eCases

• JAMES DONATO, United States District Judge

  In this putative class action case under the Illinois Biometric Information Privacy Act, 740 Ill. Comp. Stat. 14/1 et seq. ("BIPA"), named plaintiffs allege that defendant Facebook, Inc. ("Facebook") unlawfully collected and stored their biometric data without prior notice or consent. Dkt. No. 40. Facebook asks to dismiss the case under Federal Rule of Civil Procedure 12(b)(1) and Spokeo, Inc. v. Robins , --- U.S. ----, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016) ( Spokeo I ) on the ground that plaintiffs have failed to allege a concrete injury in fact. Dkt. No. 227. The motion is denied.

  BACKGROUND

  This consolidated action originated as three separate cases originally filed in Illinois *951courts. Two of the cases were filed in federal court, while a third was filed in Illinois state court and removed to federal court by Facebook under the Class Action Fairness Act. Notice of Removal, Licata v. Facebook, Inc., No. 1:15-cv-04022 (N.D. Ill. filed May 6, 2015) (No. 1). The parties stipulated to transfer the cases to this Court, where they were consolidated into a single action. In re Facebook Biometric Info. Privacy Litig. , 185 F.Supp.3d 1155, 1159 (N.D.Cal. 2016). The consolidated class action complaint, Dkt. No. 40, is the operative complaint.

  The consolidated complaint alleges that Facebook "operates the largest social network in the world, with over one billion active users." Dkt. No. 40 ¶ 1. The named plaintiffs, Nimesh Patel, Adam Pezen and Carlo Licata, use Facebook "to, among other things, upload and share photographs with friends and relatives." Id. ¶¶ 2, 7-9.

  Plaintiffs' claims arise out of Facebook's "Tag Suggestions" program launched in 2010. Id. ¶ 3. A user "tags" other Facebook users and non-users by identifying them in photographs uploaded to Facebook. Id. ¶ 2. "Tag Suggestions" is intended to encourage more tagging. Id. ¶ 3. It scans uploaded photographs "and then identif[ies] faces appearing in those photographs." Id. If the program "recognizes and identifies one of the faces appearing in [a] photograph, Facebook will suggest that individual's name or automatically tag them." Id. In effect, the program associates names with faces in photos and prompts users to tag those people.

  Tag Suggestions uses "state-of-the-art facial recognition technology" to extract biometric identifiers from photographs that users upload. Id. ¶¶ 4, 22. Facebook creates and stores digital representations (known as "templates") of people's faces based on the geometric relationship of facial features unique to each individual, "like the distance between [a person's] eyes, nose and ears." Id. ¶ 23.

  Plaintiffs allege that Facebook collected users' biometric data secretly and without consent. Specifically, they allege that the Tag Suggestions program violated BIPA because Facebook did not: "[1] properly inform plaintiffs or the class in writing that their biometric identifiers (face geometry) were being generated, collected or stored; [2] properly inform plaintiffs or the class in writing of the specific purpose and length of time for which their biometric identifiers were being collected, stored, and used; [3] provide a publicly available retention schedule and guidelines for permanently destroying the biometric identifiers of plaintiffs and the class (who do not opt-out of 'Tag Suggestions'); and [4] receive a written release from plaintiffs or the class to collect, capture, or otherwise obtain their biometric identifiers."Id. ¶ 5. Plaintiffs seek declaratory and injunctive relief and statutory damages. Id. ¶ 6.

  DISCUSSION

  I. Legal Standards

  "A Rule 12(b)(1) jurisdictional attack may be facial or factual. In a facial attack, the challenger asserts that the allegations contained in a complaint are insufficient on their face to invoke federal jurisdiction. By contrast, in a factual attack, the challenger disputes the truth of the allegations that, by themselves, would otherwise invoke federal jurisdiction." Safe Air for Everyone v. Meyer , 373 F.3d 1035, 1039 (9th Cir. 2004) (citations omitted).

  In a facial jurisdictional challenge, the Court takes all factual allegations in the complaint as true and draws all reasonable inferences in plaintiffs' favor. Pride v. Correa , 719 F.3d 1130, 1133 (9th Cir. 2013). In a factual challenge, the Court "may review evidence beyond the *952complaint without converting the motion to dismiss into a motion for summary judgment" and "need not presume the truthfulness of the plaintiff's allegations." Safe Air , 373 F.3d at 1039 (citations omitted). This discretion should be used with caution so that it does not usurp a merits determination. A "jurisdictional finding of genuinely disputed facts is inappropriate when the jurisdictional issue and substantive issues are so intertwined that the question of jurisdiction is dependent on the resolution of factual issues going to the merits of an action." Id. (internal quotations and citations omitted).

