In a ruling handed down just before the new year, an Illinois court held that consumers who claimed that Google created biometric face prints without their consent, but who did not suffer any concrete harm resulting from the collection, lacked standing to bring their claims in federal court.
Under Illinois’s Biometric Information Privacy Act (“BIPA”), 740 ILCS 14, private entities cannot collect or capture an individual’s biometric identifier (such as a fingerprint, voiceprint, or face geometry), without written notice to and consent from that individual. The law, which is one of just three state biometric privacy laws in the country, provides for a private right of action for violations, with the opportunity to seek damages, and has entangled companies such as Facebook, Shutterfly, Six Flags and others in litigation.
In Rivera, the plaintiffs alleged that Google, through its Google Photos app, used facial-recognition technology to create face templates of their photos, and then grouped together what it believed to be visually-similar faces. The Plaintiffs alleged the feature is enabled by default and that the Plaintiffs never gave their consent to use the feature. Nevertheless, the Plaintiffs testified that they “did not suffer any financial, physical, or emotional injury apart from feeling offended by the unauthorized collection.” As a result, Google argued that the Plaintiffs lacked standing to pursue the claim.
The Court agreed, and held that Google’s creation and retention of Plaintiffs’ face templates “did not cause them a concrete injury for Article III standing purposes.” Google did not share the templates with other Google Photos users or anyone outside of Google; there was no unauthorized access to the templates or the data; and hackers did not obtain any of the data. The “risk of future harm” was not sufficient to confer standing, and the “bare procedural violation” alleged was not itself sufficient under Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016).
The decision is important with use of biometrics on the rise and as businesses continue to grapple with Illinois’ stringent notice-and-consent requirements. It also stands in contrast to the Patel v. Facebook Inc., 290 F. Supp. 3d 948 (N.D. Cal. 2018), decision out of Northern California, which reached the opposite result on very similar facts. The Patel case is currently on appeal to the Ninth Circuit.
Ultimately, the only certainty is that more uncertainty will follow on the question of injury and use of biometrics. Businesses that use or are considering using biometrics should continue to monitor these cases and others across the country for emerging clarity and uniform guidance on the risk of using biometric identifiers and the nature of any notice and consent mechanisms that must be provided.
Goodwin’s Data, Privacy and Cybersecurity practice is one of the longest-standing privacy practices of any global 50 firm and has been ranked among leading law firms for privacy and cybersecurity, including by Legal 500. It fully integrates and leverages the firm's core strengths, with the group's lawyers coming from the technology, financial industry, licensing, litigation and regulatory practices. The team has handled hundreds of data breach investigations, litigated landmark privacy cases, and defended clients in investigations and enforcement actions brought by state attorneys general and federal data protection regulators. Goodwin provides clients practical advice on all aspects of information-related management, including the establishment of comprehensive privacy programs, audits, transactional due diligence and compliance with domestic and international privacy laws.