9th Circuit biometric privacy case denied, but others on the way

This article examines recent litigation surrounding the use and collection of biometric data. In January, the U.S. Supreme Court denied a petition for a writ of certiorari from the 9th U.S. Circuit Court of Appeals' decision in Patel v. Facebook, 932 F.3d 1264 (9th Cir. 2019). After the Supreme Court's denial, Facebook announced it had agreed to a settlement in the suit for $550 million, which is subject to judicial review and approval. Tony Romm, "Facebook Agrees to Pay $550 Million to Settle Privacy Lawsuit, Days After Supreme Court Declined to Hear Case," Wash. Post. (Jan. 29, 2020), .

The 9th Circuit decision involved a class action under the Illinois Biometric Privacy Act. BIPA regulates the collection, use and storage of "biometric identifiers" -- defined as retina or iris scans, fingerprints, voiceprints and "scans of hand or face geometry." 740 Ill. Comp. Stat.14/10. BIPA is, for now, the only state biometric privacy statute that provides a private right of action.

In Patel, Illinois-resident Facebook users brought suit against Facebook in the Northern District of California for allegedly violating BIPA by using facial-recognition technology in the company's "tag suggestions" feature. The feature at issue compared faces in each user-uploaded photograph with face templates stored in its database. If a match occurred, Facebook's pop-up suggested "tagging" the identified person in the photograph. According to the plaintiffs in Patel, the feature violated BIPA's prohibition against collecting, using and storing biometric identifiers from their photos without obtaining a written release and without establishing a compliant retention schedule.

Facebook moved to dismiss for lack of Article III standing on the grounds that the plaintiffs had not alleged any concrete injury. The district court denied the motion to dismiss and granted the plaintiffs' separate class-certification motion.

The 9th Circuit affirmed. Specifically, it held the plaintiffs had alleged a concrete injury-in-fact sufficient to confer Article III standing to maintain suit. Applying the U.S. Supreme Court's decision in Spokeo, Inc. v. Robbins, 136 S. Ct. 1540 (2016), the 9th Circuit held that BIPA protects concrete privacy interests and that the alleged violations harmed those interests. In so deciding, the 9th Circuit relied on the Illinois Supreme Court's interpretation of BIPA's private right of action in Rosenbach v. Six Flags Ent. Corp., 129 N.E.3d 1197, 1206 (Ill. 2019). There, the Illinois Supreme Court had held "the right of the individual to maintain his or her privacy" is violated when a private entity violates BIPA, which was designed to protect individual biometric privacy rights "by subjecting private entities who fail to follow the statute's requirements to substantial potential liability." The 9th Circuit observed that the right to biometric privacy implicates the same privacy rights as those that have "traditionally been regarded as providing a basis for a lawsuit." (Internal quotation marks omitted).

Concerning the district court's class-certification grant, the 9th Circuit rejected Facebook's arguments regarding extraterritoriality. It reasoned that the legislative record shows that BIPA was designed to regulate corporations that use locations in Illinois to pilot biometric-facilitated transactions. The court further found that the relevant events "primarily and substantially" took place in Illinois since it involved Illinois residents who used Facebook in Illinois.

In seeking U.S. Supreme Court review, Facebook argued the 9th Circuit missed crucial steps in its standing analysis: first, by not determining whether each plaintiff actually suffered a personal, real-world injury because of the statutory violation. This, according to Facebook, created a circuit split warranting review. Facebook also argued that the 9th Circuit erred in considering only the risk of misuse of personal information instead of the risk of imminent injury.

The respondents elected not to file a response to the petition for a writ of certiorari, although three amici filed Supreme Court briefs. One from the Washington Legal Foundation, in support of Facebook, asserted that before 1890, no English or American court had recognized a right to privacy. It also invoked the specter of huge damages awards: "Here the respondents seek to represent a class comprising at least six million Facebook users who claim statutory damages solely for a statutory injury. Under BIPA's statutory minimum of $1,000 per class member, the certified class could produce a staggering $6 billion recovery. The statutory maximum could yield a $30 billion recovery. So massive a recovery would wipe out most American companies." Another amicus, TechFreedom, stated that "[e]ven as they have gained limited recognition more recently, privacy claims are historically disfavored due to their capacity to conflict with free speech interests."

Although the Supreme Court declined to address these issues for now, the 7th U.S. Circuit Court of Appeals is potentially poised to hear another BIPA case, and more suits will continue to be filed against companies and other allegedly noncompliant parties. See Rivera v. Google, 366 F. Supp. 3d 998 (N.D. Ill. 2018), appeal docketed, Nos. 19-1242 & 19-1182 (7th Cir. Feb. 8, 2019) (briefing schedule suspended pursuant to Rule 33). The legislative landscape remains in flux as well. In December 2019, two U.S. senators released differing proposals for federal data-privacy legislation that split on whether a private right of action should be included. California's new consumer-privacy statute, the California Consumer Privacy Act, which took effect on Jan. 1, provides for a limited private right of action in the event of data-security breaches, Cal. Civ. Code Section 1798.150, and the California attorney general released new proposed implementing regulations last week. New York is also considering data-privacy legislation that includes a private right of action. All to say: The law isn't settled on biometric-privacy laws, and the Supreme Court may yet be called upon to address biometric-privacy questions in the near future. Regardless, businesses in virtually every industry are increasingly subject to legal regulation -- and increasingly face the risk of significant monetary damages awards for violations, as shown by the proposed Patel v. Facebook settlement -- regarding their collection, use and storage of consumer and user data. 