What You Do Know Can’t Hurt You: Standing and the Illinois Biometric Privacy Act
The Illinois Biometric Information Privacy Act (“BIPA”) protects individuals against the unlawful collection, storage and use of their “biometric” information. Under BIPA, plaintiffs may bring claims against companies for failing to obtain informed consent before collecting biometric identifiers (including fingerprints and face scans) and for not maintaining proper privacy policies and procedures for storage of that information. Because the harm can be nebulous — for example, the economic harm from a violation is not always obvious — these cases often raise issues about what constitutes an actual “injury” sufficient to confer standing. Indeed, a number of recent cases in this area have given rise to an emerging circuit split. As in the false advertising context, some courts have permitted such cases to go forward on mere allegations of “bare procedural violations.” As these cases proliferate, we’ll be watching closely to see whether courts begin to apply the Article III criteria appropriately rigorously, as they have increasingly done in the false advertising context.
Take, for example, the recent decision in Lenoir v. Little Caesar Enterprises, Inc., 2020 WL 4569695 (N.D. Ill. Aug. 7, 2020), where the court denied Defendant Little Caesars’s motion to dismiss and allowed plaintiffs’ suit under BIPA to proceed. Plaintiffs were former employees of Little Caesars, having each worked at a Chicago-area branch of the pizza chain. During plaintiffs’ employment, Little Caesars had a “biometric time clock system,” which required employees (including plaintiffs) to clock in and out using a fingerprint scan. Plaintiffs alleged that the system violated BIPA because Little Caesars failed to follow the statute’s detailed requirements for handling biometric information. Specifically, plaintiffs alleged that Little Caesars failed to obtain written consent before collecting their fingerprints and sharing them with the time-keeping vendor. In addition, plaintiffs alleged that the company failed to publish data retention and destruction policies, as required under BIPA. The uncertainty surrounding Little Caesars’s use of their fingerprints and the potential for a data breach purportedly caused plaintiffs to suffer “emotional distress.”
The court rejected Little Caesars’s various arguments to dismiss the claims. Most notably, the company argued that one of the plaintiffs (Lenoir) “voluntarily gave up any right to pursue a BIPA claim” because she did, in fact, affirmatively consent to providing her fingerprints when, six months after she began working, she registered her finger scan with “Caesar Vision” and consented to the “past, present and future collection, use, and storage of [her] fingerprint data.” In support of this waiver argument, Little Caesars sought to attach “representative sample screens” reflecting Lenoir’s consent. The court, however, agreed with plaintiffs that such documents were not properly before the court on the motion to dismiss and that, even if they were, they did not defeat plaintiffs’ BIPA claims because, among other things, the consent came six months after Little Caesars had already collected and used Lenoir’s fingerprints.
The court did not, however, address the other question that the plaintiffs’ knowing participation in the fingerprint clock-in system raised: standing. Setting aside the question of whether any plaintiff gave consent or signed a waiver, didn’t their use of their fingerprints every day to clock in and clock out suggest that they knew Little Caesars was storing their prints? And if they knew that Little Caesars was storing their prints, how could they have been injured by Little Caesars’s purported failure to provide “notice” of that fact, in accordance with BIPA?
Spokeo and BIPA: An Emergent Circuit Split
Had the court considered these questions, they may well have doomed the plaintiffs’ case. The Supreme Court’s 2016 decision in Spokeo v. Robins, 136 S. Ct. 1540 (2016) provides the relevant framework. There, plaintiff sued defendant Spokeo, a “people search engine,” for posting inaccurate biographical information (age, marital status, profession, etc.) about him on an online profile. Plaintiff alleged that this misinformation violated the Fair Credit Reporting Act and harmed his employment prospects. The Ninth Circuit concluded that “the violation of a statutory right is usually sufficient injury in fact to confer standing,” only to have the Supreme Court vacate and remand. The Supreme Court faulted the Ninth Circuit for failing to consider the “concreteness” of the alleged injury, concluding that a plaintiff “cannot satisfy the demands of Article III by alleging a bare procedural violation” without some further allegation of concrete harm. The majority noted, for example, that an incorrect zip code would almost certainly qualify as a purely procedural violation.