  II. Article III Standing

  Federal courts are courts of limited jurisdiction, and the "case or controversy" requirement of Article III of the U.S. Constitution "limits federal courts' subject matter jurisdiction by requiring, inter alia, that plaintiffs have standing." Chandler v. State Farm Mut. Auto. Ins. Co. , 598 F.3d 1115, 1121 (9th Cir. 2010). As the Supreme Court recently reiterated, a plaintiff must demonstrate standing to sue by alleging the "irreducible constitutional minimum" of (1) an "injury in fact" (2) that is "fairly traceable to the challenged conduct of the defendants" and (3) "likely to be redressed by a favorable judicial decision." Spokeo I , 136 S.Ct. at 1547. These requirements may not be abrogated by Congress. Id. at 1548. The specific element of injury in fact is satisfied when the plaintiff has "suffered 'an invasion of a legally protected interest' that is 'concrete and particularized' and 'actual or imminent, not conjectural or hypothetical.' " Id. (quoting Lujan v. Defenders of Wildlife , 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) ).

  Spokeo I did not announce new standing requirements, as the citation to Lujan indicates. Rather, it sharpened the focus on when an intangible harm such as the violation of a statutory right is sufficiently concrete to rise to the level of an injury in fact. To determine whether an injury in fact has been demonstrated in this "somewhat murky area," Robins v. Spokeo, Inc. , 867 F.3d 1108, 1112 (9th Cir. 2017) ( Spokeo II ), the Supreme Court has held that "both history and the judgment of Congress play important roles." Spokeo I , 136 S.Ct. at 1549. History is instructive because an intangible harm is likely to be concrete for standing purposes when it bears "a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit." Id. Congress's judgment is particularly important because it is "well positioned to identify intangible harms" that are in fact concrete for Article III purposes. Id. Congress has the power to create statutory rights and causes of action "that will give rise to a case or controversy where none existed before." Id. Consequently, an intangible harm such as "the violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact. In other words, a plaintiff in such a case need not allege any additional harm beyond the one Congress has identified." Id.

  While Spokeo I refers to Congress, neither side disputes that state legislatures are equally well-positioned to determine when an intangible harm is a concrete injury. Our circuit said as much when it held that "state law can create interests that support standing in federal courts. If that were not so, there would not be Article III standing in most diversity cases, including run-of-the-mill contract and property disputes. State statutes constitute state law that can create such interests." Cantrell v. City of Long Beach , 241 F.3d 674, 684 (9th Cir. 2001). While this conclusion pre-dates Spokeo I , nothing there undercuts it. To be sure, state law *953cannot create Article III standing where none exists under our federal precedents. But there is no good reason why the judgment of a state legislature should be treated as less important than that of Congress in deciding when the violation of a statutory grant in itself amounts to a real and concrete injury.

  Our circuit has adopted decisions from sister circuits to hold that "an alleged procedural violation [of a statute] can by itself manifest concrete injury where Congress conferred the procedural right to protect a plaintiff's concrete interests and where the procedural violation presents 'a real risk of harm' to that concrete interest." Spokeo II , 867 F.3d at 1113 (internal citations omitted) (brackets in original). The dispositive inquiries are whether: (1) the statutory provisions at issue were established to protect the plaintiff's concrete interests; and (2) the specifically alleged procedural violations "actually harm or present a material risk of harm" to those interests. Id.

  III. Concrete Injury

  The plain language of BIPA drives the standing analysis in this case. BIPA expresses the judgments of the Illinois legislature about the rights of Illinois citizens with respect to the collection of personal biometric data by corporations and businesses. In re Facebook , 185 F.Supp.3d at 1169 (citing 740 Ill. Comp. Stat. 14/5(b) ). Specifically, BIPA manifests the Illinois legislature's conclusions that:

  (1) Biometrics are uniquely sensitive identifiers. "Biometrics are unlike other unique identifiers... [and] are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions." 740 Ill. Comp. Stat. 14/5(c).

  (2) Biometric technology is a new frontier subject to unpredictable developments. "The full ramifications of biometric technology are not fully known." Id. at 14/5(f).

  (3) People are apprehensive of transactions involving their biometrics. The "overwhelming majority of members of the public are weary of the use of biometrics when such information is tied to finances and other personal information" and are "deterred from partaking in biometric identifier-facilitated transactions." Id. at 14/5(d)-(e).

