Lessons from Rivera: What One Case Reveals About Federal Biometric Litigation
Rivera v. Google offers key insight into the federal standing threshold for BIPA claims, and provides litigants a vital defense strategy for fighting back against, and defeating, BIPA actions in federal court.
June 10, 2019 at 07:00 AM
8 minute read
Recently, lawsuits concerning the collection and use of consumer biometric data have spiked due to the ever-evolving laws and regulations concerning privacy, judicial interpretations that foster more ambiguity than clarity, and, of course, the rapid adoption of various types of biometric technology in everyday business. What stands out about many of these lawsuits, however, is how business can attempt to keep privacy complaints outside the courtroom.
For example, in Rivera v. Google, Inc., the U.S. District Court for the Northern District of Illinois dismissed a data privacy lawsuit against Google involving its photo app. Specifically, the Court held an alleged technical violation of the Illinois Biometric Information Privacy Act (BIPA) was insufficient to demonstrate “concrete injury” for purposes of Article III standing, and thus, subject matter jurisdiction. This ruling casts significant doubt on the enforceability of claims alleging mere technical BIPA violations in federal court, while also demonstrating how corporate defendants can try to challenge the injury-in-fact prong of Article III standing to defeat a wide range of data privacy actions.
|Getting In Your Face: The Google Photos App
Google Photos is a free, cloud-based service for organizing and sharing photos. When users upload photos to the app, it detects images of faces and creates a face template. Google then uses these face templates to compare the visual similarity of faces within Google Photos users' private accounts, and then groups photographs with visually similar faces and displays the groups (called “face groups”) to the users' private account.
Recently, state legislatures have enacted legislation to regulate the collection and use of consumer biometric information. Under Illinois' BIPA, for instance, a private entity cannot collect or store certain kinds of biometric information—including face-geometry scans—without first obtaining consent and providing certain disclosures. In addition, BIPA provides a private right of action to individuals “aggrieved by a violation” of the law. BIPA violations are subject to statutory damages of $1,000 per violation, or $5,000 if the violation is considered intentional or reckless. Because of the law's expansive scope and availability of statutory damages, BIPA has served as the basis for several high-profile consumer class action lawsuits.
Plaintiffs Lindabeth Rivera and Joseph Weiss both sued Google, alleging the company unlawfully collected, stored and exploited their face-geometry scans via Google Photos in violation of BIPA. Both also claimed injury to their privacy interests—but acknowledged at deposition they did not suffer any financial, physical, or emotional injury apart from feeling offended by the unauthorized collection.
|The Court's Decision
On summary judgment, Google argued the court lacked subject matter jurisdiction over the case because plaintiffs had not shown they had suffered “concrete injuries” sufficient to satisfy Article III standing. Importantly, the parties disputed how the court should apply the U.S. Supreme Court's most recent pronouncement on the injury-in-fact requirement, Spokeo v. Robins. In Spokeo, the high court reiterated that the concrete-injury requirement can be satisfied even if the injury is solely intangible. In determining which intangible injuries are sufficient to confer standing, Spokeo set out the general rule that a “bare procedural violation” of a statute is not automatically enough to satisfy Article III's concreteness requirement.
The Spokeo court further explained both the law's history and Congress' judgment play important roles in determining whether an intangible harm constitutes a cognizable injury-in-fact. In this respect, when Congress creates a cause of action for a statutory violation, by definition, it has created a legally protected interest that Congress at least deems important enough for a lawsuit. Still, Congress' role in identifying and elevating intangible harms does not mean a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a statutory right. Rather, Article III requires concrete harm “even in the context of a statutory violation”—mandating that plaintiffs plead concrete harm apart from a “bare procedural violation.” In addition, Spokeo also announced the principle that the risk of harm sometimes is enough to satisfy concreteness, and, in some instances, plaintiffs need not allege any additional harm beyond the one Congress identified.
Applying these principles to the case at hand, the district court analyzed plaintiffs' two principal arguments: that they suffered a concrete injury as a result of Google's retention and creation of their face templates, which they contended both ran afoul of BIPA. With respect to the “retention” argument, the court found it was clear Google's retention of the plaintiffs' unique face templates did not cause them a concrete injury for Article III standing purposes—as Seventh Circuit precedent had definitively held retention of an individual's private information, on its own, is not a concrete injury sufficient to establish Article III standing.
