Article III Standing in Biometric Privacy Suits

Arian Soroush | March 30, 2018
Image by The U.S. Army, CC-BY 2.0 License.

As the use of biometric technology has grown increasingly prevalent in our everyday lives, the legal issues surrounding its use have rapidly developed. Ranging from facial recognition technology employed by social media providers to fingerprint technology adopted by employers, biometric technology has important societal implications. While many find ease and benefit in its uses, others sense a justifiable wariness over its proliferation. Biometric technology consists of an individual’s private and unique biologic identifiers. Such information in the hands of large companies poses concerns regarding what those entities do with that private information and, more importantly, what might happen if that information ends up in the hands of nefarious third parties.

With these rising concerns, many individuals have brought suit against companies and employers for their use of biometric information. With its passage of the Biometric Information Privacy Act (BIPA), Illinois is the only state to have enacted a statute that allows a private right of action for biometric privacy violations. Many of these suits have transformed to class actions, often alleging defendants’ violations of BIPA’s procedural requirements of notice and consent. Defendants, as a strategy to dismiss these claims, try to remove cases to federal courts where Article III standing requirements pose a substantial hurdle to BIPA plaintiffs.

Article III’s injury-in-fact requirement for standing has long been a source of litigation in federal courts. To establish injury-in-fact, a plaintiff must show he suffered an actual, concrete harm to a legally protected interest. A defendant’s violation of a statutorily-created right, alone, does not necessarily constitute an actual, concrete injury to a plaintiff. While legislatures can create a legally cognizable interest through a statute and its procedural requirements, a plaintiff can only obtain Article III standing if that statute’s procedural requirements were designed to protect a concrete, private interest of the plaintiff. The question then becomes whether BIPA and its requirements aim to protect a concrete, legally recognized consumer interest and whether violations of BIPA’s various provisions amount to an actual, concrete harm that warrants Article III standing.

The Supreme Court’s 2016 opinion in Spokeo v. Robins provided valuable guidance for properly conducting a concrete harm analysis for alleged intangible harms, noting that bare procedural violations, without evidence of actual injury, do not warrant Article III standing. Yet, the Spokeo ruling left considerable uncertainty as to what types of alleged injuries are sufficient for standing when no actual damages are alleged. This uncertainty extends to biometric privacy claims, where plaintiffs generally invoke procedural violations and seek statutory remedies under Illinois’ Biometric Information Privacy Act, often without alleging any actual damages. There has not yet been significant literature on how these standing issues apply in biometric privacy suits, and case law development in the wake of Spokeo’s holding has been scant. Some federal courts have begun to address BIPA claims with Spokeo in mind, but with seemingly conflicting outcomes. Nonetheless, the jurisprudence of Spokeo, as well as important policy considerations, reconciles this conflict and suggests a rejection of standing for plaintiffs that bring biometric privacy suits alleging BIPA procedural violations, especially when the alleged BIPA violations did not actually result in an injury to the plaintiff(s).

BIPA does not appear to create a concrete legal interest, but rather resembles a regulatory statute that addresses a general, public interest in controlling the dissemination and storage of biometric data. Even if it did explicitly protect a concrete interest, violations of its procedural requirements likely will not evidence a concrete and actual harm. There are some exceptional circumstances, for example, if someone is tagged in an embarrassing photo without his consent that leads to his termination from work. However, more common allegations of procedural violations will not suffice. Unlike plaintiffs suing companies for data breaches where third parties likely obtained such data for nefarious purposes such as identity theft, BIPA plaintiffs alleging a company’s failure to comply with BIPA procedure can rarely show a significant risk of nefarious misuse of their biometric data.