In re Facebook Biometric Information Privacy Litigation
3:15-cv-03747
N.D. Cal.Aug 14, 2019Background
- Facebook operated Tag Suggestions, which used facial-recognition technology to create and store "face templates" (biometric identifiers) from users' photos and stored them on servers including locations outside Illinois.
- Illinois residents Pezen, Licata, and Patel filed a class action alleging Facebook violated the Illinois Biometric Information Privacy Act (BIPA) by collecting, using, and retaining face scans without written consent and without a compliant retention/destroy policy.
- BIPA requires private entities to (a) have a public written retention/destruction policy and (b) obtain written notice and release before collecting biometric identifiers; it also provides statutory damages and a private right of action.
- District court denied Facebook’s motion to dismiss for lack of Article III standing and certified a Rule 23(b)(3) class of Illinois Facebook users for whom Facebook created and stored a face template after June 7, 2011.
- Facebook appealed class certification under Rule 23(f), arguing plaintiffs lacked concrete injury for Article III standing and that class treatment fails predominance and superiority (including an extraterritoriality concern).
- The Ninth Circuit affirmed: plaintiffs sufficiently alleged a concrete privacy injury from BIPA violations and the district court did not abuse its discretion in certifying the class.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing — concrete injury | BIPA violations (collection/use/storage of face templates without consent or retention policy) invade substantive biometric privacy and thus cause concrete injury | Alleged violations are bare procedural statutory noncompliance that do not produce a concrete injury-in-fact under Spokeo | Held: Plaintiffs allege concrete, particularized intangible injuries tied to long-recognized privacy interests; standing satisfied |
| Whether BIPA protects a substantive interest or only procedural rights | BIPA protects biometric privacy substantively; its procedural requirements are means to protect that interest | Facebook: procedural requirements alone don’t create Article III injury | Held: BIPA’s requirements safeguard a concrete privacy interest; violation risks or effects the substantive harm BIPA targets |
| Class certification — predominance given Illinois extraterritoriality doctrine | Common questions (e.g., whether BIPA was violated when plaintiffs used Facebook in Illinois) can be decided class-wide | Facebook: key events (scanning, template creation/storage) occurred on servers outside Illinois, requiring individual inquiries and defeating predominance | Held: Threshold extraterritorial questions can be resolved class-wide; predominance not defeated and class may be decertified later if needed |
| Class certification — superiority and potential aggregate statutory damages | Class action is superior given many small individual claims and no contrary legislative intent limiting aggregate damages | Facebook: massive class-wide statutory damages make class action inappropriate | Held: Superiority satisfied; potential large liability does not defeat certification absent legislative intent to limit damages |
Key Cases Cited
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (framework for assessing whether statutory violations confer concrete Article III injuries)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (standing elements and burden on plaintiff to plead injury-in-fact)
- Van Patten v. Vertical Fitness Group, LLC, 847 F.3d 1037 (9th Cir. 2017) (statutory privacy violation under TCPA can constitute concrete injury)
- Bassett v. ABM Parking Servs., Inc., 883 F.3d 776 (9th Cir. 2018) (statutory procedural violation that did not risk the substantive harm the statute guarded was insufficient for standing)
- Carpenter v. United States, 138 S. Ct. 2206 (2018) (modern technology can create powerful privacy intrusions and reveal detailed personal information)
- Eichenberger v. ESPN, Inc., 876 F.3d 979 (9th Cir. 2017) (violation of Video Privacy Protection Act constituted injury to substantive privacy interest)
- Kyllo v. United States, 533 U.S. 27 (2001) (technology-enhanced surveillance implicates privacy interests)
- Riley v. California, 573 U.S. 373 (2014) (cell phones store vast quantities of personal information implicating privacy concerns)
- In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018) (de novo review of Article III standing at pleading stage)