For the second time in the past six months, a district court has dismissed a lawsuit alleging procedural and technical violations of the Illinois biometric privacy statute for lack of Article III standing. In Vigil v. Take-Two Interactive Software, Inc., No. 15-8211 (S.D.N.Y. Jan. 27, 2017), the court dismissed Illinois biometric privacy claims against a videogame maker related to a feature in the NBA 2K videogame series that allows users to scan their faces and create a personalized virtual avatar for in-game play. In a lengthy opinion, the New York court provided Take-Two with a resounding victory when it ruled that procedural violations of the notice and consent provisions of the Illinois biometric privacy statute are not in-of-themselves sufficient to confer standing.
Biometric technology such as facial recognition, iris scans, or fingerprint authentication is being used and further developed to improve the security of financial and other sensitive transactions. At the same time, social media sites, mobile apps, videogame developers and others are employing biometrics for other cutting edge uses to improve services. The current Vigil ruling is particularly important, however, as it may buoy companies that collect biometric data under reasonable notice and usage policies, as they hope that the approval applied in Vigil is affirmed, if appealed, and followed in other jurisdictions.
The case at hand concerned the MyPlayer feature in the NBA 2K15 and NBA 2K16 videogames, which allows users to scan their own faces to create personalized virtual basketball avatars for in-game play (including allowing multiplayer games, if the gamer so chooses). To create the avatars, the game platform’s cameras scan the user’s face and head from various angles and then convert this data into a virtual player that resembles the user.
If a user wants to use the MyPlayer function, he or she must agree to the following terms:
Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay. By proceeding you agree and consent to such uses and other uses pursuant to the End User License Agreement. www.take2games.com/eula
The plaintiffs made no allegations that their faceprints were disseminated or used for any other purpose outside of the game (for which they gave consent). Rather, they contend that Take-Two failed to comply with various provisions of the Illinois Biometric Information Privacy Act, 740 Ill. Comp. Stat. 14/1 (“BIPA”). Specifically, the plaintiffs claimed, among other things, that Take-Two failed to provide adequate written notice about the game maker’s data retention policies with respect to the collection and use of the gamer’s faceprints and failed to use adequate security when transmitting faceprints.
Generally speaking, under BIPA an entity cannot collect, capture, purchase, or otherwise obtain a person’s “biometric identifier” or “biometric information,” unless it first:
-
(1) informs the subject in writing that a biometric identifier is being collected;
-
(2) informs the subject in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
-
(3) receives a written release executed by the subject.
Notably, BIPA provides for a private right of action, and potential awards of $1,000 in statutory damages for each negligent violation ($5,000 for each intentional or reckless violation), as well as injunctive relief and attorney’s fees. The statute contains defined terms and limitations, and parties in other suits are currently litigating the meaning of biometric identifiers” and “biometric information” under the statute and whether the collection of facial templates from uploaded photographs using sophisticated facial recognition technology fits within the ambit of the statute.
In light of the Supreme Court’s Spokeo ruling in May 2016, the defendant moved to dismiss the action, contending that the plaintiffs did not have Article III standing based upon a lack of a concrete and particularized injury. The court granted the motion.
BIPA’s Storage and Dissemination Claims
Generally speaking, BIPA requires private entities to “store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity’s industry,” and to treat such identifiers and information as they would other sensitive and confidential information. See 740 Ill. Comp. Stat. 14/15(e). In examining the plaintiff’s claims, the court noted that there were no allegations that Take-Two disseminated or sold the plaintiff’s biometric data to third-parties or used the data in a manner unrelated to in-game play – in fact, the MyPlayer function operated exactly as anticipated, allowing a gamer to create personalized basketball avatars for in-game play. As such, the court ruled that the purported violations of BIPA were “at best, marginal,” and that the plaintiffs lacked standing to pursue claims for alleged bare procedural violations of the BIPA that did not rise to a material risk of harm that BIPA was designed to prevent. The court rejected the plaintiffs’ claim that Take-Two’s storage and transmission practices subjected their facial scans to an “enhanced risk of harm” of hacking or misuse, finding such claims too “speculative” and “abstract.” Even though the court recognized that biometric data is immutable and the risk associated with unlawful acquisition of facial scan data could be great, it found the plaintiff’s statutory claims lacking: “[T]he hypothetical magnitude of a highly speculative and abstract injury that is not certainly impending does not make the injury any less speculative and abstract.”
BIPA’s Notice and Consent Claims
The plaintiffs alleged that the notice and consent they received before creating a personalized avatar was insufficient because the MyPlayer feature terms and conditions did not specifically disclose the purpose of the scanning, or publish a biometric data retention schedule; the plaintiffs also claimed that their consent to use the MyPlayer feature was not embodied in a writing.
In rejecting that the plaintiff’s argument that the defendant harmed plaintiffs’ “right to information” about the game maker’s use of their facial scans, the court reasoned that BIPA’s disclosure and consent requirements were plainly designed to allow parties to set the contours for the permissible uses of the biometrics collected in the underlying transaction, which was what occurred in this case:
“The alleged failure to give the plaintiffs more extensive notice and consent is not a material risk to a concrete BIPA interest where no material risk of biometric data misuse ever materialized.”
“Unlike statutes where the provision of information about statutory rights, or matters of public concern, is an end itself, the BIPA’s notice and consent provisions do not create a separate interest in the right-to-information, but instead operate in support of the data protection goal of the statute.”
“Even without fully compliant notice and consent, no concrete BIPA interest can be harmed so long as the private entity only uses the biometrics collected as both parties intended.”
Ultimately, the court found the plaintiffs lacked standing because they failed to establish a material risk to the concrete interest protected by BIPA, namely, biometric data protection. In fact, the court stated that the difference between the actual notice and consent in this case, and that purportedly required by the BIPA, did not rise to more a bare procedural violation, insufficient for standing under Spokeo.
We will continue to monitor developments in biometric privacy and technology, including the ongoing Facebook litigation proceeding in California and any future legislative efforts to amend the Illinois statute.