On January 21, 2020, the United States Supreme Court denied Facebook’s Petition for a Writ of Certiorari in Patel v. Facebook (19-706) – leaving intact an affirmed lower court ruling against Facebook. See Patel v. Facebook Inc., 290 F. Supp. 3d 948 (N.D. Cal. 2018), aff’d, Patel v. Facebook, Inc., 932 F. 3d 1264 (9th Cir. 2019), cert. denied, Patel v. Facebook, Inc., 589 U.S. __, (January 21, 2020). Consumer advocates pushed throughout in favor of plaintiffs.
Class counsel alleged in the complaint that Facebook’s “Tag Suggestions” program – a now-terminated program that scanned for and identified people in uploaded photographs for purposes of photo tagging, improperly collected and stored biometric data without prior notice or consent in violation of the Illinois Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. 14/1 et seq. Specifically, Section 15(b) of BIBA provides that biometric data may not be obtained without (1) written notice that biometric data is at issue, (2) written notice of why and for how long the data is being collected and stored, and (3) written consent from the subject.
Facebook sought dismissal arguing the lack of Article III standing necessary for all federal lawsuits – in essence, arguing that the mere technical violation of BIBA’s statutory notice and consent provisions did not actually cause any real harm to the plaintiffs. In rejecting that argument, the District Court, found that actual and concrete harm sufficiently existed to create Article III standing. Patel, supra, 290 F. Supp. 3d at 953 – 954 (“BIPA vested in Illinois residents the right to control their biometric information by requiring notice before collection and giving residents the power to say no by withholding consent. As the Illinois legislature found, these procedural protections are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers — identifiers that cannot be changed if compromised or misused. When an online service simply disregards the Illinois procedures, as Facebook is alleged to have done, the right of the individual to maintain her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.”).
Even though this suit may still be dismissed on other grounds given the only argument that actually percolated all the way up to the Supreme Court was the standing issue, this was definitely Facebook’s strongest defense so it now faces likely exposure in the billions. A class comprised of seven million potential members with statutory damages based only on a single uploaded picture per person could yield damages of between $7 billion for a negligence finding and $35 billion for an intentional or reckless finding. In addition, this remains only one of several BIPA class actions against Facebook currently litigated around the federal judiciary. Despite its $5 billion mea culpa with the FTC, Facebook’s privacy exposures are certainly nowhere near its rear view mirror.
The Supreme Court may eventually take on a new privacy standing case but it will likely be a specific Google case that gets the nod – a case where the Supreme Court previously ruled: “Because there remain substantial questions about whether any of the named plaintiffs has standing to sue in light of our decision in Spokeo, Inc. v. Robins, 578 U. S. ___ (2016), we vacate the judgment of the Ninth Circuit and remand for further proceedings.” And, if this Google “referrer headers” case does not get the nod, as states continue to push the boundaries of privacy rights, the Supreme Court will certainly revisit its Spokeo decision to determine whether the violation of some future privacy law merits federal standing – especially when only a “trifle of injury” is alleged. Ultimately, the question that may be answered by the Court is whether the mere alleged violation of a law addressing digital privacy rights sufficiently constitutes an Article III injury. See Patel, supra, 932 F. 3d at 1273.
