Biometric data — from, e.g., retina, face and fingerprint scans — plays a big role in the current wave of new technology services. For example, biometrics provide security features for financial and healthcare products. And biometrics are behind some cool new in-game offerings in the interactive entertainment and social media space. But companies using or thinking of using biometric data have to comply with myriad privacy and data security laws and regulations, or face potential enforcement action and litigation. On January 30, 2017, the Southern District of New York dismissed one such litigation brought against video game publisher Take-Two Interactive Software, Inc. for alleged violation of the Illinois Biometric Information Privacy Act (“BIPA“). Here’s a summary.
Take-Two’s NBA 2K15 and NBA 2K16 games contained a “MyPlayer” feature allowing users to create custom in-game characters based on detailed 3D facial scans using a webcam or other peripheral device. BIPA safeguards the use of biometric data by private entities in connection with financial or commercial transactions, and regulates the collection, distribution and storage of biometric data, which includes unique personal identifiers such as retina scans, fingerprints, voiceprints, or scans of the hand or face. BIPA requires companies to disclose their procedures and data retention policies, and obtain customer consent before collecting or transferring the data. BIPA also sets the “standard of care” for data security measures, and provides that individuals “aggrieved” can sue to recover attorney’s fees and statutory damages of up to $5,000 per violation.
The plaintiffs’ suit, entitled Vigil, et al. v. Take-Two Interactive Software, Inc., (No.1:15-cv-08211), alleged that NBA 2K15 and NBA 2K16 violate BIPA. The plaintiffs brought a class action under BIPA, suing on behalf of Illinois residents who used the “MyPlayer” feature. The main issue in the case was whether the plaintiffs had pled an injury sufficient to confer legal “standing” — in other words, whether the plaintiffs had enough of a stake in the matter for a court to legally decide it. The trial court asked the plaintiffs to replead their alleged injuries in light of a new US Supreme Court case on standing: Spokeo, Inc. v. Robins. The plaintiffs’ amended complaint identified three potential harms: (1) that the plaintiffs would not have purchased the NBA 2K game if they had known about the alleged BIPA violations; (2) that Take-Two had misappropriated purportedly “valuable” biometric data; and (3) that Take-Two’s alleged “indefinite” storage of the data enhanced the risk of a data breach, which could result in the plaintiff’s data being compromised.
Motion to Dismiss
Take-Two moved to dismiss the amended complaint for lack of standing, arguing that none of the plaintiffs’ claimed damages qualified as a “concrete injury” required to establish standing under Spokeo. Take-Two characterized the plaintiffs’ theories as “buyer’s remorse,” arguing that the plaintiffs had not alleged that their biometric data had value, that Take-Two profited in any way from the use of the biometric data, or that there was any genuine risk of a data breach.
The District Court ruled in favor of Take-Two, dismissing the plaintiffs’ claims for lack of standing. The Court held that the core interest protected by BIPA is ensuring that a “private entity protects the individual’s biometric data, and does not use that data in a way not contemplated by the underlying transaction.” In essence, the plaintiffs’ claim failed because they could not show that their data was used in any way other than as advertised: to generate a “MyPlayer” character based on the user’s face scan. The Court rejected the “information injury” theory, noting that BIPA is not a statute in which the loss of information amounts to the loss of a substantive right, and denied that BIPA was intended to create a statutory right to privacy in biometric data. In the end, the Court dismissed the plaintiffs’ complaint with prejudice, writing that the plaintiffs “cannot aggregate multiple bare procedural violations to create standing where no injury-in-fact otherwise exists.”
Many in the tech industry will likely applaud this court’s reading of BIPA and willingness to dismiss the case at an early stage. But Vigil is just one of several BIPA cases pending against tech companies; Facebook and Google are each facing similar claims relating to the use of facial-recognition photo-tagging algorithms. Therefore, it remains to be seen whether these companies will succeed in stopping BIPA from becoming the basis for the next wave of mass-tort claims. The stakes here remain high: as biometric information increasingly becomes the way users unlock their mobile devices, authorize both digital and real-world purchases or access other technological features, the opportunities for similar lawsuits will only multiply. Tech companies must be prepared to vet their products and services against an ever-changing, uneven landscape of regulation.