On April 16, 2018, a California federal court certified a class of individuals suing Facebook for violating Illinois’s Biometric Information Privacy Act, paving the way for potentially billions of dollars in statutory damages. In re Facebook Biometric Information Privacy Litigation
, 2018 WL 1794295 (N.D. Cal. Apr. 16, 2018). Most notably, the court held that individual class members could recover statutory damages without demonstrating actual injury, boldly rejecting the sole Illinois appellate court decision on the issue—Rosenbach v. Six Flags
—which held that the statute only permitted individuals injured by a statutory violation to sue. Although the decision is potentially significant, the holding is questionable, the facts are distinguishable from most BIPA cases, and the massive potential liability will likely prompt Facebook to immediately appeal under Federal Rule of Civil Procedure 23(f).
A wave of class actions have been filed against companies under BIPA
BIPA prohibits private entities from obtaining or using an individual’s biometric information without first providing defined notices and obtaining written consent to do so. 740 ILCS 14/15(a), (b). BIPA allows any “person aggrieved” by a statutory violation to sue for either actual damages or “liquidated damages” of between $1,000 and $5,000, plus attorneys’ fees and injunctive relief. 740 ILCS 14/20.
The availability of liquidated damages has prompted dozens of recent class-action filings, mostly in Illinois state court, alleging BIPA violations. These cases have mostly been filed against employers who allegedly collected and used employee fingerprints for time clocks. These plaintiffs typically do not allege any tangible injury (e.g., identity theft), but simply allege a violation of BIPA’s notice-and-consent requirements and seek to collect the $1,000 to $5,000 liquidated damages for themselves and all other putative class members.
Several courts have dismissed BIPA claims for lack of a tangible injury
After a wave of BIPA filings, courts began dismissing BIPA claims where the plaintiff did not allege any tangible injury. See Vigil v. Take-Two Interactive, 2017 WL 5592589 (2nd Cir. Nov. 21, 2017) (dismissing BIPA claim for lack of Article III standing under Spokeo where plaintiffs allowed their faces to be scanned to become playable avatars in video game and alleged lack of notice and consent required by BIPA); McCollough v. Smarte Carte, Inc., 2016 WL 4077108, at *1 (N.D. Ill. Aug. 1, 2016) (dismissing BIPA claim for lack of Article III standing and statutory standing where plaintiffs allowed their fingerprints to be scanned to use as key for locker and alleged lack of notice and consent).
Most recently, an Illinois appellate court affirmed the dismissal of a BIPA claim and held that plaintiff’s lack of tangible injury meant the plaintiff was not “aggrieved” under BIPA and thus had no standing to sue. Rosenbach v. Six Flags Entertainment Corp., 2017 IL App (2d) 170317. Plaintiff there allowed her son’s fingerprints to be scanned when purchasing a season pass to the defendant’s theme park, and defendant allegedly failed to provide the notice and obtain the written consent required by BIPA. Id. at ¶¶ 7-10. Because plaintiff did not allege any injury beyond the statutory violation, the appellate court held that plaintiffs were not “aggrieved” by the violation, as required by the statute, and thus had no statutory standing to sue. Id. at ¶ 23 (“A determination that a technical violation of the statute is actionable would render the word ‘aggrieved’ superfluous.”).
The court in Facebook certified a class, rejecting the argument that class members were required to show individual injuries
Plaintiffs in the Facebook BIPA case sued based on Facebook scanning uploaded photos and creating a digital “template” of each face in the photos, including faces of non-Facebook users. Facebook does this to allow users to “tag” (i.e. identify) people in uploaded photos, which Facebook can then use to identify those people in other photos based on the biometric information Facebook extracts from the photos. Plaintiffs claimed Facebook violated BIPA’s notice-and-consent requirements.
The court in Facebook certified a class of all Facebook users located in Illinois whose facial template had been created and stored by Facebook within the statutory period. Facebook, 2018 WL 1794295 at *4. The court rejected all of Facebook’s predominance arguments including, most significantly, Facebook’s argument that each class member would need to show that they had suffered a tangible injury to be “aggrieved” and thus eligible for statutory damages under BIPA. Id. at *6–8. Surprisingly, the California district court rejected the Illinois appellate court’s holding in Rosenbach; the California court held that an individual need only show a statutory violation—and need not show a resulting tangible injury—to sue. Id. at *6–7. The Facebook court held that a statutory violation is an invasion of privacy sufficient to create statutory standing to sue, and that no further tangible injury (such as identity theft or financial loss) needs to be shown. Id. at *7. The court also noted that the facts of Rosenbach could be distinguished because there the plaintiff knew its fingerprints were being scanned, whereas class members in Facebook may not have known that biometric information was being collected and stored. Id. at *8.
BIPA defendants should be concerned by the Facebook decision and ready to push back
The Facebook decision is a big deal. The court itself recognized that the class could include over a million members and that BIPA’s statutory damages could result in billions of dollars in liability. Facebook, 2018 WL 1794295 at *9. And in other BIPA cases, the Facebook court’s conclusion that BIPA does not require any tangible injury not only expands potential liability but also makes class certification much easier by eliminating what should be an individualized inquiry.
But BIPA defendants have a number of arguments to limit the impact of Facebook. First, BIPA defendants (particularly in Illinois) should argue the case was wrongly decided and the Illinois appellate court’s contrary decision in Rosenbach (which is supported by decisions in Take-Two and McCollough) should control. Also, Facebook has unusual facts that can be distinguished. The court itself recognized that unlike an individual who knowingly submits to a fingerprint scan, the class in Facebook were arguably unaware that their biometric information was being collected and stored and thus have a stronger claim that an invasion of privacy caused them harm. Finally, the district court’s decision is likely not the last word; the massive exposure created by the decision will likely prompt Facebook to seek immediate appeal of the certification under Federal Rule of Civil Procedure 23(f). Thus, defendants and potential defendants should continue to watch the case.