This article was first published at JDSUPRA
On August 8, the Ninth Circuit issued a highly anticipated decision affirming the district court’s certification of a class of Facebook users who suffered alleged violations of the Illinois Biometric Information Privacy Act (“BIPA”). The case—which has been followed closely by the business community and privacy activists—may lead to the proliferation of biometric privacy class actions under the BIPA and analogous statutes in Texas, California, and Washington.
- A group of Illinois Facebook users filed a putative class action alleging that Facebook violated the BIPA by using facial recognition technology to automatically tag individuals in photos without first obtaining written consent and without complying with the BIPA’s requirements with respect to retention of biometric data.
- Facebook moved to dismiss for lack of Article III standing, arguing the plaintiffs alleged only a bare statutory violation, not a concrete injury. While the motion was pending, the plaintiffs filed a motion for class certification. The district court denied Facebook’s motion to dismiss and granted the plaintiffs’ motion for class certification. Facebook appealed.
- With respect to standing, the Ninth Circuit explained that the right to privacy has long been recognized as a concrete injury. And “[b]ecause the privacy right protected by BIPA is the right not to be subject to the collection and use of such biometric data, Facebook’s alleged violation of these statutory requirements would necessarily violate the plaintiffs’ substantive privacy interests.” Accordingly, the court concluded the plaintiffs had alleged a concrete injury in fact.
- The Ninth Circuit also affirmed the district court’s order on class certification, rejecting Facebook’s argument that the plaintiffs failed to satisfy Rule 23(b)(3)’s predominance requirement due to the presumption against extraterritorial application of Illinois law. In so holding, the court explained that Illinois law would govern the claims of individuals who use Facebook in Illinois, even if some relevant activities occurred outside the state.
- Moreover, the court rejected Facebook’s argument that the potential for a large, class-wide statutory damages award—including $1,000 for each negligent violation and $5,000 for each intentional or reckless violation across a putative class potentially consisting of millions of users—defeated Rule 23(b)(3)’s superiority requirement, since the Illinois legislature declined to impose any aggregate statutory damages cap in the BIPA.
- The decision comes as an increasing number of states weigh proposed legislation to curb biometric privacy abuses. In the wake of the Ninth Circuit’s ruling, corporate defendants that collect biometric data should ensure they comply with the BIPA and other state data privacy statutes, as failure to do so may expose the company to various risks, including consumer class actions and state attorney-general actions/investigations.
Read the Ninth Circuit’s opinion in Patel v. Facebook here.