February 19, 2019

February 18, 2019

Google Defeats Alleged BIPA Violations for Retention and Collection of Face-geometry Scans via Google Photos

In December 2018, Google defeated claims that it had violated Illinois’ Biometric Identification Privacy Act (BIPA). The US District Court for the Northern District of Illinois granted Google summary judgment and dismissed the plaintiffs’ claims for lack of subject matter jurisdiction because it determined that the plaintiffs had not established Article III standing to sue.

Background

In Rivera v. Google, the plaintiffs alleged that Google violated BIPA by collecting, storing and “exploiting” their face-geometry scans via Google Photos. Google moved for summary judgment, arguing that the plaintiffs could not establish Article III standing because the plaintiffs were not “aggrieved” within the meaning of BIPA. The court agreed with Google.

The lawsuit involved Google Photos, which is a free, cloud-based service used for organizing and sharing photographs. When a user uploads a photograph to Google Photos, Google Photos detects images of faces and creates face templates. Google uses these face templates to compare the visual similarity of faces within the user’s private account and then group together visually similar photographs. Google does not use the face templates for anything other than organizing photographs within a user account.

Both plaintiffs in Rivera claimed that they suffered injury to their privacy interests because Google did not have their permission to capture, store or use their face scans. The plaintiffs testified, however, that they had not suffered any financial, physical or emotional injury apart from feeling “offended by the unauthorized collection.”

Standing Analysis

The court looked to Google’s collection and retention of the face templates to determine whether either process constituted an injury-in-fact sufficient to establish standing. The court ultimately held that neither could.

Collecting Biometric Data

Regarding Google’s collection of face scans, the court relied on Spokeo, Inc. v. Robins, which held that when determining which intangible injuries are sufficient to confer standing and which are not, courts should consider legislative intent and examine possible analogues to common law harms that historically have supported a finding of Article III injury-in-fact.

Here, the court found that neither legislative intent nor common law analogies supported a finding of the required concrete injury. First, the court found that although the legislative findings discussed the immutability of biometrics, they did not explain why the “injury” suffered here – the creation of face templates without consent – is sufficiently concrete for Article III purposes. The court rejected a California court’s opposite holding in a prior case, stating that the permanency of biometrics does not justify a bright-line rule that all cases involving collection or retention of biometric data present a sufficient risk of disclosure that concrete injury is satisfied in every case.

Second, the court held that the alleged injury in this case did not bear a close resemblance to any common law tort that historically supports Article III standing. The court distinguished the privacy torts of intrusion on seclusion and appropriation of likeness on the grounds that an individual’s face, when knowingly exposed, does not carry privacy protection, and that Google did not benefit commercially from the face templates.

The court dismissed the plaintiffs’ claims, concluding that without conclusive legislative history or a common law analogue to support a finding of concrete injury, the plaintiffs could not establish Article III standing to sue Google based on Google’s collection of biometric data to create the face templates.

Retaining Biometric Data

BIPA requires private entities in possession of biometric information or identifiers (e.g., a face scan) to publicly provide a retention schedule and guidelines for destroying that information. The plaintiffs argued that because Google failed to provide a retention schedule or guidelines, the plaintiffs could not exercise their right to control their own information and therefore suffered injury. The court looked to the Seventh Circuit case Gubala v. Time Warner Cable, Inc., which held that retention of an individual’s private information, on its own (i.e., without disclosure or risk of disclosure), is not a concrete injury sufficient to confer Article III standing. In Rivera, the court found that because the plaintiffs did not argue that their face templates were shared, nor could they present evidence that there was a “substantial risk” that future harm would occur (e.g., proof of unauthorized access to and theft of personal information), the court had to dismiss the plaintiffs’ retention claims.

Implications

The Rivera decision demonstrates that despite the continued federal district and circuit split on standing, even after Spokeo, companies facing lawsuits alleging procedural violations of privacy statutes, like BIPA, can still defeat such claims at the summary judgment stage if they can show the absence of a concrete injury. The Rivera court relied on two important facts: (1) the biometric data was not shared with third parties and (2) the plaintiffs did not demonstrate a likelihood or risk that it would be shared or was otherwise at risk. Companies should take note of these findings and ensure that they can demonstrate the flow of personal data and document how it is protected from unauthorized use or disclosure. This decision comes at a time when the Illinois Supreme Court is considering similar issues, as described in one of our prior blog posts.

© Copyright 2019 Squire Patton Boggs (US) LLP

About this Author

Robin Campbell
Partner

Robin Campbell co-leads our Data Privacy & Cybersecurity Group and is a member of our Healthcare Practice. Robin brings first-hand understanding of the day-to-day issues faced by clients, having been seconded to clients to manage privacy in-house three times, twice in the automotive sector and once in healthcare. Robin’s practice focuses on a wide array of privacy and security issues, including the development and implementation of information management strategies for the handling of personal information. Robin focuses on providing practical solutions for data...

202 457 6409
Elliot Golding
Partner

Elliot Golding is a member of Squire Patton Boggs' Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He was selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, which recognizes those who “represent the best and the brightest of the data law bar around the world.”

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs, drafting privacy and security policies, preparing and testing data breach response plans, and negotiating complex data agreements. He not only counsels clients about what the law currently requires, but also provides industry context and forward-looking advice that takes into account trends and best practices in developing areas, such as the Internet of Things. In particular, Elliot helps clients understand how personal information may be used and disclosed to support business needs so that companies can stay competitive and compliant in a rapidly evolving environment.

Elliot has also managed dozens of breach response matters for companies through all aspects of investigation, notification, remediation and engagement with regulators (including federal regulators such as the Office of Civil Rights [OCR] and State Attorneys General). Elliot has defended clients in litigation by State Attorneys General under state security breach notification laws and the Health Insurance Portability and Accountability Act (HIPAA) and has helped clients successfully avoid enforcement actions altogether by working directly with regulators during investigations.

Elliot's practice covers a wide range of laws, regulations, industry standards and best practices, such as HIPAA and HITECH; 42 CFR Part 2 (Federal Confidentiality of Alcohol and Drug Abuse Patient Records); Federal Trade Commission (FTC) Act and FTC guidance; state laws and guidance governing privacy, security and breach notification (such as the California Shine the Light law, Lanterman-Petris-Short Act, Confidentiality of Medical Information Act, CalOPPA, and state laws governing sensitive health information); Telephone Consumer Protection Act (TCPA); CAN-SPAM; Gramm-Leach-Bliley Act (GLBA); Children's Online Privacy Protection Act (COPPA); NIST Security Standards; and Payment Card Industry Data Security Standards (PCI-DSS).

Elliot is co-chair of the ABA E-Privacy Law Committee, vice-chair of the ABA Healthcare Technology Committee, vice-chair of the Privacy, Security and Emerging Technology Division for the ABA Section of Science & Technology Law, a member of the Bloomberg BNA Health Care Innovations Board, and a frequent speaker and writer of thought leadership pieces. He is also a Certified Information Privacy Professional (CIPP/US).

202-457-6407
India Scarver
Associate

India Scarver focuses her practice on toxic tort litigation in federal and state courts. India also has experience representing clients in debt collection cases.

614-365-2719