Privacy & Information Security Law Blog

As we previously reported in February 2017, an Illinois federal judge denied a motion to dismiss two complaints brought under the Illinois Biometric Information Privacy Act, 740 ILCS 14 (“BIPA”) by individuals who alleged that Google captured, without plaintiff’s consent, biometric data from facial scans of images that were uploaded onto Google Photos. The cases subsequently were consolidated, and on December 29, 2018, the Northern District of Illinois dismissed the case on standing grounds, finding that despite the existence of statutory standing under BIPA, neither plaintiff had claimed any injury that would support Article III standing.

In Spokeo, Inc. v. Robins, the Supreme Court held that Article III standing requires a concrete and particularized injury even in the context of a statutory violation. The court here likewise concluded that although the plaintiffs in this case had statutory standing under BIPA, the procedural, statutory violation alone was insufficient in satisfying the standing requirement.

In asking whether either plaintiff adequately alleged such requisite injury, the court considered Google’s collection and retention of the facial scans. With respect to the retention issue, the court followed the 7th Circuit ruling in Gubala v. Time Warner Cable, Inc. that, while in violation of the Cable Communications Policy Act, the retention of individual information alone, without information disclosure or sufficient risk of information disclosure, did not confer Article III standing.

Regarding collection, the court considered (1) Patel v. Facebook Inc., a similar case brought in the Northern District of California that was not dismissed, involving a plaintiff who alleged that Facebook’s use of facial recognition for tagging photos violated BIPA’s notice and consent requirements; and (2) common law tort analogues. The Illinois court (1) declined to follow the California court, reasoning that there was an insufficient showing that the Illinois legislature intended to create a cause of action that would arise from the violation of BIPA’s notice and consent requirements alone; and (2) found that the two common law tort analogues bearing the closest relationship to the alleged injury, intrusion upon seclusion and misappropriation, were not appropriate in this case because the harms alleged by the plaintiffs were incompatible with or did not align with the harms of the tort of intrusion upon seclusion or misappropriation. Specifically, the templates that Google created were based on faces, which are regularly publicly exposed, and were not made publicly available or used by Google for commercial purposes. As such, the court dismissed the claim, holding that neither plaintiff in this case had claimed an injury that would support Article III standing.

A number of BIPA actions remain pending in federal and state courts. It remains to be seen whether other courts will agree with the Northern District of Illinois regarding the unavailability of BIPA claims based solely on procedural violations of the act.