Rivera v. Google, a recent federal court decision from the Northern District of Illinois, highlights how challenges to Article III standing are a versatile and useful tool for corporate defendants in privacy and cybersecurity litigation. At the same time, the litigation underscores the significant legal risk faced by entities that collect biometric information and the consequent need to proactively assess and mitigate that risk.
Overview of Biometric Privacy Litigation
In recent years, some legislatures have sought to codify the protection of biometric information that is collected by private companies. To that end, Illinois, Texas, and Washington each have statutes aimed at regulating the collection, use, and retention of biometric information, and New York City is currently considering a bill with similar impact.
Though each statute has had notable effect on businesses operating within these jurisdictions, the Illinois Biometric Information Privacy Act (“BIPA”) is generally regarded as the most stringent among the three state laws. In particular, BIPA regulates how an individual’s “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” or any information based on an individual’s biometric identifier used to identify an individual may be used, stored, and disposed of by private entities (defined broadly). The law requires that entities collecting or possessing biometric information or identifiers inform consumers of the content and purpose of the company’s data collection and maintain retention schedules and disposal guidelines, among other obligations and restrictions. Further, BIPA provides for a private right of action to persons “aggrieved by a violation” of the Act. BIPA actions are subject to statutory damages of $1,000 per violation or $5,000 if the violation is deemed intentional or reckless. Due to its scope and the possibility of statutory damages, BIPA has formed the basis of several high-stakes consumer class actions across the United States.
Rivera v. Google, Inc.
One such action is Rivera, where two individuals—one a Google Photos user, the other not—filed suit claiming that the face-recognition feature of Google Photos violated BIPA. No. 16-02714 (N.D. Ill. Dec. 29, 2018). They asserted that Google violated the Act by applying its face-recognition program to images of them without their knowledge or consent. They characterized their harm as an injury to their privacy interests, but conceded that they had not suffered financial, physical, or emotional harm apart from feeling offended by the allegedly unauthorized collection of their scans. Google argued that the court lacked subject matter jurisdiction over the case because plaintiffs lacked a concrete “injury in fact” sufficient for standing under Article III of the U.S. Constitution.
In analyzing Google’s argument, the Rivera court cited Spokeo v. Robins, 136 S. Ct. 1540 (2016), for the proposition that while intangible injuries may satisfy the concrete injury requirement of Article III, a “bare procedural violation” of a statute is not sufficient to establish standing. The court then examined the ways in which plaintiffs claimed they were harmed—first, by collection of the information, and second, by retention of that information—and ultimately determined that neither alleged sufficient harm.
In regard to retention, the court applied Gubala v. Time Warner Cable, Inc., 846 F.3d 909 (7th Cir. 2016), and found that because only Google and the private users had access to the scans, and there had been no unauthorized access to the data, Google’s allegedly improper retention of the data did not cause plaintiffs a concrete harm.
Regarding the manner of collection, the court deemed the Article III analysis a “much closer question.” It noted a dearth of comparable precedent on the question of whether the alleged collection of facial scans without consent satisfies Article III. The court thus proceeded to evaluate factors set forth in Spokeo relevant to whether an intangible injury gives rise to Article III standing—namely, (1) whether legislative judgments supported plaintiffs’ claimed injury and (2) whether the claimed injury bears a close relationship to injuries that have traditionally been regarded as providing a basis for a lawsuit in U.S. and English courts. As to the first factor, the court observed that the only specific injury-related concern described by the Illinois legislature when enacting BIPA was the risk of identity theft, yet plaintiffs presented no evidence that Google’s alleged collection of facial scans created a substantial risk of identity theft. As to the second factor, plaintiffs identified no common law torts that bore a close relationship to the collection of facial scans without consent. Consequently, the Rivera court determined that Google was entitled to summary judgment because plaintiffs simply could not establish standing under Article III. In so holding, the court departed from the conclusion of an analogous case, Patel v. Facebook, Inc., 290 F. Supp. 3d 948 (N.D. Cal. 2018), which upheld the Article III standing of consumers who alleged that Facebook applied facial-recognition software to create facial templates without consent. The Patel litigation is now pending in the Ninth Circuit.
