Google Defeats Alleged BIPA Violations for Retention and Collection of Face-geometry Scans via Google Photos
In December 2018, Google defeated claims that it had violated Illinois’ Biometric Identification Privacy Act (BIPA). The US District Court for the Northern District of Illinois granted Google summary judgment and dismissed the plaintiffs’ claims for lack of subject matter jurisdiction because it determined that the plaintiffs had not established Article III standing to sue.
In Rivera v. Google, the plaintiffs alleged that Google violated BIPA by collecting, storing and “exploiting” their face-geometry scans via Google Photos. Google moved for summary judgment, arguing that the plaintiffs could not establish Article III standing because the plaintiffs were not “aggrieved” within the meaning of BIPA. The court agreed with Google.
The lawsuit involved Google Photos, which is a free, cloud-based service used for organizing and sharing photographs. When a user uploads a photograph to Google Photos, Google Photos detects images of faces and creates face templates. Google uses these face templates to compare the visual similarity of faces within the user’s private account and then group together visually similar photographs. Google does not use the face templates for anything other than organizing photographs within a user account.
Both plaintiffs in Rivera claimed that they suffered injury to their privacy interests because Google did not have their permission to capture, store or use their face scans. The plaintiffs testified, however, that they had not suffered any financial, physical or emotional injury apart from feeling “offended by the unauthorized collection.”
The court looked to Google’s collection and retention of the face templates to determine whether either process constituted an injury-in-fact sufficient to establish standing. The court ultimately held that neither could.
Collecting Biometric Data
Regarding Google’s collection of face scans, the court relied on Spokeo, Inc. v. Robins, which held that when determining which intangible injuries are sufficient to confer standing and which are not, courts should consider legislative intent and examine possible analogues to common law harms that historically have supported a finding of Article III injury-in-fact.
Here, the court found that neither legislative intent nor common law analogies supported a finding of the required concrete injury. First, the court found that although the legislative findings discussed the immutability of biometrics, they did not explain why the “injury” suffered here – the creation of face templates without consent – is sufficiently concrete for Article III purposes. The court rejected a California court’s opposite holding in a prior case, stating that the permanency of biometrics does not justify a bright-line rule that all cases involving collection or retention of biometric data present a sufficient risk of disclosure that concrete injury is satisfied in every case.
Second, the court held that the alleged injury in this case did not bear a close resemblance to any common law tort that historically supports Article III standing. The court distinguished the privacy torts of intrusion on seclusion and appropriation of likeness on the grounds that an individual’s face, when knowingly exposed, does not carry privacy protection, and that Google did not benefit commercially from the face templates.
The court dismissed the plaintiffs’ claims, concluding that without conclusive legislative history or a common law analogue to support a finding of concrete injury, the plaintiffs could not establish Article III standing to sue Google based on Google’s collection of biometric data to create the face templates.
Retaining Biometric Data
BIPA requires private entities in possession of biometric information or identifiers (e.g., a face scan) to publicly provide a retention schedule and guidelines for destroying that information. The plaintiffs argued that because Google failed to provide a retention schedule or guidelines, the plaintiffs could not exercise their right to control their own information and therefore suffered injury. The court looked to the Seventh Circuit case Gubala v. Time Warner Cable, Inc., which held that retention of an individual’s private information, on its own (i.e., without disclosure or risk of disclosure), is not a concrete injury sufficient to confer Article III standing. In Rivera, the court found that it had to dismiss the plaintiffs’ retention claims because the plaintiffs did not argue that their face templates were shared and could not present evidence of a “substantial risk” that future harm would occur (e.g., proof of unauthorized access to and theft of personal information).
The Rivera decision demonstrates that despite the continued federal district and circuit split on standing, even after Spokeo, companies facing lawsuits alleging procedural violations of privacy statutes, like BIPA, can still defeat such claims at the summary judgment stage if they can show the absence of a concrete injury. The Rivera court relied on two important facts: (1) the biometric data was not shared with third parties and (2) the plaintiffs did not demonstrate a likelihood or risk that it would be shared or was otherwise at risk. Companies should take note of these findings and ensure that they can demonstrate the flow of personal data and document how it is protected from unauthorized use or disclosure. This decision comes at a time when the Illinois Supreme Court is considering similar issues, as described in one of our prior blog posts.