On January 21, 2020, the Supreme Court denied Facebook’s Petition for a Writ of Certiorari to the Ninth Circuit in Facebook Inc. v. Patel regarding standing and class certification issues in a suit under the Illinois Biometric Information Privacy Act (“BIPA”).
Facebook sought review of:
- “Whether a court could find Article III standing based on its conclusion that a statute protects a concrete interest, without determining that the plaintiff suffered a personal, real-world injury from the alleged statutory violation”
- Whether a court can find Article III standing based on a risk that a plaintiff’s personal information could be misused in the future, without concluding that the possibility of misuse is imminent”, and
- “Whether a court can certify a class without deciding a question of law that is relevant to determining whether common issues predominate under Rule 23.”
The lead plaintiffs argued that Facebook violated BIPA by using facial-recognition software to help users tag people in photos. Plaintiffs argued that Facebook did not seek particular consent or provide them with particular notice as required by BIPA.
On January 29, 2020, Facebook announced a tentative $550 million settlement of the underlying class-action lawsuit on Facebook’s fourth-quarter earnings call. Counsel for Plaintiffs claimed in a press release that the settlement would be the largest cash settlement ever resolving a privacy related lawsuit.
Had the Supreme Court granted certiorari, the Court would have had an opportunity to clarify whether statutory violations are sufficient to confer Article III standing, resolving a circuit split that has arisen in the wake of Supreme Court’s 2016 decision in Spokeo v. Robins.
As we noted a year ago, the Illinois Supreme Court held in Rosenbach v. Six Flags Enter. Corp. that an individual “need not have sustained actual damage beyond violation of his or her rights under [BIPA] in order to bring an action under it.” In the decision below, the Ninth Circuit relied heavily on the Rosenbach decision in determining that Plaintiffs had standing. The Ninth Circuit noted that the Illinois Supreme Court in Rosenbach interpreted the intent of the General Assembly in enacting BIPA to protect individuals’ “biometric privacy” by (1) imposing safeguards to ensure that privacy rights in biometric identifiers and information are properly honored and protected before they can be compromised, and (2) to subject private entities who do not follow the statute’s requirements to substantial potential liability.
Consistent with the Illinois Supreme Court’s conclusion that standing under BIPA does not require injury outside of a violation of a statutory right, the Ninth Circuit concluded that BIPA was established to protect an individual’s “concrete interests” in privacy, and not just procedural rights. The Ninth Circuit similarly followed the Illinois Supreme Court’s reasoning that the procedural protections in BIPA are important because an individual’s right to maintain biometric privacy disappears when a private entity does not follow the statute, and thus plaintiffs had alleged a concrete injury-in-fact sufficient to confer Article III standing.
The Supreme Court’s denial of certiorari, combined with the settlement figure itself, portends some similarly large privacy settlements in the coming years. Given BIPA’s broad scope, as well as the law’s private right of action and statutory damages, companies should familiarize themselves with the statute and consider their risks.
For more information on BIPA, or to discuss risks under BIPA, contact Thompson Coburn’s Cybersecurity group.
Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about the California Consumer Privacy Act (CCPA). Jim Shreve is the chair of Thompson Coburn's Cybersecurity group. Libby Casale is an associate in Thompson Coburn’s Business Litigation group and holds CIPP/US certification.
The Supreme Court of Illinois does not recognize certifications of specialties in the practice of law, and the CIPP/US certificate is not a requirement to practice law in Illinois.