  (4) Regulation of biometric collection, use, and storage serves the public interest. The "public welfare, security and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information."Id. at 14/5(g).

  To address these concerns and protect the rights of its residents to control their biometric information, the Illinois legislature enacted several measures. Section 15(a) of BIPA requires private entities possessing biometric data to publish written policies on data retention and destruction. Section 15(b) provides that biometric data may not be obtained without (1) written notice that biometric data is at issue, (2) written notice of why and for how long the data is being collected and stored, and (3) written consent from the subject. Sections 15(c) and (d) limit the sale, trade, and disclosure of biometric data, and Section 15(e) sets security standards for storing data. Plaintiffs have sued under Sections 15(a) and (b) for lack of notice and consent.

  These provisions, along with the plain text of BIPA as a whole, leave little question that the Illinois legislature codified a right of privacy in personal biometric information. There is equally little doubt about the legislature's judgment that a violation of BIPA's procedures would cause actual and concrete harm. BIPA

  *954vested in Illinois residents the right to control their biometric information by requiring notice before collection and giving residents the power to say no by withholding consent. As the Illinois legislature found, these procedural protections are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual's unique biometric identifiers-identifiers that cannot be changed if compromised or misused. When an online service simply disregards the Illinois procedures, as Facebook is alleged to have done, the right of the individual to maintain her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.

  Consequently, the abrogation of the procedural rights mandated by BIPA necessarily amounts to a concrete injury. This injury is worlds away from the trivial harm of a mishandled zip code or credit card receipt. A violation of the BIPA notice and consent procedures infringes the very privacy rights the Illinois legislature sought to protect by enacting BIPA. That is quintessentially an intangible harm that constitutes a concrete injury in fact. See Spokeo II , 867 F.3d at 1113 (and cases cited therein).

  The Illinois legislature's considered judgments in enacting BIPA are also well-grounded in a long tradition of claims actionable in privacy law. The " 'common law and the literal understanding of privacy encompass the individual's control of information concerning his or her person.' " Eichenberger v. ESPN, Inc. , 876 F.3d 979, 983 (9th Cir. 2017) (quoting U.S. Dep't of Justice v. Reporters Comm. for Freedom of the Press , 489 U.S. 749, 763, 109 S.Ct. 1468, 103 L.Ed.2d 774 (1989) ). "Violations of the right to privacy have long been actionable at common law." Id. "Actions to remedy defendants' invasions of privacy, intrusion upon seclusion, and nuisance have long been heard by American courts, and the right of privacy is recognized by most states." Van Patten v. Vertical Fitness Grp., LLC , 847 F.3d 1037, 1043 (9th Cir. 2017) (citing Restatement (Second) of Torts § 652(B) (Am. Law Inst. 1977) ).

  Facebook insists that the collection of biometric information without notice or consent can never support Article III standing without "real-world harms" such as adverse employment impacts or even just "anxiety." See, e.g. , Dkt. No. 227 at 1, and 5-7 (emphasis in original). That contention exceeds the law. The Supreme Court has expressly recognized that the violation of statutory procedural rights in itself can be sufficient, without any additional harm alleged. Spokeo I , 136 S.Ct. at 1549. Our circuit has also found that "privacy torts do not always require additional consequences to be actionable." Eichenberger , 876 F.3d at 983. Intrusion on privacy alone can be a concrete injury. Id. ; see also Mount v. PulsePoint, Inc. , 684 Fed.Appx. 32, 34 (2d Cir. 2017), as amended (May 3, 2017) (unauthorized access to and monitoring of web-browsing is concrete injury); In re Facebook Internet Tracking Litig. , 263 F.Supp.3d 836, 843 (N.D. Cal. 2017) (tracking users' web-browsing history is concrete injury). Our circuit has specifically affirmed findings of concrete injury, and standing to sue, when plaintiffs were deprived of procedures that protected privacy interests without any attendant embarrassment, job loss, stress or other additional injury. See, e.g., Syed v. M-I, LLC , 853 F.3d 492, 499 (9th Cir. 2017) (loss of statutory right to authorize credit check by prospective employer); Eichenberger , 876 F.3d at 983-84 (loss of control over personal information under Video Privacy Protection Act).

  The cases Facebook relies upon to contest standing are readily distinguishable.

  *955In Gubala v. Time Warner Cable, Inc. , 846 F.3d 909 (7th Cir. 2017), for example, the plaintiff sued Time Warner for retaining his social security number and other personal information in violation of the Cable Communications Policy Act. But that is of scant relevance here because BIPA expressly recognizes that social security numbers do not implicate the kinds of privacy concerns that biometric identifiers do. Biometric identifiers, as the Illinois legislature found, are "unlike other unique identifiers" such as "social security numbers," because those "when compromised, can be changed." 740 Ill. Comp. Stat. 14/5(c).