Similarly, failing to notify plaintiffs that their fingerprints are being stored, when they already clearly know their fingerprints are being stored, seems like a “bare procedural violation” if ever there was one. Yet some courts have found standing based on similarly “procedural” violations of BIPA, leading to a circuit split among the Second, Seventh, and Ninth Circuits.
In Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019), the Ninth Circuit all but disregarded Spokeo, concluding that virtually any violation of BIPA necessarily constituted an Article III injury. There, the plaintiffs challenged Facebook’s “Tag Suggestions” feature, which used facial recognition software to analyze photos uploaded by a Facebook user to determine if they contained any of that user’s Facebook friends. The software worked by extracting “geometric data points” that make a face unique to create a “face signature.” Plaintiffs’ allegations were familiar: that because Facebook auto-enrolled them, they were never given the opportunity for informed consent and that Facebook failed to create and publish a data retention and destruction policy. Plaintiffs also alleged that Facebook misappropriated their biometric data and extracted value from it.
The Ninth Circuit rejected Facebook’s argument that plaintiffs lacked standing because they alleged only a “bare procedural violation of BIPA.” The court explained, first, that the “statutory provisions at issue were established to protect . . . concrete interests,” namely the right to privacy. Drawing from Fourth Amendment cases, the court concluded that “an invasion of an individual’s biometric privacy rights” is a “concrete interest” and not merely “procedural.” But then, the court did not really engage with the critical question of whether the facial recognition software truly “invaded” anyone’s “individual biometric privacy rights.” (After all, few people consider the layout of their faces to be deeply private: most of us show it to many strangers every day!) Instead, the court held that because Facebook’s conduct violated the statute, it necessarily violated those privacy interests: “Because the privacy right protected by BIPA is the right not to be subject to the collection and use of such biometric data, Facebook’s alleged violation of these statutory requirements would necessarily violate the plaintiffs’ substantive interests.” (Emphasis added.) In other words, the Ninth Circuit held that any violation of the statute, no matter how “procedural,” confers standing — exactly the logic that the Supreme Court rejected in Spokeo.
The Patel decision was in direct tension with the Second Circuit’s ruling (albeit by summary order) in another BIPA case, Santana v. Take-Two Interactive Software, Inc., 717 F. App’x 12 (2d Cir. 2017). Plaintiffs there alleged that the maker of the “NBA 2K15” and “NBA 2K16” video games violated BIPA through the “MyPlayer” feature, which enabled each user to create an individualized “avatar” through a 3-D face-mapping scan. To complete the scan, users placed their faces 6 to 12 inches from the camera for about 15 minutes. Before doing so, gamers would have to agree to terms and conditions, which alerted them that face scans might be “recorded or screen captured during gameplay.”
The Second Circuit concluded that “none of the alleged procedural violations . . . raise[d] a material risk of harm” to plaintiffs’ interest (as BIPA articulates) in “prevent[ing] the unauthorized use, collection, or disclosure of an individual’s biometric data.” The court found that, by informing users of the “face scan,” the terms and conditions to which plaintiffs agreed were “sufficient to meet BIPA’s mandates,” omitting only the word “geometry” (BIPA defines a “biometric identifier” to include a “scan of . . . face geometry”). The court further found that “[n]o reasonable person . . . would believe that the MyPlayer feature was conducting anything other than a [facial geometry] scan,” once he or she completed the 15-minute photographing process and got his or her “avatar.” Accordingly, plaintiffs failed to plausibly assert that they would have declined to create their MyPlayer avatar had Take-Two included the word “geometry.” In addition, the court found that plaintiffs failed to raise a material risk of harm on the notice provisions because they merely alleged that Take-Two did not tell them how long it would hold their biometric data. They did not, for example, show that defendants did not or would not destroy their biometric data according to the statute or that the company lacked proper protocols. As such, the court found “no material risk that Take-Two’s procedural violations have resulted in plaintiffs’ biometric data being used or disclosed without their consent.”
