BIPA Violations Automatically A Concrete Harm In The 9th Circuit (Updated)

“A violation of the BIPA notice and consent procedures … is quintessentially an intangible harm that constitutes a concrete injury in fact.”

In re Facebook Biometric Litigation
Renewed motion to dismiss denied – Facebook allegedly collected, stored, and used biometric data without notice or consent required under the Illinois Biometric Information Privacy Act (BIPA). Plaintiffs alleged:
• Facebook collected, stored, and used biometric data without written consent
• Individuals were not informed their biometric data was collected or stored
• Individuals were not informed in writing of the specific purposes of use of their biometric data
• Facebook did not provide a publicly available retention schedule
• Facebook did not provide instructions for individuals to permanently destroy the biometric data held by Facebook

Multiple actions were filed in Illinois – two in federal court, and in state court that was removed to federal court by Facebook.

The court found:

(1) the statutory provisions of BIPA were established to protect the plaintiff’s concrete interests.
• Biometrics are uniquely sensitive identifiers (“BIPA expressly recognizes that social security numbers do not implicate the kinds of privacy concerns that biometric identifiers do“)
• Biometric technology is a new frontier subject to unpredictable developments
• People are apprehensive of transactions involving their biometrics
• Regulation of biometric collection, use, and storage serves the public interest


(2) the alleged procedural violations presented a material risk of harm to concrete interests the Illinois legislature sought to protect. “(T)he plain text of BIPA as a whole, leaves little question that the Illinois legislature codified a right of privacy in personal biometric information (and) a violation of BIPA’s procedures would cause actual and concrete harm.”

The court also noted that the Supreme Court expressly recognized the violation of statutory procedural rights in itself could be sufficient, without any additional alleged harm, to constitute a concrete injury. Furthermore, the 9th circuit had determined that intrusion on privacy alone could be a concrete injury (“Our circuit has specifically affirmed findings of concrete injury, and standing to sue, when plaintiffs were deprived of procedures that protected privacy interests without any attendant embarrassment, job loss, stress or other additional injury.“)

Finally, the court stated evidence submitted by Facebook contending BIPA notice and consent requirements were satisfied required a fact based inquiry ill-suited for a motion dismiss. “These dispositive disputes on the merits should be decided on summary judgment or at trial.”
[N.D. CA; 3:15-cv-03747]
jbho: the opinion builds on other recent, post-Spokeo decisions in the 9th, including Van Patten v. Vertical Fitness Group (9th Circ.; 14-55980) where the appellate court found that “a (single) violation of the TCPA is a concrete, de facto injury.” The court here felt “privacy torts do not always require additional consequences to be actionable” and that “when an online service simply disregards the Illinois procedures … the right of the individual to maintain her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.”

Note that the court previously rejected a motion to dismiss (Doc#120) premised on the argument the Facebook user agreement required disputes to be resolved under the laws of California. Per the court “if California law is applied, the Illinois policy of protecting its citizens’ privacy interests in their biometric data, especially in the context of dealing with ‘major national corporations’ like Facebook, would be written out of existence.”

Although, perhaps Facebook would have been better off in state court? Compare this to the recent decisions Rosenbach v. Six Flags (Ill. App. Ct. 2nd Dist; 2-17-0317) where the court found there was no concrete harm where the only injury alleged was a violation of BIPA’s disclosures and consent requirements.

A very compelling body of case law continues to evolve. Stay Tuned.

UPDATE: 16Apr2018 – class certified (Doc #333). The court found all the necessary elements of class certification were met, for a narrowed class of “Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011.” (Merely uploading a photograph did not necessarily mean that a face signature or template was collected or stored by Facebook.)

Notably, the court rejected Facebook’s contention that Commonality and Predominance were not met since determining whether each class member was aggrieved was an individual matter under Rosenbach v. Six Flags (Ill. App. Ct. 2nd Dist; 2-17-0317). The court disagreed, finding “the Rosenbach court expressly observed that Plaintiff did not allege in her complaint any harm or injury to a privacy right … the better reading is Rosenbach would find that injury to a privacy right is enough to make a person aggrieved under BIPA.” Furthermore, in Rosenbach, plaintiff expressly allowed his thumbprint to be scanned (not the case here).

The court also stated the geographic locations of Facebook servers were not a factor, as the present case was deeply rooted in Illinois. “The named plaintiffs are located in Illinois along with all of the proposed class members, and the claims are based on the application of Illinois law to use of Facebook mainly in Illinois.”


More Biometrics fun…

Leave a Reply