On January 21, 2020, the Supreme Court denied Facebook’s Petition for Certiorari, which raised the issues of (i) whether a court can find Article III standing based on its conclusion that a state protects a concrete interest, without determining that the plaintiff suffered a personal, real-world injury from the alleged statutory violation; (ii) whether a court can find Article III standing based on a risk that a plaintiff’s personal information could be misused in the future, without concluding the possibility of misuse is imminent; and (iii) whether a court can certify a class without deciding a question of law that is relevant to determining whether common issues predominate under [Federal Rule of Civil Procedure,] Rule 23.
The underlying case, Patel v. Facebook Inc., hinges on a question of whether Facebook violated the Illinois Biometric Privacy Act (BIPA) by implementing a photo-tagging feature that recognized users’ faces and suggested their names without first obtaining adequate consent.
BIPA, which was passed into law in 2008, requires companies to obtain written consent from people before collecting biometric identifiers or biometric information, including (1) informing the subject that the biometric information is being collected/stored; (2) informing the subject of the purpose and duration for which the biometric information is being collected, stored, and used; and (3) receiving a written release. “Biometric identifier” is defined by the statute to include a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” and expressly excludes a multitude of things, including but not limited to “writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color and eye color”; donated organs, tissues, blood, or serum; biological materials regulated under the Genetic Information Privacy Act; and information captured from a patient in a health care setting. “Biometric information” is defined as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”
BIPA provides users with a private right of action, and statutory damages of $1,000 per violation (or actual damages, whichever is greater), or $5,000 per violation (or actual damages, whichever is greater) if the violation is intentional or reckless. BIPA also provides for the recovery of attorneys’ fees and costs and other relief, including an injunction. (Note: It is BIPA’s private right of action, and hefty fines, that distinguish it from other state laws regulating biometric data usage.)
Facebook argued in its cert petition that the plaintiffs in Patel v. Facebook lacked standing to bring the suit because, although the plaintiffs claimed that their privacy interests under the statute had been violated, they never alleged (or showed) “that they would have done anything differently, or that their circumstances would have changed in any way, if they had received the kind of notice and consent they alleged that [the Illinois law] requires, rather than the disclosures that Facebook actually provided to them.”
Of note, the challenged practice is no longer used by Facebook. While Facebook previously disclosed that it was using facial recognition technology and gave users the option to turn it off, as of September 2019, Facebook changed its practice, replacing it with an interface that expressly asks users whether they want to turn on the feature. This change was one of many that resulted from Facebook’s settlement of an ITC investigation (which also resulted in Facebook’s payment of a $5 billion fine).