DocketNumber: Case No. 3:15–cv–03747–JD
Citation Numbers: 290 F. Supp. 3d 948
Judges: Donato
Filed Date: 2/26/2018
Status: Precedential
Modified Date: 7/25/2022
In this putative class action case under the Illinois Biometric Information Privacy Act, 740 Ill. Comp. Stat. 14/1 et seq. ("BIPA"), named plaintiffs allege that defendant Facebook, Inc. ("Facebook") unlawfully collected and stored their biometric data without prior notice or consent. Dkt. No. 40. Facebook asks to dismiss the case under Federal Rule of Civil Procedure 12(b)(1) and Spokeo, Inc. v. Robins, --- U.S. ----,
BACKGROUND
This consolidated action originated as three separate cases originally filed in Illinois courts. Two of the cases were filed in federal court, while a third was filed in Illinois state court and removed to federal court by Facebook under the Class Action Fairness Act. Notice of Removal, Licata v. Facebook, Inc., No. 1:15-cv-04022 (N.D. Ill. filed May 6, 2015) (No. 1). The parties stipulated to transfer the cases to this Court, where they were consolidated into a single action. In re Facebook Biometric Info. Privacy Litig.,
The consolidated complaint alleges that Facebook "operates the largest social network in the world, with over one billion active users." Dkt. No. 40 ¶ 1. The named plaintiffs, Nimesh Patel, Adam Pezen and Carlo Licata, use Facebook "to, among other things, upload and share photographs with friends and relatives." Id. ¶¶ 2, 7-9.
Plaintiffs' claims arise out of Facebook's "Tag Suggestions" program launched in 2010. Id. ¶ 3. A user "tags" other Facebook users and non-users by identifying them in photographs uploaded to Facebook. Id. ¶ 2. "Tag Suggestions" is intended to encourage more tagging. Id. ¶ 3. It scans uploaded photographs "and then identif[ies] faces appearing in those photographs." Id. If the program "recognizes and identifies one of the faces appearing in [a] photograph, Facebook will suggest that individual's name or automatically tag them." Id. In effect, the program associates names with faces in photos and prompts users to tag those people.
Tag Suggestions uses "state-of-the-art facial recognition technology" to extract biometric identifiers from photographs that users upload. Id. ¶¶ 4, 22. Facebook creates and stores digital representations (known as "templates") of people's faces based on the geometric relationship of facial features unique to each individual, "like the distance between [a person's] eyes, nose and ears." Id. ¶ 23.
Plaintiffs allege that Facebook collected users' biometric data secretly and without consent. Specifically, they allege that the Tag Suggestions program violated BIPA because Facebook did not: "[1] properly inform plaintiffs or the class in writing that their biometric identifiers (face geometry) were being generated, collected or stored; [2] properly inform plaintiffs or the class in writing of the specific purpose and length of time for which their biometric identifiers were being collected, stored, and used; [3] provide a publicly available retention schedule and guidelines for permanently destroying the biometric identifiers of plaintiffs and the class (who do not opt-out of 'Tag Suggestions'); and [4] receive a written release from plaintiffs or the class to collect, capture, or otherwise obtain their biometric identifiers." Id. ¶ 5. Plaintiffs seek declaratory and injunctive relief and statutory damages. Id. ¶ 6.
DISCUSSION
I. Legal Standards
"A Rule 12(b)(1) jurisdictional attack may be facial or factual. In a facial attack, the challenger asserts that the allegations contained in a complaint are insufficient on their face to invoke federal jurisdiction. By contrast, in a factual attack, the challenger disputes the truth of the allegations that, by themselves, would otherwise invoke federal jurisdiction." Safe Air for Everyone v. Meyer,
In a facial jurisdictional challenge, the Court takes all factual allegations in the complaint as true and draws all reasonable inferences in plaintiffs' favor. Pride v. Correa,
II. Article III Standing
Federal courts are courts of limited jurisdiction, and the "case or controversy" requirement of Article III of the U.S. Constitution "limits federal courts' subject matter jurisdiction by requiring, inter alia, that plaintiffs have standing." Chandler v. State Farm Mut. Auto. Ins. Co.,
Spokeo I did not announce new standing requirements, as the citation to Lujan indicates. Rather, it sharpened the focus on when an intangible harm such as the violation of a statutory right is sufficiently concrete to rise to the level of an injury in fact. To determine whether an injury in fact has been demonstrated in this "somewhat murky area," Robins v. Spokeo, Inc.,
While Spokeo I refers to Congress, neither side disputes that state legislatures are equally well-positioned to determine when an intangible harm is a concrete injury. Our circuit said as much when it held that "state law can create interests that support standing in federal courts. If that were not so, there would not be Article III standing in most diversity cases, including run-of-the-mill contract and property disputes. State statutes constitute state law that can create such interests." Cantrell v. City of Long Beach,
Our circuit has adopted decisions from sister circuits to hold that "an alleged procedural violation [of a statute] can by itself manifest concrete injury where Congress conferred the procedural right to protect a plaintiff's concrete interests and where the procedural violation presents 'a real risk of harm' to that concrete interest." Spokeo II,
III. Concrete Injury
The plain language of BIPA drives the standing analysis in this case. BIPA expresses the judgments of the Illinois legislature about the rights of Illinois citizens with respect to the collection of personal biometric data by corporations and businesses. In re Facebook,
(1) Biometrics are uniquely sensitive identifiers. "Biometrics are unlike other unique identifiers... [and] are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions." 740 Ill. Comp. Stat. 14/5(c).