  In McCollough v. Smarte Carte, Inc. , No. 16 C 03777, 2016 WL 4077108 (N.D. Ill. Aug. 1, 2016), a case brought under BIPA, locker rental customers in Illinois had to complete their rentals by "plac[ing] their finger on a fingerprint scanner, which is then displayed on the screen; finally, the screen displays the locker number and unlocks the locker." Id. at *1. The court found that "a customer would understand that Smarte Carte collects and retains their fingerprint data for at least the duration of the rental. The system would not work otherwise." Id. n.1.

  So too for Vigil v. Take-Two Interactive Software, Inc. , 235 F.Supp.3d 499, 513 (S.D.N.Y. 2017), another decision under BIPA that the Second Circuit affirmed in part, vacated in part, and remanded in Santana v. Take-Two Interactive Software, Inc. , 717 Fed.Appx. 12, No. 17-303, 2017 WL 5592589 (2d Cir. Nov. 21, 2017). In that case, the plaintiffs bought a basketball videogame that allowed players to create personalized "avatars" using their own faces. 717 Fed.Appx. at ----, 2017 WL 5592589 at *1. To make an avatar, players had to scan their faces for approximately 15 minutes by standing "within 6 to 12 inches of the camera" and slowly moving "their heads 30 degrees to the left and to the right." Id. Critically, before a player could create an avatar, she was required to consent by pressing "continue" after reading a notice stating that the "face scan" might be recorded. Id. In these circumstances, the district court found that the plaintiffs clearly knew that "Take-Two had to collect data based upon their faces in order to create the personalized basketball avatars, and that a derivative of the data would be stored in the resulting digital faces of those avatars so long as those avatars existed." Vigil , 235 F.Supp.3d at 515. The Second Circuit had little troubling concluding that Take-Two had satisfied BIPA's notice and consent provisions, and that the plaintiffs could not allege a material risk of harm to a concrete interest protected by the statute. 717 Fed.Appx. at ----, 2017 WL 5592589 at *3.

  While McCullough and Vigil involved BIPA, they turned on circumstances that are a far cry from the ones alleged here. In those cases, the plaintiffs indisputably knew that their biometric data would be collected before they accepted the services offered by the businesses involved. Vigil had the specific fact of prior written notice and click-through consent. In each case, the plaintiffs had sufficient notice to make a meaningful decision about whether to permit the data collection. That factual difference makes these cases of little value in addressing the allegations in the consolidated complaint that Facebook afforded plaintiffs no notice and no opportunity to say no.

  Facebook's reliance on Spokeo II is also misplaced. It highlights a comment in a footnote that a plaintiff might have a hard time showing standing under FCRA provisions "which do not turn on any alleged reporting inaccuracy." Spokeo II , 867 F.3d at 1116 n.2 (emphasis in original). This point appears to be a further elaboration on Facebook's "real harm" contention and *956is unpersuasive for the same reasons. But even taken on its own, it is again of little relevance because BIPA, unlike FCRA, targets the unauthorized collection of information in the first instance. The two statutes are sufficiently distinct so that Spokeo II 's FCRA concerns simply do not apply here. See Eichenberger , 876 F.3d at 983-84 ( Spokeo I and II distinguishable because Video Privacy Protection Act, unlike FCRA, identifies a substantive right to privacy). In addition, as the footnote itself suggests, the comment is likely dicta because the plaintiff in Spokeo II did not allege a claim independent of a reporting inaccuracy. Spokeo II , 867 F.3d at 1116 n.2.

  In addition to its legal arguments, Facebook has submitted its user agreement and data policy, deposition excerpts and other extrinsic evidence to contend that BIPA's notice and consent requirements were actually satisfied. See, e.g., Dkt. No. 227 at 10-11. While that may or may not prove true in the end, the salient point for present purposes is that notice and consent are inextricably intertwined with the merits of plaintiffs' claims. The parties contest the facts surrounding those issues, in contrast to the largely undisputed material facts in McCullough and Vigil . These dispositive disputes on the merits should be decided on summary judgment or at trial, and not in the Rule 12(b)(1) jurisdictional context. Safe Air , 373 F.3d at 1039.

  CONCLUSION

  Facebook's motion to dismiss for lack of subject matter jurisdiction is DENIED .

  IT IS SO ORDERED.

• Sign In
• Sign Up