The Privacy Risk Report has previously reported on the necessity to safeguard personal information such as names, addresses, social security numbers and credit card information to avoid risk resulting from data breaches. The latest trend we are seeing now involves a push by state legislatures to enact new laws that also protect biometric data, such as the Illinois Biometric Information Privacy Act (BIPA).

“Biometrics” is defined as “the field of science relating to the identification of humans based upon unique biological traits, such as fingerprints, DNA, and retinas” and recently “has produced new ways of conducting commercial transactions.” In particular, the protection of biometrics is a growing concern as this technology is turning up in everything from watches that may collect health data and finger-scanners at grocery stores and gas stations to retina scanners for financial transactions. Not only is this technology here to stay, but it is already involved in litigation across the country.

For example, in Vigil v. Take-Two Interactive Software, Inc., the U.S. District Court for the Southern District of New York found class action plaintiffs lacked standing to bring suit under BIPA for claims related to how their faces were used to create personalized avatars in a video game.

Illinois Biometric Information Privacy Act

The Illinois legislature enacted BIPA (740 Ill. Comp. Stat. 14/1 et seq.), “which sets forth disclosure, consent, and retention requirements for private entities that collect, store, and disseminate biometric data.”

Before reaching its decision to grant Take-Two’s motion to dismiss, the District Court provided the following exhaustive background on BIPA:

As the Illinois legislature observed, biometric data are by definition unique, and thus—unlike a credit card number—cannot realistically be changed if they are subject to identity theft. See 740 Ill. Comp. Stat. 14/5(c). The Illinois legislature was concerned that the failure of businesses to implement reasonable safeguards for such data would deter Illinois citizens from “partaking in biometric identifier-facilitated transactions” in the first place, and would thus discourage the proliferation of such transactions as a form of engaging in commerce. 740 Ill. Comp. Stat. 14/5(e). The BIPA represents the Illinois legislature’s judgment that the collection and storage of biometrics to facilitate financial transactions is not in-of-itself undesirable or impermissible; instead, the purpose of the BIPA is to ensure that, when an individual engages in a biometric-facilitated transaction, the private entity protects the individual’s biometric data, and does not use that data for an improper purpose, especially a purpose not contemplated by the underlying transaction. See 740 Ill. Comp. Stat. 14/5(a–g).

Under the BIPA, a “biometric identifier” is “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” while “biometric information” is information based on “biometric identifiers.” 740 Ill. Comp. Stat. 14/10.

Take-Two’s Video Game — NBA 2K16

The defendant, Take-Two, collects and uses biometric data for its video games, including NBA 2K16. The plaintiffs allege that they used a feature in the video game “to scan their respective faces to create personalized virtual basketball players, exclusively for in-game play.” The plaintiffs did not allege the images of their faces were used for anything beyond use in their own games. The “MyPlayer” feature was specifically at issue, “which allows a gamer to create a ‘personalized basketball avatar’ based on a three-dimensional rendition of the gamer’s face.”

Plaintiffs’ Claims of BIPA Violations

Plaintiffs claimed that Take-Two’s violations of BIPA included the following:

  • Take-Two did not publicly provide “a retention schedule or guidelines for permanently destroying biometric identifiers;”
  • Take-Two failed to inform the plaintiffs in writing that their biometric information was being collected;
  • Take-Two collected biometric information without obtaining a proper release from the plaintiffs;
  • Take-Two disclosed and disseminated plaintiffs’ biometric information without adequate consent;
  • Take-Two did not employ “industry-standard reasonable care;” and,
  • Take-Two profited from plaintiffs’ biometric information.

Dismissal of Plaintiffs’ Complaint

Unconvinced by the plaintiffs’ arguments, the District Court granted Take-Two’s motion to dismiss the plaintiffs’ second amended complaint based on a finding that the plaintiffs lacked standing to bring suit against Take-Two. As with many data storage cases, the plaintiffs had to demonstrate they had standing to bring suit. In order to avoid Take-Two’s motion to dismiss, the plaintiffs attempted to establish standing by supporting their claims with allegations of procedural violations of BIPA, without any allegations of additional harm.

The District Court rejected the plaintiffs’ position because “[n]one of the plaintiffs’ allegations of procedural violations, on their own, demonstrate a material risk of harm to BIPA’s concrete data protection interest because there is no plausible allegation that there is a material risk that plaintiffs’ biometrics may be used in a way not contemplated by the underlying use of the MyPlayer feature.”

Additionally, the District Court held the plaintiffs failed to establish that there was “an imminent risk of harm that Take-Two’s storage and dissemination of their facial scans could compromise the data protection interest of the BIPA.” The District Court held the allegations that Take-Two’s practices may have subjected plaintiffs’ facial scans to an “‘enhanced risk of harm’ of somehow falling into the ‘wrong hands’” was too speculative to demonstrate plaintiffs had standing to sue Take-Two.

The District Court also rejected the plaintiffs’ argument that their damages were more than merely “speculative and abstract” because “face scans are relatively immutable, and, unlike (for example) passwords, cannot be changed.”

Initial Impact of this Decision

One fundamental principle in each section of the District Court’s lengthy opinion is that the plaintiffs scanned their own faces in order to create avatars for the video game. The plaintiffs also failed to allege that the biometric information was used for any purpose other than the one to which they had consented. That being said, this will not be the last time a court will be called on to interpret BIPA or similar statutes across the country. It is only a matter of time before data collectors find other uses for biometric information.