The U.S. Court of Appeals for the Second Circuit on Nov. 21, 2017, affirmed the dismissal of a putative class action alleging violations of the Illinois Biometric Information Privacy Act for failing to allege a material risk of harm. Although the facts of the case, Santana v. Take-Two Interactive Software, limit the impact of the ruling on the viability of BIPA claims, it nonetheless adds further support to the growing body of caselaw following Spokeo v. Robins finding allegations of procedural violations of privacy statutes to be insufficient to establish Article III standing.
Illinois passed the BIPA—still the most sweeping law regulating the collection, storage and use of individuals’ biometric information in the United States—in 2008. BIPA requires organizations to provide written notice of their biometric information collection, storage and use practices and to obtain written consent before collecting an individual’s biometric data. The notice must include the purpose of the collection and the duration that the organization will use or retain the data. A “biometric identifier” is defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Once an organization has collected biometric data, BIPA requires that the date be protected in the same manner as other sensitive and confidential information using the reasonable standard of care in the organization’s industry. And BIPA requires organizations to have a publicly available, written policy stating how long the organization will retain the data and rules governing the destruction of that data. BIPA is unique among state biometric data laws in that it provides a private right of action to any person who is “aggrieved by a violation” of the law.
Take-Two Interactive Software, Inc. develops and distributes video games, including “NBA 2K15” and “NBA 2K16.” These games have a feature called “MyPlayer,” which allows players to create personalized avatars in the games with a 3-D rendition of the player’s face. To create a MyPlayer avatar a player must first agree to terms and conditions that state: “Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay. By proceeding, you agree and consent to such uses and other use pursuant to the End User License Agreement.” The user must then sit through a facial scanning process that takes 15 about minutes. If a player chose to play the game online in multiplayer mode, other players in that game would see the personalized avatar.
In 2015, the plaintiffs filed a putative class action alleging that Take-Two’s My Player feature violated BIPA. They alleged that Take-Two collected and disseminated their biometric data without their informed consent; failed to inform them of the specific purpose and duration for which their biometric data would be stored; failed to make publicly available a retention schedule or destruction guidelines; and failed to store, transmit, or protect their biometric data by using a reasonable standard of care or in a manner that is at least as protective a manner as Take-Two treats its other confidential and sensitive information.
The district court dismissed plaintiffs’ claims with prejudice for lack of Article III standing and failure to state a cause of action under the statute (i.e., statutory standing).
The Second Circuit began its analysis by examining the principles for determining whether a plaintiff possesses standing, noting a plaintiff must establish “first, that ‘Congress conferred the procedural right to protect a plaintiff’s concrete interests’ as to the harm in question, and second, that ‘the procedural violation presents a risk of real harm to that concrete interest.’” Because neither party disputed the first requirement, the court assumed that “BIPA’s purpose is to prevent the unauthorized use, collection, or disclosure of an individual’s biometric data.” However, the Second Circuit found that the second requirement for standing had not been met, concluding that “none of the alleged procedural violations here raise a material risk of harm to this interest.”
The Second Circuit found that although plaintiffs allege that Take-Two had collected and disclosed their biometric data (when they played the game with other players) without their authorization, they did not, and could not, given the detailed and lengthy scanning process, dispute that the camera was conducting a facial scan to be used in the creation of a personalized avatar. The court also found that allegations that Take-Two did not inform users of the duration it would hold their biometric data or provide notice of its retention schedule and destruction guidelines were insufficient as the plaintiffs did not show how these alleged violations presented “a material risk that their biometric data [would] be misused or disclosed.” Indeed, the plaintiffs had not alleged that “Take-Two has not or will destroy their biometric data within the period specified by the statue,” and “Take-Two lacks [retention and destruction] protocols, that its policies are inadequate, or that Take-Two is unlikely to abide by its internal procedures.” The mere technical or procedural violations of the statute were not enough to confer standing.
Similarly, the Second Circuit found the allegation that Take-Two had violated the data security provisions of BIPA by “transmit[ting] . . . unencrypted scans of face geometry via the open, commercial Internet,” and “stor[ing] [p]laintiffs’ face templates in a manner that associates their identity with their biometric data,” inadequate because plaintiffs had not alleged that these purported violations raised “a material risk that their biometric data will be improperly accessed by third parties.” Finally, the Second Circuit rejected the plaintiffs’ attempt to manufacture an injury by alleging that the BIPA violations deterred them from participating in biometric transactions in the future. The court held that “[p]laintiffs’ fear, without more, is insufficient to confer an Article III injury-in-fact.” Indeed, the court noted that BIPA’s legislative findings clarified that the problem of customer withdrawal from biometric transaction only arises when a customer’s biometric data had been “compromised (i.e., collected or disclosed without his or her authorization).”
Take-Two establishes standing limitations in the Second Circuit to BIPA claims where the plaintiff is unable to allege an injury separate from a procedural violation of technical aspects of the statute’s notice and policy requirements. The breadth of the ruling is likely limited, however, by the factual circumstances of the case. The plaintiff was well-aware that Take-Two would collect, store and use the plaintiff’s facial scan—that was the entire point of the feature he used, and he sat through a lengthy facial scanning process. Whether the Second Circuit would have reached a different conclusion if the defendant had not provided any notice to the plaintiffs before collecting and using the plaintiff’s biometric scans remains an open question. Therefore, organizations should be careful not to read Take-Two as carte blanche to collect and use biometric data from Illinois residents without notice.
Nevertheless, Take-Two adds an arrow to the quiver of defendants challenging standing in privacy and data security cases at the pleading stage. See our prior analysis in “Second Circuit Holds Procedural FACTA Violation Insufficient to Establish Standing” and “The Seventh Circuit Finds No Standing in FCRA Case Based on Job Application Credit Reports.” Along with Crupar-Weinmann v. Paris Baguette America and Katz v. Donna Karan, Take-Two supports arguments that plaintiffs in such cases must allege an injury that derives from procedural violations of privacy statutes, and cannot rely on the procedural violation alone.