(2) Biometric technology is a new frontier subject to unpredictable developments. "The full ramifications of biometric technology are not fully known."
(3) People are apprehensive of transactions involving their biometrics. The "overwhelming majority of members of the public are weary of the use of biometrics when such information is tied to finances and other personal information" and are "deterred from partaking in biometric identifier-facilitated transactions."
(4) Regulation of biometric collection, use, and storage serves the public interest. The "public welfare, security and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information." Id. at 14/5(g).
To address these concerns and protect the rights of its residents to control their biometric information, the Illinois legislature enacted several measures. Section 15(a) of BIPA requires private entities possessing biometric data to publish written policies on data retention and destruction. Section 15(b) provides that biometric data may not be obtained without (1) written notice that biometric data is at issue, (2) written notice of why and for how long the data is being collected and stored, and (3) written consent from the subject. Sections 15(c) and (d) limit the sale, trade, and disclosure of biometric data, and Section 15(e) sets security standards for storing data. Plaintiffs have sued under Sections 15(a) and (b) for lack of notice and consent.
These provisions, along with the plain text of BIPA as a whole, leave little question that the Illinois legislature codified a right of privacy in personal biometric information. There is equally little doubt about the legislature's judgment that a violation of BIPA's procedures would cause actual and concrete harm. BIPA vested in Illinois residents the right to control their biometric information by requiring notice before collection and giving residents the power to say no by withholding consent. As the Illinois legislature found, these procedural protections are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual's unique biometric identifiers-identifiers that cannot be changed if compromised or misused. When an online service simply disregards the Illinois procedures, as Facebook is alleged to have done, the right of the individual to maintain her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.
Consequently, the abrogation of the procedural rights mandated by BIPA necessarily amounts to a concrete injury. This injury is worlds away from the trivial harm of a mishandled zip code or credit card receipt. A violation of the BIPA notice and consent procedures infringes the very privacy rights the Illinois legislature sought to protect by enacting BIPA. That is quintessentially an intangible harm that constitutes a concrete injury in fact. See Spokeo II,
The Illinois legislature's considered judgments in enacting BIPA are also well-grounded in a long tradition of claims actionable in privacy law. The " 'common law and the literal understanding of privacy encompass the individual's control of information concerning his or her person.' " Eichenberger v. ESPN, Inc.,
Facebook insists that the collection of biometric information without notice or consent can never support Article III standing without "real-world harms" such as adverse employment impacts or even just "anxiety." See, e.g., Dkt. No. 227 at 1, and 5-7 (emphasis in original). That contention exceeds the law. The Supreme Court has expressly recognized that the violation of statutory procedural rights in itself can be sufficient, without any additional harm alleged. Spokeo I,
The cases Facebook relies upon to contest standing are readily distinguishable.
In Gubala v. Time Warner Cable, Inc.,
In McCollough v. Smarte Carte, Inc., No.
So too for Vigil v. Take-Two Interactive Software, Inc.,
While McCullough and Vigil involved BIPA, they turned on circumstances that are a far cry from the ones alleged here. In those cases, the plaintiffs indisputably knew that their biometric data would be collected before they accepted the services offered by the businesses involved. Vigil had the specific fact of prior written notice and click-through consent. In each case, the plaintiffs had sufficient notice to make a meaningful decision about whether to permit the data collection. That factual difference makes these cases of little value in addressing the allegations in the consolidated complaint that Facebook afforded plaintiffs no notice and no opportunity to say no.
Facebook's reliance on Spokeo II is also misplaced. It highlights a comment in a footnote that a plaintiff might have a hard time showing standing under FCRA provisions "which do not turn on any alleged reporting inaccuracy." Spokeo II,
In addition to its legal arguments, Facebook has submitted its user agreement and data policy, deposition excerpts and other extrinsic evidence to contend that BIPA's notice and consent requirements were actually satisfied. See, e.g., Dkt. No. 227 at 10-11. While that may or may not prove true in the end, the salient point for present purposes is that notice and consent are inextricably intertwined with the merits of plaintiffs' claims. The parties contest the facts surrounding those issues, in contrast to the largely undisputed material facts in McCullough and Vigil. These dispositive disputes on the merits should be decided on summary judgment or at trial, and not in the Rule 12(b)(1) jurisdictional context. Safe Air,
CONCLUSION
Facebook's motion to dismiss for lack of subject matter jurisdiction is DENIED.
IT IS SO ORDERED.