After disposing of the retention argument, the court turned to the “closer question” of whether the collection of face templates without plaintiffs' knowledge constituted a cognizable injury in fact. Under Spokeo, the court considered both whether legislative judgments supported the plaintiffs' claimed injury, and whether the plaintiffs' alleged injury mirrored the kinds of common law harms that have historically supported a finding of an Article III injury-in-fact. The court held plaintiffs' claimed injury was insufficient under both analyses.
First, as to whether legislative judgments supported plaintiffs' claimed injuries, the court noted the only specific injury described by BIPA was the risk of identity theft. Importantly, there was no legislative finding explaining why the absence of consent gives rise to an injury independent of the risk of identity theft. As such, BIPA's legislative judgments did not support a finding that the concrete-injury requirement had been met. In addition, in assessing possible analogues to common law harms that historically have supported an Article III injury-in-fact, the court found plaintiffs identified no common law torts that bore a close relationship to the collection of facial scans without user consent.
With neither a legislative judgment nor a common law analogue (or anything else) to support a concrete injury, the court concluded plaintiffs had not demonstrated an injury-in-fact sufficient to confer Article III standing. Accordingly, the court granted Google's summary judgment motion based on a lack of subject matter jurisdiction.
|Takeaways: Does the Forum Make the Difference?
Just a few weeks after Rivera was decided, the Illinois Supreme Court handed down its decision in Rosenbach v. Six Flags Entertainment Corp., in which Illinois's highest court significantly altered the playing field in terms of BIPA litigation when it ruled a plaintiff may pursue a cause of action for damages and injunctive relief for mere technical violations—even where no actual harm or damage is sustained. The Illinois Supreme Court ruling substantially lowers the bar for maintaining cognizable claims for BIPA violation in Illinois state courts, as it permits procedural BIPA violations to proceed in state court without any allegations or evidence of an actual, concrete injury or harm. Because of the combination of the Rivera and Rosenbach rulings, litigators and clients alike should anticipate a great deal of forum shopping by plaintiffs, with more BIPA cases being filed in state court as compared to its federal counterpart.
As the Rivera decision demonstrates, federal courts have offered a differing interpretation vis-à-vis state courts related to subject matter jurisdiction. Importantly, Rivera offers key insight into the federal standing threshold for BIPA claims, and provides litigants a vital defense strategy for fighting back against, and defeating, BIPA actions in federal court. Article III represents a robust tool for defendants embroiled in data privacy and cybersecurity litigation, and can be raised at any stage of the litigation. In fact, Google did not raise its Article III defense at the motion to dismiss stage in Rivera, choosing instead to successfully assert the defense on summary judgment.
Although state courts may have differing constitutional standing analyses, companies would be wise to continue to not only obtain consent, but safeguard the information collected so to minimize the risk of alleged harm that may later have to be litigated in a class action. Most importantly, the company should have effective mechanisms to shield personal data held by the organization from unauthorized third-party disclosure or access, which can be utilized as a robust defense in the event the company ever finds itself in litigation involving alleged privacy violations pertaining to the collection/retention of biometric personal data.
Ana Tagvoryan is a partner at Blank Rome LLP and serves as chair of the Firm's Privacy Class Action Defense group and vice chair of the Corporate Litigation group. She can be reached at [email protected].
Jeffrey N. Rosenthal is a partner at Blank Rome LLP. He concentrates his complex corporate litigation practice on consumer and privacy class action defense, and regularly publishes and presents on class action trends, attorney ethics and social media law. He can be reached at [email protected].
David J. Oberly is an associate at Blank Rome LLP and is also a member of the Firm's Cybersecurity & Data Privacy group. He can be reached at [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Judicial Ethics Opinion 24-58
- 2Sweet James Clinches $17.4M Personal Injury Jury Verdict in California's Kings County
- 3In Lame-Duck Session, US Senate Confirms Illinois Federal Judge on Bipartisan Vote
- 4Gordon Rees Opens 80th Office, ‘Collaboration Hub’ in Palo Alto
- 5The White Stripes Drop Copyright Claim Against Trump Campaign
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250