In a recent ten-page order, a federal judge of the United States District Court for the Northern District of California declined to dismiss a lawsuit against Facebook alleging that Facebook's "Tag Suggestions" feature violates the Illinois Biometric Information Privacy Act (BIPA). The ruling means that the case, Patel v. Facebook, Inc., Civil Action No. 3:15-cv-03747-JD, will proceed, but the long-term impact of the ruling is less clear.

The Tag Suggestions feature will be familiar to most Facebook users: when a photo is uploaded, the uploader and certain other users have the option of "tagging" people in the photo—labelling them so that the subjects get a notification of the photo and other viewers can see who they are. Tag Suggestions makes this process a little easier; hover your cursor over the subject's face, and if Facebook recognizes them, it will show you the person's name and ask if you want to tag them.

Tag Suggestions uses facial recognition to make this work; in short, Facebook analyzes the photos and videos in which a user has already been tagged to create a template of that user's face. Tag Suggestions recognizes that an object in a photo is a face and compares it to the database of face templates to figure out who the face belongs to.

As we have discussed in this space before, BIPA places certain restrictions on the collection, retention, disclosure and destruction of biometric data. Facial recognition technology as applied to photos is one area that has been subject to several lawsuits under BIPA, against Facebook and others. (BIPA also may be responsible for depriving selfie-taking Illinoisans and Texans of the ability to find their artistic doppelgangers.)

Three Illinois men each separately sued Facebook over the Tag Suggestions feature in 2015, alleging that Facebook was collecting their biometric data in violation of BIPA. Those lawsuits ended up consolidated in federal court in California, where Facebook sought to have the action dismissed for lack of standing.

The question of standing to sue in the privacy context is one that federal courts address with some regularity, not only because of evolving technology but because of a recent Supreme Court decision addressing the issue. In that case, Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), Mr. Robins sued Spokeo, a "people search engine," for posting inaccurate information about him. Search for Mr. Robins on Spokeo, and the website reported back that he was an affluent family man in his 50s with a graduate degree. None of this information was true, and Mr. Robins sued Spokeo under the Fair Credit Reporting Act (FCRA), alleging that under that law, Spokeo was obligated to ensure that the information it posted about him was as accurate as possible.

The question for the Supreme Court was whether Mr. Robins had actually been harmed by Spokeo's posting of inaccurate information, such that he had standing to sue them in federal court. The Supreme Court didn't answer that question directly, but remanded the case and instructed the Ninth Circuit to consider whether Mr. Robins had actually suffered a "concrete" harm. "A violation of one of FCRA's procedural requirements may result in no harm," wrote Justice Alito for the Court. "An example that comes readily to mind is an incorrect zip code. It is difficult to imagine how the dissemination of an incorrect zip code, without more, could work any concrete harm."

This brings us back to the district court's ruling in the Tag Suggestions case. Facebook had argued that any violation of BIPA was merely procedural, and that the plaintiffs had suffered no concrete harm. But the district court reasoned that in passing BIPA, the Illinois legislature had created a substantive right to information privacy, which could be violated by an entity's failure to follow BIPA's procedures even absent any additional harm. Hence, the three plaintiffs here had at least sufficiently alleged a violation of their information privacy rights.

The district court's holding may, however, be in conflict with a recent holding of the appellate court above it. Just a few days before the district court's ruling, the Ninth Circuit issued a ruling in Bassett v. ABM Parking Services, Inc., No. 16-35933. In Bassett, a company printed a customer's credit card expiration date on a receipt, an action which violates a provision of the Fair and Accurate Credit Transactions Act (FACTA). But the Ninth Circuit found that the printing of "an overly revealing credit card receipt—unseen by others and unused by identity thieves" was a mere procedural violation that did not confer standing. In so doing, the Ninth Circuit declined to adopt the plaintiff's argument that Congress had created a substantive privacy right implicated through a violation of FACTA's procedures without any additional harm.

For the time being, then, the litigants in Patel v. Facebook may proceed without allegations of further actual harm, and other similarly situated plaintiffs have a favorable district court decision to cite. But summary judgment motions are scheduled for May 3, and a jury trial set for July 9. And looming over the case is the Ninth Circuit, which has signaled its unwillingness to follow the underlying logic of Patel v. Facebook—that statutorily-prescribed procedures alone may create substantive rights. The journey from the district court in San Francisco to Ninth Circuit is just a ten minute walk; whether the district court's holding ultimately survives that journey will bear watching.

To view Foley Hoag's Security, Privacy and The Law Blog please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.