The Rivera decision has several important takeaways for companies that collect or use personally identifiable information.
- Article III remains a powerful tool for defendants in privacy and cybersecurity litigation, though courts have divided over whether and when plaintiffs have standing in these cases. In part, the division is due to disparate applications of the Supreme Court’s Spokeo decision. The Supreme Court may clarify the Spokeo standard this spring in separate litigation against Google pending before the Court, In re Google Referrer Header Privacy Litig., 869 F.3d 737 (9th Cir. 2017), cert. granted sub nom. Frank v. Gaos, No. 17-961 (U.S. Apr. 30, 2018).
- Article III challenges may be raised at any time. Because such challenges relate to the court’s subject matter jurisdiction, they are never waived. As such, parties are always free to raise Article III objections, regardless of the stage of litigation. 13B Charles Alan Wright, Arthur R. Miller & Edward H. Cooper, Federal Practice and Procedure §3531.15 (3d ed. 2008). Indeed, Google did not raise Article III at the motion to dismiss stage in the Rivera litigation and then successfully argued the issue at summary judgment.
- Keep in mind, however, that Article III is not the only injury-related argument that defendants can raise in privacy and cybersecurity litigation. Rather, there are two separate and independent ways to attack plaintiffs’ injury allegations. One is to challenge Article III standing in federal court (or the state court equivalent, if in state court), which is what the Rivera court addressed. The other is to argue the plaintiffs fail to plead or prove the injury or damages required by the cause of action or statute in question. BIPA, for instance, permits private actions only by someone who has been “aggrieved by a violation” of the statute. The question of what, if any, injury a plaintiff must plead and prove (separate and apart from being the subject of a violation of the statute) to establish that he or she is “aggrieved” is currently pending before the Illinois Supreme Court in Rosenbach v. Six Flags, No. 123186.
- Despite the usefulness of injury-related and other challenges in BIPA litigation, companies collecting or using biometric data continue to face significant risk. As a district court opinion, of course, Rivera is not binding precedent. Moreover, the Rivera court enumerated several litigation risks in the BIPA context by specifically carving them out from the scope of its holding. For example, the court left open the questions of whether and when a BIPA plaintiff might establish Article III standing in a context where the company “monetizes” biometric data, uses APIs to share that data, or suffers a breach that permits third parties unauthorized access to the data. The court also left open the question of standing in situations where the biometric data collected is something other than facial scans. And even when a company successfully wins dismissal of litigation, that dismissal cannot undo the costs and burdens of having been sued. Companies with potential exposure to BIPA or other biometric statues should work with experienced counsel to evaluate and, as appropriate, mitigate the risks of enforcement.
 According to the court, the face-recognition technology works as follows: When a user uploads a photo, Google detects images of faces in that photo, scans them, and creates face templates for what it observes. It then compares the new images with other faces that are already in the user’s private account, and groups together the faces that are similar. Although the user who uploaded the photo can see and assign a label to these face groupings, the templates and subsequent information added by the user are only available to that user and Google. Of note, however, the face-recognition feature is automatically defaulted to “on,” such that all Google Photos users’ photos are always analyzed this way, unless they opt out.
 Rivera, who was not a user of Google Photos, alleged that eleven photos of her were taken by someone using a Google Droid device, uploaded to Google Photos, and then scanned by Google to “locate [ ] her face and zero [ ] in on its unique contours to create a ‘template’ that maps and records her distinct facial measurements.” Weiss, the other plaintiff, alleged that he used a Droid device, and twenty-one photos he took of himself were automatically uploaded to and scanned on Google Photos. Notably, Google did not concede that the scans were taken without consent.
 The Rivera court limited its holding by distinguishing between faces, which are not inherently private given that “most people expose their faces to the general public every day,” and biometric data like fingerprints and retina, that are not publicly visible.