Tag, You’re It: Biometric Information Privacy Act Class Action Against Shutterfly Moves Past 12(b)(6)
Over the last six months, at least four putative class actions have been filed under the Biometric Information Privacy Act (“BIPA”)—an obscure Illinois statute passed about seven years ago to regulate the collection and use of consumers’ biometric information. In relevant part, the BIPA requires entities in possession of biometric information (i.e., retina scans, fingerprints, voiceprints, etc.) to retain a specific written policy governing data retention and to collect written consent from consumers before collecting biometric information.
The sudden rash of class actions over the past six months includes cases against Facebook and Shutterfly—stemming from the alleged unlawful collection of consumers’ facial images used in photo tagging features—and cases against LA Tan and Palm Beach Tan—stemming from the alleged unlawful collection of fingerprint data used in lieu of membership cards.
Like many privacy-centric statutes (i.e., the FRCA and TCPA), the BIPA provides for extremely high statutory damages—$1,000 to $5,000 per violation. And like many privacy-centric statutes (i.e., the Video Privacy Protection Act and Michigan’s Video Rental Privacy Act), the BIPA had little-to-no judicial interpretation. That is, until Judge Charles Norgle issued his order in Norberg v. Shutterfly, Inc., Case No. 15-cv-5351 (N.D. Ill.).
On December 29, 2015, in a brief, two-page order, Judge Norgle denied Shutterfly’s motion to dismiss, leaving the plaintiffs’ likely to continue filing no-harm class actions with potentially crippling statutory damages.
The Shutterfly case stemmed from Shutterfly’s use of photo facial recognition features on its websites, including Shutterfly.com and ThisLife.com. The Plaintiff contended that Shutterfly used his personal face pattern in connection with the facial recognition software, despite the fact that he had never used Shutterfly, nor had his consent been obtained.
Shutterfly’s central argument was that the BIPA specifically exempts photographs from its definition of biometric identifying data, and thus its facial recognition features did not fall within the ambit of the statute. Judge Norgle, however, disagreed, drawing an apparent distinction between photographs and facial features derived from those photographs. Whether that distinction is the correct read of the statute is also the central argument at issue in Facebook’s BIPA case, In re Facebook Biometric Information Privacy Litigation, Case No. 15-cv-3747 (N.D. Cal.), in which a motion to dismiss is pending.
Whether Judge Norgle’s decision carries the day in the Facebook litigation is to be seen. Sheppard Mullin’s privacy and class action defense teams will be monitoring both Shutterfly and Facebook cases closely—as well as the potential impact the Supreme Court’s Spokeo decision (covered here) could have on these actions. In the meantime, however, given the statutory damages available, companies cannot afford to ignore Illinois’ BIPA.