digital-fingerprint

Recently, lawsuits concerning the collection and use of consumer biometric data have spiked due to the ever-evolving laws and regulations concerning privacy, judicial interpretations that foster more ambiguity than clarity, and, of course, the rapid adoption of various types of biometric technology in everyday business. What stands out about many of these lawsuits, however, is how business can attempt to keep privacy complaints outside the courtroom.

For example, in Rivera v. Google, Inc., the U.S. District Court for the Northern District of Illinois dismissed a data privacy lawsuit against Google involving its photo app. Specifically, the Court held an alleged technical violation of the Illinois Biometric Information Privacy Act (BIPA) was insufficient to demonstrate “concrete injury” for purposes of Article III standing, and thus, subject matter jurisdiction. This ruling casts significant doubt on the enforceability of claims alleging mere technical BIPA violations in federal court, while also demonstrating how corporate defendants can try to challenge the injury-in-fact prong of Article III standing to defeat a wide range of data privacy actions.

|

Getting In Your Face: The Google Photos App

Google Photos is a free, cloud-based service for organizing and sharing photos. When users upload photos to the app, it detects images of faces and creates a face template. Google then uses these face templates to compare the visual similarity of faces within Google Photos users' private accounts, and then groups photographs with visually similar faces and displays the groups (called “face groups”) to the users' private account.

Recently, state legislatures have enacted legislation to regulate the collection and use of consumer biometric information. Under Illinois' BIPA, for instance, a private entity cannot collect or store certain kinds of biometric information—including face-geometry scans—without first obtaining consent and providing certain disclosures. In addition, BIPA provides a private right of action to individuals “aggrieved by a violation” of the law. BIPA violations are subject to statutory damages of $1,000 per violation, or $5,000 if the violation is considered intentional or reckless. Because of the law's expansive scope and availability of statutory damages, BIPA has served as the basis for several high-profile consumer class action lawsuits.

Plaintiffs Lindabeth Rivera and Joseph Weiss both sued Google, alleging the company unlawfully collected, stored and exploited their face-geometry scans via Google Photos in violation of BIPA. Both also claimed injury to their privacy interests—but acknowledged at deposition they did not suffer any financial, physical, or emotional injury apart from feeling offended by the unauthorized collection.

|

The Court's Decision

On summary judgment, Google argued the court lacked subject matter jurisdiction over the case because plaintiffs had not shown they had suffered “concrete injuries” sufficient to satisfy Article III standing. Importantly, the parties disputed how the court should apply the U.S. Supreme Court's most recent pronouncement on the injury-in-fact requirement, Spokeo v. Robins. In Spokeo, the high court reiterated that the concrete-injury requirement can be satisfied even if the injury is solely intangible. In determining which intangible injuries are sufficient to confer standing, Spokeo set out the general rule that a “bare procedural violation” of a statute is not automatically enough to satisfy Article III's concreteness requirement.

The Spokeo court further explained both the law's history and Congress' judgment play important roles in determining whether an intangible harm constitutes a cognizable injury-in-fact. In this respect, when Congress creates a cause of action for a statutory violation, by definition, it has created a legally protected interest that Congress at least deems important enough for a lawsuit. Still, Congress' role in identifying and elevating intangible harms does not mean a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a statutory right. Rather, Article III requires concrete harm “even in the context of a statutory violation”—mandating that plaintiffs plead concrete harm apart from a “bare procedural violation.” In addition, Spokeo also announced the principle that the risk of harm sometimes is enough to satisfy concreteness, and, in some instances, plaintiffs need not allege any additional harm beyond the one Congress identified.

Applying these principles to the case at hand, the district court analyzed plaintiffs' two principal arguments: that they suffered a concrete injury as a result of Google's retention and creation of their face templates, which they contended both ran afoul of BIPA. With respect to the “retention” argument, the court found it was clear Google's retention of the plaintiffs' unique face templates did not cause them a concrete injury for Article III standing purposes—as Seventh Circuit precedent had definitively held retention of an individual's private information, on its own, is not a concrete injury sufficient to establish Article III standing.

After disposing of the retention argument, the court turned to the “closer question” of whether the collection of face templates without plaintiffs' knowledge constituted a cognizable injury in fact. Under Spokeo, the court considered both whether legislative judgments supported the plaintiffs' claimed injury, and whether the plaintiffs' alleged injury mirrored the kinds of common law harms that have historically supported a finding of an Article III injury-in-fact. The court held plaintiffs' claimed injury was insufficient under both analyses.

First, as to whether legislative judgments supported plaintiffs' claimed injuries, the court noted the only specific injury described by BIPA was the risk of identity theft. Importantly, there was no legislative finding explaining why the absence of consent gives rise to an injury independent of the risk of identity theft. As such, BIPA's legislative judgments did not support a finding that the concrete-injury requirement had been met. In addition, in assessing possible analogues to common law harms that historically have supported an Article III injury-in-fact, the court found plaintiffs identified no common law torts that bore a close relationship to the collection of facial scans without user consent.

With neither a legislative judgment nor a common law analogue (or anything else) to support a concrete injury, the court concluded plaintiffs had not demonstrated an injury-in-fact sufficient to confer Article III standing. Accordingly, the court granted Google's summary judgment motion based on a lack of subject matter jurisdiction.

|

Takeaways: Does the Forum Make the Difference?

Just a few weeks after Rivera was decided, the Illinois Supreme Court handed down its decision in Rosenbach v. Six Flags Entertainment Corp., in which Illinois's highest court significantly altered the playing field in terms of BIPA litigation when it ruled a plaintiff may pursue a cause of action for damages and injunctive relief for mere technical violations—even where no actual harm or damage is sustained. The Illinois Supreme Court ruling substantially lowers the bar for maintaining cognizable claims for BIPA violation in Illinois state courts, as it permits procedural BIPA violations to proceed in state court without any allegations or evidence of an actual, concrete injury or harm. Because of the combination of the Rivera and Rosenbach rulings, litigators and clients alike should anticipate a great deal of forum shopping by plaintiffs, with more BIPA cases being filed in state court as compared to its federal counterpart.

As the Rivera decision demonstrates, federal courts have offered a differing interpretation vis-à-vis state courts related to subject matter jurisdiction. Importantly, Rivera offers key insight into the federal standing threshold for BIPA claims, and provides litigants a vital defense strategy for fighting back against, and defeating, BIPA actions in federal court. Article III represents a robust tool for defendants embroiled in data privacy and cybersecurity litigation, and can be raised at any stage of the litigation. In fact, Google did not raise its Article III defense at the motion to dismiss stage in Rivera, choosing instead to successfully assert the defense on summary judgment.

Although state courts may have differing constitutional standing analyses, companies would be wise to continue to not only obtain consent, but safeguard the information collected so to minimize the risk of alleged harm that may later have to be litigated in a class action. Most importantly, the company should have effective mechanisms to shield personal data held by the organization from unauthorized third-party disclosure or access, which can be utilized as a robust defense in the event the company ever finds itself in litigation involving alleged privacy violations pertaining to the collection/retention of biometric personal data.

|

Ana Tagvoryan is a partner at Blank Rome LLP and serves as chair of the Firm's Privacy Class Action Defense group and vice chair of the Corporate Litigation group. She can be reached at [email protected].

Jeffrey N. Rosenthal is a partner at Blank Rome LLP. He concentrates his complex corporate litigation practice on consumer and privacy class action defense, and regularly publishes and presents on class action trends, attorney ethics and social media law. He can be reached at [email protected].

David J. Oberly is an associate at Blank Rome LLP and is also a member of the Firm's Cybersecurity & Data Privacy group. He can be reached at [email protected].