Patel v. Facebook: Facebook Settles Illinois Biometric Information Privacy Act (“BIPA”) Violation Suit

Patel, et al. v. Facebook, Inc., No. 3:15-cv-03747-JD (N.D. Cal. Aug. 8, 2019), hosted by the Electronic Privacy Information Center (EPIC).

Facebook announced that it will pay $550 million to settle Patel v. Facebook, a class-action suit alleging that Facebook’s facial recognition technology violates the Illinois Biometric Information Privacy Act (“BIPA”), 740 Ill. Comp. Stat. 14/5(e). This record-breaking payout far exceeds even the $380.5 million Equifax paid to settle its 2017 consumer data breach. The lawsuit began in 2015, when the plaintiffs claimed Facebook’s “Tag Suggestion” feature harvested and stored users’ facial data from photos without asking for consent or providing notice.

BIPA is among the most comprehensive state biometric privacy laws. It requires written consent before collecting someone’s fingerprints, retina or iris scan, voiceprint, or scan of hand or face geometry. The statute allows any Illinois resident to collect $5,000 per violation in damages from each offending organization. Biometric data is particularly sensitive information because it is unique to every individual. Passwords and social security numbers, for example, can be changed in the event of breach, but a face cannot.

Under BIPA, individuals can sue anyone violating their privacy rights even absent a financial injury resulting from the violation. There is currently a circuit split on whether a plaintiff needs to suffer a tangible injury to obtain Article III standing to bring the case in federal court.

In the Second Circuit, among others, alleged injuries must be financial or otherwise tangible in order to satisfy Article III. However, in the Ninth Circuit, among others, an intangible injury may be sufficient for Article III standing, and a mere statutory violation constitutes sufficient injury if the statute is meant to protect the plaintiff’s interests and the alleged violations present a material risk of harm to those interests. The Ninth Circuit’s interpretation controversially empowers many more individuals to bring suit against privacy violators. It can be difficult for individuals to demonstrate tangible injury resulting from privacy violations because victims rarely experience financial injury.

Facebook had filed a petition for writ of certiorari with the United States Supreme Court claiming the plaintiffs experienced no tangible injury. The Court denied the petition, refusing to decide on the circuit split. For the moment the circuit split stands.

Patel v. Facebook tests the effectiveness of the Ninth Circuit’s broad interpretation of “injury.” Because the case was settled before judgment, we do not know how courts would count alleged violations. But with BIPA’s mandate of payment of up to $5,000 per privacy violation and Facebook’s massive user base, a judgment potentially could have ended in the billions of dollars. By giving more consumers standing to sue violators, the Ninth Circuit’s standing interpretation could be more effective in incentivizing companies to comply with privacy laws than the Second Circuit’s. While a $550 million payout is relatively insignificant for the social media behemoth (revenue still rose 25% in its fourth quarter, more than making up for the loss), the risk that state privacy statutes like BIPA pose to tech firms like Facebook is certainly significant. And with California’s Consumer Privacy Act now in effect, the Ninth Circuit’s Article III jurisprudence will likely stay in the limelight.