Ninth Circuit Affirms Certification of Class Alleging Biometric Privacy Violations
The Ninth Circuit has issued its much-anticipated decision in a class action against Facebook involving alleged biometric privacy violations, affirming certification of a class. In Patel v. Facebook, the Northern District of California certified a class of Facebook users residing in Illinois who alleged that the social media giant violated the Illinois Biometric Information Privacy Act (BIPA) by using facial-recognition technology “without obtaining a written release and without establishing a compliant retention schedule” in accordance with BIPA. Facebook uses facial-recognition technology as part of its “Tag Suggestions” feature, which involves analyzing photos uploaded to Facebook to identify the people in them.
Facebook’s interlocutory appeal to the Ninth Circuit attracted national attention, with amicus briefs filed by the U.S. Chamber of Commerce and the Internet Association in support of Facebook and by the Electronic Privacy Information Center and ACLU in support of the plaintiffs. The Ninth Circuit decision addressed important issues of Article III standing, predominance, and the interaction of statutory damages and class actions.
In the lawsuit, the plaintiffs do not allege that Facebook disclosed their biometric information to third parties. But BIPA provides that biometric information may be collected by a private entity only pursuant to a written release. It further provides that a person’s biometric information in the hands of a private entity must be permanently destroyed when the initial purpose for collecting the information has been satisfied or within three years of the person’s interaction with the private entity, whichever comes first. The plaintiffs allege that Facebook violated those provisions of BIPA. Facebook, of course, denied the allegations.
Facebook argued that the plaintiffs had not alleged a concrete injury, and thus the class complaint should be dismissed. That argument made this case a significant battle in the ongoing war over how the Supreme Court’s Spokeo decision will be understood and applied.
Spokeo held that the concrete injury requirement for Article III standing is not automatically satisfied “whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right. Article III standing requires a concrete injury even in the context of a statutory violation.” But Spokeo also reaffirmed that “intangible injuries can nevertheless be concrete” and that legislative judgment regarding “intangible harms that meet minimum Article III requirements” is “instructive and important.”
Here, the Ninth Circuit held that the violations of BIPA alleged by the plaintiffs, if true, caused a concrete injury to the plaintiffs. The court drew support for its holding from a variety of sources: (1) the common law right to privacy; (2) constitutionally protected zones of privacy, including recent Fourth Amendment decisions from the Supreme Court recognizing that “advances in technology can increase the potential for unreasonable intrusions into personal privacy”; and (3) the Illinois Legislature, which enacted BIPA based on the judgment that biometric privacy must be safeguarded.
The plaintiffs argued, and the Ninth Circuit agreed, that Facebook’s alleged violations of BIPA allowed it “to create and use a face template and to retain this template for all time,” without consent, which invaded plaintiffs’ “substantive privacy interests” “not to be subject to the collection and use of such biometric data.” The Ninth Circuit analogized the alleged violations of BIPA to Eichenberger v. ESPN, Inc., 876 F.3d 979 (9th Cir. 2017), which involved an alleged violation of the Video Privacy Protection Act wherein someone’s personally identifiable information and video-viewing history was allegedly disclosed.
By contrast, Facebook analogized the alleged violations of BIPA to Bassett v. ABM Parking Services, Inc., 883 F.3d 776 (9th Cir. 2018), in which a defendant allegedly violated the Fair Credit Reporting Act by failing to redact a credit card’s expiration date on a receipt that was never seen by anyone other than the customer who obtained the receipt. The Ninth Circuit rejected that analogy, finding that Facebook’s alleged violations of BIPA were not merely procedural. “Facebook’s alleged collection, use, and storage of plaintiffs’ face templates here is the very substantive harm targeted by BIPA.”
The next issue the court confronted was predominance. Under Illinois law, its statutes are not to be given extraterritorial effect unless the Legislature clearly intends that result – a result, Facebook argued, that the Illinois Legislature did not intend with BIPA. Thus, Facebook further argued, mini-trials would need to be held for each class member to determine where the alleged violations of BIPA occurred for that class member.
The Ninth Circuit agreed that applying BIPA in this case “requires a decision as to where the essential elements of a BIPA violation take place” because that is a question of first impression under Illinois law. But it found that certain potential answers to this question would resolve the question on a classwide basis, which means that the need to answer the question did not necessarily defeat predominance. And if the district court later determined that “extraterritoriality must be evaluated on an individual basis,” it could decertify the class at that time.
Lastly, the court addressed the interaction of statutory damages and class actions. Facebook argued that the prospect of enormous liability for statutory violations that caused no real harm defeats the superiority requirement for a Rule 23(b)(3) damages class. The court found that this is true only when there is some indication that the legislature intended to place a cap on damages awards under the relevant statute, and there was no evidence that the Illinois Legislature had such an intent with BIPA.
Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019).