Rivera v. Google, a recent federal court decision from the Northern District of Illinois, highlights how challenges to Article III standing are a versatile and useful tool for corporate defendants in privacy and cybersecurity litigation. At the same time, the litigation underscores the significant legal risk faced by entities that collect biometric information and the consequent need to proactively assess and mitigate that risk.
Overview of Biometric Privacy Litigation
In recent years, some legislatures have sought to codify the protection of biometric information that is collected by private companies. To that end, Illinois, Texas, and Washington each have statutes aimed at regulating the collection, use, and retention of biometric information, and New York City is currently considering a bill with similar impact.
Though each statute has had a notable effect on businesses operating within these jurisdictions, the Illinois Biometric Information Privacy Act (“BIPA”) is generally regarded as the most stringent among the three state laws. In particular, BIPA regulates how private entities (defined broadly) may use, store, and dispose of an individual’s “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” as well as any information based on an individual’s biometric identifier that is used to identify an individual. The law requires that entities collecting or possessing biometric information or identifiers inform consumers of the content and purpose of the company’s data collection and maintain retention schedules and disposal guidelines, among other obligations and restrictions. Further, BIPA provides for a private right of action to persons “aggrieved by a violation” of the Act. BIPA actions are subject to statutory damages of $1,000 per violation or $5,000 if the violation is deemed intentional or reckless. Due to its scope and the possibility of statutory damages, BIPA has formed the basis of several high-stakes consumer class actions across the United States.
Rivera v. Google, Inc.
One such action is Rivera, where two individuals—one a Google Photos user, the other not—filed suit claiming that the face-recognition feature of Google Photos violated BIPA. No. 16-02714 (N.D. Ill. Dec. 29, 2018). They asserted that Google violated the Act by applying its face-recognition program to images of them without their knowledge or consent. They characterized their harm as an injury to their privacy interests, but conceded that they had not suffered financial, physical, or emotional harm apart from feeling offended by the allegedly unauthorized collection of their scans. Google argued that the court lacked subject matter jurisdiction over the case because plaintiffs lacked a concrete “injury in fact” sufficient for standing under Article III of the U.S. Constitution.
In analyzing Google’s argument, the Rivera court cited Spokeo v. Robins, 136 S. Ct. 1540 (2016), for the proposition that while intangible injuries may satisfy the concrete injury requirement of Article III, a “bare procedural violation” of a statute is not sufficient to establish standing. The court then examined the ways in which plaintiffs claimed they were harmed—first, by collection of the information, and second, by retention of that information—and ultimately determined that neither alleged sufficient harm.
In regard to retention, the court applied Gubala v. Time Warner Cable, Inc., 846 F.3d 909 (7th Cir. 2016), and found that because only Google and the private users had access to the scans, and there had been no unauthorized access to the data, Google’s allegedly improper retention of the data did not cause plaintiffs a concrete harm.
Regarding the manner of collection, the court deemed the Article III analysis a “much closer question.” It noted a dearth of comparable precedent on the question of whether the alleged collection of facial scans without consent satisfies Article III. The court thus proceeded to evaluate factors set forth in Spokeo relevant to whether an intangible injury gives rise to Article III standing—namely, (1) whether legislative judgments supported plaintiffs’ claimed injury and (2) whether the claimed injury bears a close relationship to injuries that have traditionally been regarded as providing a basis for a lawsuit in U.S. and English courts. As to the first factor, the court observed that the only specific injury-related concern described by the Illinois legislature when enacting BIPA was the risk of identity theft, yet plaintiffs presented no evidence that Google’s alleged collection of facial scans created a substantial risk of identity theft. As to the second factor, plaintiffs identified no common law torts that bore a close relationship to the collection of facial scans without consent. Consequently, the Rivera court determined that Google was entitled to summary judgment because plaintiffs simply could not establish standing under Article III. In so holding, the court departed from the conclusion of an analogous case, Patel v. Facebook, Inc., 290 F. Supp. 3d 948 (N.D. Cal. 2018), which upheld the Article III standing of consumers who alleged that Facebook applied facial-recognition software to create facial templates without consent. The Patel litigation is now pending in the Ninth Circuit.
The Rivera decision has several important takeaways for companies that collect or use personally identifiable information.