In Bryant v. Compass Group USA, Inc., 958 F.3d 617 (7th Cir. 2020), the Seventh Circuit staked out an intermediate position, adopting some but not all aspects of the Ninth Circuit’s permissive analysis. That case involved allegations that the plaintiff’s workplace — a call center in Illinois — required users to pay for purchases at the company snack machines through accounts linked to their fingerprints, instead of cash or card. In a putative class action, plaintiff alleged that defendants violated BIPA by failing to provide a written consent form and not disclosing data retention and destruction policies.
The court found standing for the informed consent violation: plaintiff had alleged “an invasion of her private domain, much like an act of trespass” on her “distinct biometric identifiers.” Likewise, the court found a sufficiently concrete harm under an “informational injury” theory: that defendant “withheld substantive information” that plaintiff was entitled to, which would have enabled her to decide “not to use the vending machines and instead [bring] her own lunch or snacks.” But like the court in the Little Caesars case, the Seventh Circuit failed to consider what “substantive information” the plaintiff had been denied. As in Take-Two, the plaintiff who used her fingerprints to purchase items from the vending machines cannot have reasonably believed that her employer was conducting “anything other than a [fingerprint] scan.” If she continued to participate in the program with that knowledge, then she did not suffer a concrete injury from being deprived of “substantive information.”
Adding to the confusion of Bryant is the fact that the Seventh Circuit reached the opposite conclusion as to the plaintiff’s claim that her employer had failed to develop a written data retention policy, as required by BIPA. The court concluded that the duty to develop and distribute such a policy is “owed to the public generally” and not to “particular persons whose biometric information” a defendant collects. Accordingly, the court found that plaintiff failed to allege a concrete and particularized injury. While we agree with that conclusion, it is difficult to reconcile with the court’s holding on the alleged lack of consent for use of her fingerprints. The court held that the defendant withheld “substantive information” from plaintiff by failing to inform her of something she clearly already knew — that the vending machines stored and used her fingerprints. And yet, when the defendant failed to inform her of something she presumably did not know — its policies for storing and disposing of that data — that did not cause a similar “informational injury.”
Lessons Learned from Standing Disputes in False Advertising
Returning to the Little Caesars employees in Lenoir: the district court, implicitly following the Seventh Circuit’s permissive view of BIPA standing in Bryant, didn’t bother to analyze the standing question. But it would have been difficult to find that the plaintiffs suffered any concrete injury, given that they must have known their fingerprints were being stored in connection with the timekeeping system. And plaintiffs’ protestations of “emotional distress” because they would “not learn of any data breach that compromises their biometric identifiers and information until after that data breach has occurred” seem similarly unavailing. No actions by Little Caesars (other than contracting with the oracle of Delphi as a third-party vendor) could eliminate that problem.
The good news is that, while BIPA plaintiffs are getting an improper free pass on concrete injury, many false advertising plaintiffs are not. Take, for example, a recent Second Circuit “slack fill” case, Berni v. Barilla S.p.A., 964 F.3d 141 (2d Cir. 2020). Customers brought a class action against Barilla pasta, alleging that the company included misleading “slack fill” in its newer pasta packages. A lone class member (a “serial” — and in this case, “cereal” — objector and advocate) balked at the settlement between plaintiffs and Barilla, arguing that past purchasers of Barilla lacked standing to seek injunctive relief. The court agreed, concluding that “past purchasers of a product, like the Barilla purchasers, are not likely to encounter future harm of the kind that makes injunctive relief appropriate.” Specifically, such customers, once they suffer their initial disappointment, are (arguably) unlikely to buy the product again. And should they manage to set aside their indignation and reach for that patented blue box once more, they will be under no illusion about the amount of pasta inside. That latter point — call it the “fool me once” principle — could just as easily apply to the Little Caesars employees in Lenoir and the other BIPA plaintiffs. Once they got information that placed them on notice of the use and storage of their fingerprints, they could no longer complain of any injury arising from the alleged violation of BIPA’s disclosure rules. We’ll be watching to see whether courts presiding over BIPA litigation begin to get wise to these principles as they weigh in.