ISBA Members, please login to join this section

March 2020Volume 50Number 6PDF icon PDF version (for best printing)

Lessons From Facebook’s Record $550 Million Biometric Settlement

On January 29, 2020, Facebook, Inc. agreed to pay over half a billion dollars to settle claims that it violated the Illinois Biometric Information Privacy Act (“BIPA”)1 by using facial recognition software to help users “tag” their friends in photographs. The settlement came less than two weeks after the United States Supreme Court refused to review the ninth circuit’s decision affirming class certification in Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019), which would have set the stage for one of the largest consumer class action trials in history. The settlement also comes almost exactly one year after the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corp., 129 N.E.3d 1197 (Ill. 2019), holding that plaintiffs need not plead any actual injury apart from a statutory violation in order to qualify as “aggrieved” under BIPA.2 Facebook’s settlement is a harbinger of the issues that will be litigated in the next stage of BIPA litigation following the Rosenbach decision.

The Facebook Litigation

In 2018, the district court denied Facebook’s motion to dismiss the case for lack of Article III standing3 and, two months later, granted the plaintiffs’ motion for class certification over Facebook’s objections.4 Facebook appealed both the denial of its motion to dismiss and the grant of class certification to the ninth circuit, which affirmed both orders.

In the appeal, Facebook renewed its challenge to standing, arguing that the plaintiffs alleged only a bare procedural violation and had suffered no “real-world harm” (such as an adverse employment action, or even just anxiety) as a result of its “tagging” program that could satisfy Article III. The ninth circuit rejected this argument, employing its two-step approach for determining whether a statutory violation causes a concrete injury. First, it held that BIPA was enacted to protect an individual’s “concrete interests” in his or her privacy; it was not enacted to protect “merely procedural” rights. Second, the court concluded that the alleged BIPA violations actually harmed those concrete interests. The court reasoned: “Because the privacy right protected by BIPA is the right not to be subject to the collection and use of such biometric data, Facebook’s alleged violation of these statutory requirements would necessarily violate the plaintiffs’ substantive privacy interests.”5

The court then turned to Facebook’s class certification arguments. Facebook argued that the claims did not satisfy Rule 23’s commonality requirement because each class member’s claims would pose individualized inquiries concerning whether a class member’s claims fell within BIPA’s territorial scope.6 Because BIPA does not apply extraterritorially, and because each of Facebook’s servers that stored the plaintiff’s biometric information was located outside of Illinois, Facebook argued that individualized proof would be required to show that the challenged conduct took place “primarily and substantially” within Illinois. Facebook asserted that countless min-trials would be required to determine whether, for example, particular class members were in Illinois when their picture was uploaded, when the facial recognition analysis was performed, or when Facebook suggested a tag. The ninth circuit disagreed, finding that the “dispute regarding extraterritoriality requires a decision as to where the essential elements of a BIPA violation take place,” which, it found, could be decided on a class-wide basis, subject to the district court’s ability to later decertify the class if it determined that the elements required individualized inquiries.

Facebook also argued that a class action was not superior to individual actions given the $1,000 or $5,000 statutory penalties recoverable by plaintiff, which in the aggregate would amount to billions of dollars given the size of the asserted class. But the ninth circuit rejected Facebook’s contention that the potential for “a large, class-wide damages award” defeated superiority. The court did not find anything in the statutory language or the legislative history to indicate that the drafters intended to “place a cap on statutory damages.”

Facebook’s petition for certiorari asserted that the ninth circuit’s standing analysis was deficient in two ways. According to Facebook, the court erred by finding that because BIPA protects a concrete privacy interest, a BIPA violation necessarily injures that interest. Facebook asserted that this holding was not only incorrect, but created a split with the second, fourth, sixth, seventh, and eighth circuits, which require plaintiffs to allege that the statutory violation harmed the plaintiff “in a personal and individual way.” Second, Facebook argued that the ninth circuit erred and created an additional circuit split because it determined that the plaintiffs had standing without finding that risk of future misuse of the plaintiffs’ personal information constituted an “imminent” risk of harm.

Separate and apart from the standing issues, Facebook contended that the court erred in its predominance analysis. While the ninth circuit held that the question of where the alleged BIPA violations occurred (i.e. where the Plaintiffs were located or where Facebook’s servers were located) could be determined by the district court after class certification, Facebook argued that this “predicate question of law” affecting predominance had to be decided before certifying the class. Facebook asserted that the ninth circuit’s decision created a split with the second, eighth, and eleventh circuits, which prohibit courts from certifying a class without answering threshold legal questions central to class certification.

Despite Facebook’s assertion of three separate circuit splits, the Supreme Court denied certiorari on January 21, 2020. Just over one week later, the parties disclosed their agreement to settle the case. The parties’ motion for preliminary approval of the settlement is expected to be filed around the time of this article’s publication.

What Can Companies Learn From Facebook’s Settlement?

