November 27, 2020

Volume X, Number 332


November 25, 2020

Subscribe to Latest Legal News and Analysis

Google Defeats Alleged BIPA Violations for Retention and Collection of Face-geometry Scans via Google Photos

In December 2018, Google defeated claims that it had violated Illinois’ Biometric Identification Privacy Act (BIPA). The US District Court for the Northern District of Illinois granted Google summary judgment and dismissed the plaintiffs’ claims for lack of subject matter jurisdiction because it determined that the plaintiffs had not established Article III standing to sue.


In Rivera v. Google, the plaintiffs alleged that Google violated BIPA by collecting, storing and “exploiting” their face-geometry scans via Google Photos. Google moved for summary judgment, arguing that the plaintiffs could not establish Article III standing because the plaintiffs were not “aggrieved” within the meaning of BIPA. The court agreed with Google.

The lawsuit involved Google Photos, which is a free, cloud-based service used for organizing and sharing photographs. When a user uploads a photograph to Google Photos, Google Photos detects images of faces and creates face templates. Google uses these face templates to compare the visual similarity of faces within the user’s private account and then group together visually similar photographs. Google does not use the face templates for anything other than organizing photographs within a user account.

Both plaintiffs in Rivera claimed that they suffered injury to their privacy interests because Google did not have their permission to capture, store or use their face scans. The plaintiffs testified, however, that they had not suffered any financial, physical or emotional injury apart from feeling “offended by the unauthorized collection.”

Standing Analysis

The court looked to Google’s collection and retention of the face templates to determine whether either process constituted an injury-in-fact sufficient to establish standing. The court ultimately held that neither could.

Collecting Biometric Data

Regarding Google’s collection of face scans, the court relied on Spokeo, Inc. v. Robins, which held that when determining which intangible injuries are sufficient to confer standing and which are not, courts should consider legislative intent and examine possible analogues to common law harms that historically have supported a finding of Article III injury-in-fact.

Here, the court found that neither legislative intent nor common law analogies supported a finding of the required concrete injury. First, the court found that although the legislative findings discussed the immutability of biometrics, they did not explain why the “injury” suffered here – the creation of face templates without consent – is concrete sufficient for Article III purposes. The court rejected a California court’s opposite holding in a prior case, stating that the permanency of biometrics does not justify a bright line rule that all cases involving collection or retention of biometric data present a sufficient risk of disclosure that concrete injury is satisfied in every case.

Second, the court held that the alleged injury in this case did not bear a close resemblance to any common law tort that historically supports Article III standing. The court distinguished the privacy torts of intrusion on seclusion and appropriation of likeness on the grounds that an individual’s face, when knowingly exposed, does not carry privacy protection, and that Google did not benefit commercially from the face templates.

The court dismissed the plaintiffs’ claims, concluding that without conclusive legislative history or a common law analogue to support a finding of concrete injury, the plaintiffs could not establish Article III standing to sue Google based on Google’s collection of biometric data to create the face templates.

Retaining Biometric Data

BIPA requires private entities in possession of biometric information or identifiers (e.g., a face scan) to publicly provide a retention schedule and guidelines for destroying that information. The plaintiffs argued that because Google failed to provide a retention schedule or guidelines, the plaintiffs could not exercise their right to control their own information and therefore suffered injury. The court looked to the Seventh Circuit case Gubala v. Time Warner Cable, Inc., which held that retention of an individual’s private information, on its own (i.e., without disclosure or risk of disclosure), is not a concrete injury sufficient to confer Article III standing. In Rivera, the court found that because the plaintiffs did not argue that their face templates were shared, nor could they present evidence that there was a “substantial risk” that future harm would occur (e.g., proof of unauthorized access to and theft of personal information), the court had to dismiss the plaintiffs’ retention claims.


The Rivera decision demonstrates that despite the continued federal district and circuit split on standing, even after Spokeo, companies facing lawsuits alleging procedural violations of privacy statutes, like BIPA, can still defeat such claims at the summary judgment stage if they can show the absence of a concrete injury. The Rivera court relied on two important facts: (1) the biometric data was not shared with third parties and (2) the plaintiffs did not demonstrate a likelihood or risk that it would be shared or was otherwise at risk. Companies should take note of these findings and ensure that they can demonstrate the flow of personal data and document how it is protected from unauthorized use or disclosure. This decision comes at a time when the Illinois Supreme Court is considering similar issues, as described in one of our prior blog posts.

© Copyright 2020 Squire Patton Boggs (US) LLPNational Law Review, Volume IX, Number 22



About this Author

Robin Campbell Data Privacy & Cybersecurity Attorney Squire Patton Boggs Washington DC
Senior Advisor

Robin Campbell is senior advisor for our Data Privacy & Cybersecurity Practice and is a member of our Healthcare Group. Robin brings first-hand understanding of the day-to-day issues faced by clients, having been seconded to clients to manage privacy in-house three times: twice in the automotive sector and once in healthcare. Robin’s practice focuses on a wide array of privacy and security issues, including the development and implementation of information management strategies for the handling of personal information.

Robin focuses on providing practical solutions for data...

Elliot Golding Privacy and Cybersecurity Attorney Squire Patton Boggs

Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He has been selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs,...

India Scarver, Squire Patton Boggs Law Firm, Columbus, Litigation Attorney

India Scarver focuses her practice on toxic tort litigation in federal and state courts. India also has experience representing clients in debt collection cases.