Nimesh Patel v. Facebook, Inc.
932 F.3d 1264
| 9th Cir. | 2019Background
- Facebook offered a "Tag Suggestions" feature that used facial-recognition technology to create and store biometric face templates from users' uploaded photos.
- Plaintiffs (Illinois residents) alleged Facebook created and retained their face templates without complying with the Illinois Biometric Information Privacy Act (BIPA), specifically §§ 15(a) (retention/destruction policy) and 15(b) (written notice and consent).
- Plaintiffs filed a consolidated class action in federal district court (California) seeking statutory damages under BIPA; the district court denied Facebook’s motion to dismiss for lack of Article III standing and certified a Rule 23(b)(3) class of Illinois users for whom Facebook created and stored face templates after June 7, 2011.
- Facebook appealed under Rule 23(f), arguing (1) plaintiffs lack concrete injury for Article III standing because BIPA violations are merely procedural, and (2) class certification was improper because Illinois’s extraterritoriality rule and individualized issues defeat predominance and superiority.
- The Ninth Circuit reviewed standing de novo and class certification for abuse of discretion, addressing whether BIPA violations constitute a concrete privacy injury and whether common issues predominate for an Illinois-located class.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing — concrete injury from BIPA violation | Patel: Creation/use/storage of face templates without BIPA consent invades substantive privacy and is a concrete injury | Facebook: Plaintiffs allege only statutory/procedural violations, not concrete harms | Held: BIPA protects concrete privacy interests; alleged violations (creating/using face templates without consent and retention failures) cause or risk concrete harm, so plaintiffs have standing |
| Whether facial-recognition conduct tracks traditional privacy harms | Plaintiffs: Biometric mapping is akin to classic privacy intrusions and historically actionable | Facebook: Technologies are novel; statutory procedural breach alone insufficient | Held: Court finds close relationship to traditional privacy torts and modern Fourth Amendment privacy concerns; biometric collection without consent is materially harmful |
| Predominance under Rule 23(b)(3) given Illinois extraterritoriality | Plaintiffs: Applicability of BIPA can be decided class-wide (e.g., violation occurs when user is in Illinois) | Facebook: Key events occurred on out-of-state servers; extraterritoriality will require individual mini-trials | Held: Predominance not defeated; threshold questions about where violation occurs can be resolved class-wide and decertification remains available if needed |
| Superiority of class action given potential large statutory damages | Plaintiffs: Class action is superior for efficient adjudication of many similar claims | Facebook: Massive aggregate liability counsels against class treatment | Held: Superiority upheld; nothing in BIPA shows legislature intended to limit aggregate statutory damages, so potential liability alone does not defeat class certification |
Key Cases Cited
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (framework for when statutory violations constitute concrete Article III injuries)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (standing requires concrete and particularized injury-in-fact)
- Van Patten v. Vertical Fitness Group, LLC, 847 F.3d 1037 (9th Cir. 2017) (statutory privacy violation — unsolicited communications — can be concrete injury)
- Bassett v. ABM Parking Servs., Inc., 883 F.3d 776 (9th Cir. 2018) (statutory procedural violation that did not risk the substantive harm targeted by statute failed to confer standing)
- Eichenberger v. ESPN, Inc., 876 F.3d 979 (9th Cir. 2017) (unauthorized disclosure of personally identifiable information implicates substantive privacy interest sufficient for standing)
- Carpenter v. United States, 138 S. Ct. 2206 (2018) (modern technologies can reveal detailed personal information and implicate privacy concerns)
- Kyllo v. United States, 533 U.S. 27 (2001) (technology-enhanced intrusions implicate privacy rights)
- Riley v. California, 573 U.S. 373 (2014) (cellphones store vast quantities of personal data; technology changes privacy analysis)
- In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018) (procedural posture and standing review principles)