As the number of lawsuits based on claimed violations of the Illinois Biometric Information Protection Act (“BIPA”) increase, litigants have struggled to find guidance from the courts on this new area of law. The Ninth Circuit’s August 8, 2019 decision in Patel v. Facebook, Inc., No. 18-15982 (August 8, 2019) provides slightly more guidance. In Facebook, the Ninth Circuit affirmed the district court’s finding that allegations related to Facebook’s use and storage of “face templates” may violate BIPA. The Ninth Circuit focused on whether the plaintiff’s allegations constitute a concrete and particularized harm sufficient to confer Article III standing under the U.S. Constitution. This has been a threshold question for a number of years in data breach litigation. In short, Article III of the Constitution limits the jurisdiction of federal courts to “Cases” and “Controversies” “which are appropriately resolved through the judicial process.” Under the U.S. Supreme Court decision in Clapper v. Amnesty Int’l USA, a plaintiff is required to show a data breach resulted in an “imminent risk of a concrete injury” to have standing under Article III. Initially, a number of courts dismissed data breach cases because they lacked standing as plaintiffs were not able to show a concrete injury and the alleged future injuries were too speculative related to a data breach.

However, the question of whether plaintiffs have standing in data breach cases may be drastically different in BIPA violation cases. It is well-established under Illinois law that a plaintiff may be “aggrieved” under BIPA when a data collector merely fails to provide proper notice and get consent that biometric information will be collected and used. Therefore, the Facebook decision may have been inevitable given the substantial body of law on Article III standing for data breach cases coupled with well-settled Illinois law addressing BIPA claims.

Facebook’s Creation Of Template For “Tag Suggestions” Application

The Ninth Circuit provided the following background concerning the plaintiffs’ usage of Facebook and how it gave rise to this action:

• “When a new user registers for a Facebook account, the user must create a profile and agree to Facebook’s terms and conditions…”
• “To interact with other users on the platform, a Facebook user identifies another user as a friend and sends a friend and sends a friend request.” The two users can share text and photographs when they become “Facebook friends.”
• Facebook allows users to tag their Facebook friends in photos they post.
• “In 2010, Facebook launched a feature called Tag Suggestions” that allows “facial-recognition technology to analyze whether the user’s Facebook friends are in photos uploaded by the user.”
• Facebook scans the photos for images of faces to “extract the various geometric data points that make a face unique, such as the distance between the eyes, nose, and ears, to create a face signature or map.”
• The face signatures are saved in a database stored on Facebook servers that allows matching to other saved photos which allows Facebook to make a suggestion to tag a person appearing in the photograph.

Ninth Circuit’s Finding That Plaintiffs Had Standing To Bring Suit

The class-action plaintiffs were living in Illinois and claim to have uploaded photos while in Illinois and claim the use of their photos to create a template violated BIPA. In particular, the plaintiffs claim BIPA was violated with Facebook’s “collecting, using, and storing biometric identifiers…from their photos without obtaining a written release and without establishing a compliant retention schedule.”

Facebook filed a motion to dismiss arguing the plaintiffs “had not alleged any concrete injury” and lacked standing under Article III.  Plaintiffs filed a motion to certify a class action while the motion to dismiss was pending. The Ninth Circuit first reviewed the district court denial of Facebook’s motion to dismiss.

As seen in a number of other privacy cases, the Ninth Circuit relied on well-settled law holding a plaintiff “must have suffered an ‘injury in fact’—an invasion of legally protected interest which is (a) concrete and particularized; and (b) actual or imminent, not conjectural or hypothetical.”  As part of this analysis, the Ninth Circuit further held “it is not enough for a plaintiff to allege a defendant has violated a right created by statute…”  Further, the Ninth Circuit adopted the following “two-step approach to determine whether the violation of a statute causes concrete injury:”

• Whether the statutory provisions at issue were established to protect the plaintiff’s concrete interests (as opposed to purely procedural rights), and

• Whether the specific procedural violations alleged in this case actually harm, or present a material risk of harm to, such interests.

In applying this two-step approach, the Ninth Circuit rejected Facebook’s argument that plaintiffs’ complaint should be dismissed to the extent it “describes a bare procedural violation of BIPA rather than injury to a concrete interest, and therefore plaintiffs failed to allege that they suffered an injury-in-fact that is sufficiently concrete for purposes of standing.” In agreeing with the plaintiffs, the Ninth Circuit held this first prong was met as it held “we conclude that an invasion of an individual’s biometric privacy rights ‘has a close relationship to a harm that has traditionally been regarded as providing as basis for a lawsuit in English or American courts.”  In short, the Ninth Circuit found “the development of a face template using facial recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests.”

As for the second prong, the Ninth Circuit found Facebook may have caused “actual harm” with a face template that will be retained “for all time.”  The Ninth Circuit held BIPA protects against the improper notice and use of biometric data which can lead to a violation of privacy rights. Based on the legislative intent behind BIPA, the Ninth Circuit found the plaintiffs “alleged a concrete injury-in-fact sufficient to confer Article III standing.”

