A new decision out of the Ninth Circuit Court of Appeals could be a bellwether for future privacy cases under the California Consumer Privacy Act. On Thursday, the Ninth Circuit held that the plaintiffs in a class-action lawsuit against Facebook alleging violation of an Illinois biometrics law had standing, allowing the case to move forward.
Given the similarities between the Illinois law and the relevant portions of the CCPA, the Ninth Circuit’s decision may dramatically expand standing in future cases under the CCPA for similar biometric violations.
The Ninth Circuit Facebook Facial Recognition Case
The Illinois Biometric Information Privacy Act (BIPA) requires that before a company may “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information,” it must disclose to individuals that biometric information is being collected, the purpose for the biometric information being collected and term it will be kept, and receive a written release from the individual.
Companies must also develop written policies for “permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied,” or three years after the consumer’s last interaction with the company, whichever happens first.
The class-action lawsuit in question in, Patel v. Facebook, alleged that Facebook violated the BIPA through its “face template” system, the manner in which Facebook analyzes uploaded photographs and suggests who it believes is in the photo to tag by comparing a number of biometric markers with existing photographs on the platform. According to the Ninth Circuit:
the technology extracts the various geometric data points that make a face unique, such as the distance between the eyes, nose, and ears, to create a face signature or map. The technology then compares the face signature to faces in Facebook’s database of user face templates (i.e., face signatures that have already been matched to the user’s profiles). If there is a match between the face signature and the face template, Facebook may suggest tagging the person in the photo.
The plaintiffs alleged that Facebook, by performing its face template process on uploaded photos of Illinois residents, violated the BIPA. Facebook also allegedly failed to develop the retention and destruction policy required by the BIPA.
The Ninth Circuit, affirming the decision of Judge James Donato from the Northern District of California, held that Facebook’s alleged violation of the BIPA was enough to constitute a concrete injury-in-fact, and therefore meets the requirements for standing under Article III.
The Court reached its decision by following the two-step process set forth in Robins v. Spokeo, Inc., 867 F.3d 1108, 1113 (9th Cir. 2017), aka Spokeo II:
(1) whether the statutory provisions at issue were established to protect [the plaintiff’s] concrete interests (as opposed to purely procedural rights), and if so, (2) whether the specific procedural violations alleged in this case actually harm, or present a material risk of harm to, such interests.
The Ninth Circuit, citing both a history of U.S. Supreme Court cases and the legislative intent behind the BIPA, held that the BIPA was established to protect concrete privacy interests, rather than merely procedural rights, as well as to address concerns over a slippery slope of the unrestricted use of facial recognition technology:
Once a face template of an individual is created, Facebook can use it to identify that individual in any of the other hundreds of millions of photos uploaded to Facebook each day, as well as determine when the individual was present at a specific location. Facebook can also identify the individual’s Facebook friends or acquaintances who are present in the photo. Taking into account the future development of such technology as suggested in Carpenter, see 138 S. Ct. at 2216, it seems likely that a face-mapped individual could be identified from a surveillance photo taken on the streets or in an office building. Or a biometric face template could be used to unlock the face recognition lock on that individual’s cell phone. We conclude that the development of a face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests. Similar conduct is actionable at common law.
The Court then held that violation of the BIPA constituted an actual risk of harm, stating:
Facebook’s alleged collection, use, and storage of plaintiffs’ face templates here is the very substantive harm targeted by BIPA. Because we conclude that BIPA protects the plaintiffs’ concrete privacy interests and violations of the procedures in BIPA actually harm or pose a material risk of harm to those privacy interests, see Dutta, 895 F.3d at 1174, the plaintiffs have alleged a concrete and particularized harm, sufficient to confer Article III standing.
As a result, the Court affirmed the District Court’s decision and allowed the case to proceed.
How Does This Affect Privacy Lawsuits in California?
Given the similarities between the BIPA and the CCPA, it seems likely that this decision will influence future privacy actions in California. In particular, under the CCPA, biometric information is included in the definition of “personal information,” and is thus subject to the CCPA’s protections. Biometric information is defined in the CCPA as:
an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
Essentially, there is no obvious reason why the Ninth Circuit would treat the CCPA differently from the BIPA. Presumably, if faced with a lawsuit regarding failure to comply with the CCPA’s protection of biometric data, any court in the Ninth Circuit following Patel would similarly find that Article III standing existed.
More specifically, if the Northern District was correct in holding that a plaintiff has standing to assert that Facebook’s use of face templates violated the BIPA, it stands to reason that a plaintiff alleging that face templates violate the CCPA would also be able to meet the requirements for standing. Like the BIPA, the CCPA is intended to protect an individual’s “concrete” rights, rather than simply “procedural” rights, and violation of the CCPA could result in concrete harm. As a result, a violation of those portions of the CCPA could be considered an injury-in-fact sufficient for standing.
The main difference between the BIPA and the CCPA is that the BIPA confers a private right of action on “[a]ny person aggrieved by a violation of this Act,” whereas no similar private right of action exists under the CCPA. This alone may prevent Patel from opening the floodgates for similar cases under the CCPA. Regardless, how this ends up playing out will be very interesting to monitor.
Disclaimer: This information is given for legal education only. This post is not legal advice and does not create an attorney-client relationship. Please contact an attorney for legal advice.
Daniel Zarchy is a civil litigator and privacy attorney in San Francisco, California. Daniel is also a Certified Information Privacy Professional (CIPP/US). The views and opinions expressed herein are solely those of the author and do not necessarily reflect the views or opinions of any other party or law firm.
Latest posts by Daniel J. Zarchy
(see all)Like this:
Like Loading...