Privacy & Cybersecurity Law Blog

On August 8, 2019, the United States Court of Appeals for the Ninth Circuit allowed a class action brought by Illinois residents to proceed against Facebook under the Illinois Biometric Information Privacy Act (“BIPA”) (740 ICLS 14/1, et seq.).

The plaintiffs alleged that Facebook subjected them to a facial recognition technology in violation of BIPA. Facebook moved to dismiss the case due to lack of Article III standing, but while the motion was pending, the plaintiffs moved to certify their putative class action. The trial court denied the motion to dismiss and certified a class of Illinois Facebook users. Facebook appealed both rulings.

The Ninth Circuit first found sufficient Article III standing because the plaintiffs alleged a concrete injury-in-fact, not a mere procedural violation, under BIPA. The court underscored that advances in technology can increase the potential for unreasonable intrusions into personal privacy. It also held that an invasion of biometric privacy rights has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit. This point was further buttressed by the “instructive and important” judgment of the Illinois General Assembly that capture and use of biometric data invades a concrete interest. The court also found that a BIPA violation actually harmed or presented a material risk of harm. Quoting the Supreme Court of Illinois, the Ninth Circuit stated that if a private entity fails to adhere to the BIPA, an individual’s biometric privacy right “vanishes into thin air.”

The Ninth Circuit also affirmed the certification of the class of Illinois residents. It rejected Facebook’s argument that Illinois’ extraterritoriality doctrine (i.e., that Illinois law generally cannot govern transactions taking place outside of Illinois) precluded a predominance finding under Federal Rule of Civil Procedure 23(b)(3). If the violation of BIPA occurred when the plaintiffs used Facebook in Illinois, the court reasoned that the relevant events occurred primarily and substantially in the state, thus mooting the issue. If, however, the violation occurred somewhere else, the trial court could determine if the extraterritoriality precluded BIPA’s application, noting that a later decertification by the trial court remained an option.

Finally, the Ninth Circuit rejected the proposition that a class action was not superior to individual actions under Federal Rule of Civil Procedure 23(b)(3) based on the potential for a large, class-wide statutory damages award. Noting that this argument turned on legislative intent, the court found that nothing in the text or legislative history of the BIPA indicated that large damages award would subvert the intent of the Illinois General Assembly.