The Ninth Circuit’s Decision May Have Been Inevitable In Light Of Illinois Law

The Illinois Supreme Court decision in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019) may have forced the Ninth Circuit’s holding in Facebook. In Rosenbach, the Illinois Supreme Court analyzed the provision in the Biometric Act which states that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”  The central question for the Supreme Court was whether the use of the term “aggrieved” in the Biometric Act requires a plaintiff assert that they suffered an injury in addition to having their biometric data collected.  In reversing the Illinois Court of Appeals, the Illinois Supreme Court found a violation of the Biometric Act when a data collector merely took information from a minor without proper consent.  The most important aspect of the Rosenbach decision is a data collector can be liable without breaching any information. Therefore, the Ninth Circuit quickly realized that BIPA claims were not going to face the same questions related to Article III standing that plagued data breach plaintiffs for years.  While the Facebook decision was inevitable, it is interesting to the extent it shows how two areas of privacy law are developing separately.

For more information, contact Tressler attorney Todd Rowe at trowe@tresslerllp.com.

The post Ninth Circuit’s Recent BIPA Decision Must Be Kept In Context With Well-Settled Illinois Law appeared first on Privacy Risk Report.

It is a pivotal moment when the United States Supreme Court addresses data breach cases. There was a time when people said that cyber security would be like “Y2K” and any preparations for cyber issues would suffer the same embarrassing fate as buying a generator to prepare for “Y2K.” There is no need to get too emotional, but there is no reasonable dispute that privacy issues are now just a part of our lives. April 24, 2019 is a watershed moment in privacy law when the U.S. Supreme Court issued a decision in Lamps Plus, Inc. v. Varela, 2019 1780275 (April 24, 2019), a case that starts with a data breach.

• The Breach

In Lamps Plus, an employee, Frank Varela, filed a class action against his employer, Lamps Plus, in the U.S. District Court of California. Varela claimed his employer’s negligence provide a hacker with access to tax information that resulted in a fraudulent tax return being filed in his name. Varela’s class action complaint further asserted that 1,300 other employees had their information taken as well.

• Procedural History

Lamps Plus filed a motion to dismiss in the District Court wherein it argued the arbitration agreement in Varela’s employment contract required the dismissal of Varela’s class action lawsuit and that his claims should be arbitrated on an individual basis rather in a class action. The District Court denied the portion of the motion seeking to have the class members arbitrate their claims on an individual basis but authorized the arbitration of the claims on a class-wide basis. The Ninth Circuit affirmed the District Court’s decision to allow the class action plaintiffs arbitrate their claims as a class rather than require each class member arbitrate their claims individually. In particular, the Ninth Circuit’s holding, based on a finding that the arbitration provision was ambiguous, would have allowed Varela and the other employees to pursue their claims as a class in an arbitration proceeding.

In short, Varela argued that he should be permitted to litigate—in the courts—a class action against Lamps Plus despite signing an employment agreement with an arbitration provision stating “arbitration shall be in lieu of any and all lawsuits or other civil legal proceedings related to my employment.” On the other hand, Lamps Plus took the position that the case should be arbitrated and Varela was required to arbitrate his claims individually rather than drawing on the strength of other members in a class action. (A good breakdown of these issues can be found in this New York Times article.)

• Supreme Court’s Decision In Favor Of Lamps Plus

In a 5-4 decision, the Supreme Court reversed and remanded the Ninth Circuit’s decision since Lamps Plus did not expressly agree to arbitrating employee disputes on a class action basis. Based on the arbitration provision in the employment agreement, Chief Justice Roberts—writing the majority opinion— held only individual arbitrations were permitted. The Majority further opined “Class arbitration ‘sacrifices the principal advantage of arbitration—its informality—and makes the process slower, more costly, and more likely to generate procedural morass than final judgment.’”

• How To Approach These Issues

Admittedly, the central issue in the Lamps Plus decision relates to the enforcement of an arbitration clause and merely happens to arise out of data breach. Nevertheless, this issue should be front and center for any employer that collects an employee’s private data.  In addition to reaching an agreement on the process of bringing claims against an employer (class actions versus individual claims), employment agreements may need to start addressing whether privacy claims should be litigated or arbitrated.

A further example was seen on April 9, 2019 when the Appellate Court of Illinois found an arbitration agreement did not allow an employer to arbitrate an employee’s biometric data claim. Liu v. Four Seasons Hotel, Ltd., 2019 IL App (1^st) 182645 (April 9, 2019). In Liu, the Court of Appeals rejected an employer’s contention that an employment agreement to arbitrate “wage or hour violation” claims would include the plaintiff’s alleged biometric data violations. The Liu court rejected the employer’s argument “that the sole purpose of requiring employees to scan their fingerprints was to monitor the hours worked, which makes it a ‘wage or hour violation’ claim.”

These two recent cases involving employment agreements demonstrate that there are a number of moving parts to a privacy lawsuit that must be considered by both those collecting the data and those having their data collected.

The post Arbitrate Or Litigate: U.S. Supreme Court Decision Sheds Light On Consequences Of Lamp Seller’s Data Breach appeared first on Privacy Risk Report.