate in the firm’s Kansas City, MO office.
On February 26, 2018, the U.S. District Court for the Northern District of California tracked the U.S. Court of Appeals for the Ninth Circuit’s permissive approach to Article III standing when it denied Facebook Inc.’s (Facebook) renewed motion to dismiss for lack of subject matter jurisdiction in Patel, et al. v. Facebook Inc., ___F. Supp. 3d ___, 2018 WL 1050154 (N.D. Cal. Feb. 26, 2018). In rejecting Facebook’s motion, the court held that the putative class properly alleged a concrete injury in fact, consistent with the U.S. Supreme Court’s ruling in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (Spokeo I).
Originally filed as three individual cases in Illinois courts, the plaintiffs’ claims were transferred to the Northern District of California by stipulation of the parties and were subsequently consolidated into a single action. The putative class is composed of Facebook users who allege that the company’s “Tag Suggestions” program violated the Illinois Biometric Information Privacy Act (BIPA) when it collected and stored their biometic data without prior notice or consent. In light of this alleged violation, the plaintiffs seek declaratory and injunctive relief and statutory damages.
Facebook launched its “Tag Suggestions” program in 2010 as a way to increase photo “tagging” on the company’s social media platform. In application, the program utilizes “state-of-the art facial recognition technology to extract biometric identifiers from photographs that users upload.” Patel, 2018 WL 1050154 at *1. Once the biometric identifiers are extracted, Facebook creates and stores digital representations, or templates, of peoples’ faces based on the unique geometric relationship of their facial features.
To regulate the collection, use, and storage of an individual’s “uniquely sensitive [biometric] identifiers,” Illinois lawmakers enacted the BIPA. Id. at *3. Under this law, private entities that possess biometric data must “publish written policies on data retention and destruction,” provide written notice regarding the collection, storage, and retention of this data, and obtain written consent from each person whose data is collected. Ibid. Companies must also “limit the sale, trade, and disclosure of biometric data” and establish security measures for storing biometric data. Ibid.
Seeking protection under this law, the plaintiffs’ complaint alleges that Facebook’s “Tag Suggestions” program violates BIPA because Facebook allegedly failed to publish its data retention policies, provide written notice, or obtain written consent from each user whose biometric identifiers were collected and stored.
To establish Article III standing, plaintiffs must allege an “injury in fact” that is “fairly traceable to the challenged conduct of the defendants,” and “likely to be redressed by a favorable judicial decision.” Spokeo I, 136 S. Ct. at 1547. Citing the Supreme Court’s decision in Spokeo I, Facebook argued that the putative class lacked Article III standing because the plaintiffs could not demonstrate “real-world harms such as adverse employment impacts or even just anxiety,” and therefore, could not allege a concrete injury in fact. Patel, 2018 WL 1050154 at *4 (internal quotations omitted) (emphasis in original).
Looking first to Facebook’s reliance on Spokeo I, the court rejected any assertion that the Supreme Court established new standing requirements pertaining to intangible harms. Instead, the court opined that Spokeo I simply “sharpened the focus on when an intangible harm such as the violation of a statutory right is sufficiently concrete to rise to the level of an injury in fact.” Id. at *2.
The court further explained that demonstrating injury in fact for the alleged procedural violation of a statute only requires a showing that: “(1) the statutory provisions at issue were established to protect the plaintiff’s concrete interests; and (2) the specifically alleged procedural violations actually harm or present a material risk of harm to those interests.” Id. at *3 (internal citations omitted).
Applying this standard to the plaintiffs’ claims, the court held that the Illinois legislature had “codified a right of privacy in personal biometric information.” Id. at *4. The court likened this claim under BIPA to “a long tradition of claims actionable in privacy law,” and noted that “privacy torts do not always require additional consequences to be actionable.” Id. (quoting Eichenberger v. ESPN, Inc., 876 F.3d 979, 983 (9th Cir. 2017)) (internal quotations omitted). Accordingly, the court determined, any violation of such a right constitutes actual and concrete harm sufficient to maintain Article III standing.
As a final matter, the court also rejected Facebook’s reliance upon two similar cases filed under BIPA, McCollough v. Smarte Carte, Inc. and Santana v. Take-Two Interactive Software, Inc. Despite striking similarities, the court distinguished the facts of Patel, stating that the plaintiffs in McCollough and Vigil “indisputably knew that their biometric data would be collected before they accepted the services offered by the businesses involved.” Patel, 2018 WL 1050154 at *5.
The court’s ruling in Patel is consistent with the Ninth Circuit’s trend towards a more pro-plaintiff interpretation of injury in fact post-Spokeo I. However, while protected from a motion to dismiss on jurisdictional grounds, it remains unclear how the remaining issues regarding whether Facebook’s user agreement and data policy satisfied BIPA’s notice and consent requirements will play out on summary judgment or at trial.
Given this trend towards a permissive interpretation of injury in fact, companies should carefully consider their compliance with state procedural laws, especially in the context of biometric privacy. Failure to do so may result in lengthy litigation without the reprieve of a dismissal based upon Article III standing.