Facebook’s settlement signals a developing circuit split regarding BIPA claims. In the ninth circuit, plaintiffs now may be able to satisfy Article III merely by alleging a violation of BIPA apart from any actual harm. District courts in other Circuits, however, have remanded BIPA actions for failure to show actual harm under Article III. See, e.g., Hunter v. Automated Health Systems, Inc., No. 19 C 2529 (N.D. Ill. February 20, 2020) (concluding that the “plaintiff lacked Article III standing … because there was no allegation of any dissemination, just a claim for a bare procedural violation”). In addition, while Facebook’s extraterritoriality challenge to class certification did not persuade the ninth circuit, courts in other Circuits may evaluate these arguments differently, particularly when asked to resolve the question left open by the ninth circuit as to where the elements of a BIPA violation take place. BIPA defendants should carefully monitor these trends when evaluating challenges to personal jurisdiction, forum, standing and class relief.

There also remain a host of other defenses that have yet to be resolved by courts, such as the applicable statute of limitations. BIPA does not contain its own statute of limitations, but Illinois has a one-year limitations period for “publication of matter violating the right of privacy,” 735 ILCS 5/13-201, which arguably should apply to BIPA claims. A defendant may also be able to argue that the plaintiff provided implied consent to the collection of biometric information, or that BIPA claims must be resolved in arbitration or another forum because of applicable statutes, collective bargaining agreements or individual contracts.

BIPA itself may be vulnerable to a constitutional challenge. The grocery store chain Albertson’s for example, is currently appealing to the Illinois Supreme Court whether BIPA violates its equal protection rights by arbitrarily exempting government contractors and certain financial institutions from BIPA liability.7 BIPA also may violate the Dormant Commerce Clause by burdening out-of-state companies through its uncertain extraterritorial effects, and it may violate due process by imposing disproportionate and excessive statutory penalties on class action defendants who have not actually injured anyone. The amount of the Facebook settlement suggests just these kinds of effects.

In the end, Facebook’s settlement is a warning that companies should not only be careful with regard to their biometric practices, but also remain informed of this rapidly evolving area of law. And it is not just large tech companies like Facebook and that should be on notice. Big and small companies across the economy have found themselves subject to BIPA litigation in recent years, including a photo-sharing company,8 a rail terminal operator,9 a die casting company,10 a cold storage logistics company,11 an automotive parts supplier,12 a foodservice company,13 and a senior living company,14 just to name a few. No matter their size or industry, companies would be wise to take notice of Facebook’s settlement and seriously evaluate their own potential exposure to liability under BIPA.


Nick Kahlon and Eli Litoff are lawyers in the Chicago office of Riley Safer Holmes & Cancila LLP.

 

1. BIPA, passed in 2008, generally prohibits companies from obtaining biometric information (such as fingerprints, voice samples, and scans of face or hand geometry) without obtaining consent and disclosing how they use, store and destroy that data. 740 ILCS 14/1 et seq. The statute carries penalties of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation. 740 ILCS 14/20(1)-(2).

2. BIPA creates a private right of action only for a “person aggrieved by a violation” of the Act. See 740 ILCS 14/20.

3. See Patel v. Facebook Inc., 290 F.Supp.3d 948, 954 (N.D. Cal. 2018).

4. See In re Facebook Biometric Information Privacy Litigation, 326 F.R.D. 535, 544-49 (N.D. Cal. 2018).

5. According to Facebook’s appellate briefs, one of the Patel plaintiffs apparently testified that he thought Facebook’s tagging tool was a “nice” feature and had chosen not to opt out of it. The ninth circuit did not address this evidence against harm in its decision.

6. In the district court, Facebook also argued that individualized inquiries would be required to establish whether each plaintiff was “aggrieved by” the alleged BIPA violations, which Facebook argued required some actual harm in addition to the violation itself. By the time it reached the ninth circuit, however, this argument was foreclosed by the Illinois Supreme Court’s decision in Rosenbach.

7. The case, Bruhn v. New Albertson’s Inc. et al., No. 2018 CH 01737, is currently pending in the Circuit Court of Cook County.

8. See Norberg v. Shutterfly, Inc., No. 15 CV 5351 (N.D. Ill.).

9. See Rogers v. CSX Intermodal Terminals, Inc., No. 1:19 C 2937 (N.D. Ill.).

10. See Colon v. Dynacast, LLC, No. 19-CV-4561 (N.D. Ill.).

11. See McGinnis v. United States Cold Storage, Inc., No. 17 C 08054 (N.D. Ill.).

12. See Goings v. UGN, Inc., No. 17-cv-9340 (N.D. Ill.).

13. See Bryant v. Compass Group USA, Inc., No. 19 C 6622 (N.D. Ill.).

14. See Dixon v. Washington and Jane Smith Community-Beverly, No. 17 C 8033 (N.D. Ill.).

 

Login to post comments