Second Circuit: Threat of Future Harm From Statutory Procedural Violation Is Insufficient to Support Article III Standing
The Second Circuit recently issued a decision with important implications for companies dealing in or handling biometric data. In Santana v. Take–Two Interactive Software, Inc., No. 17-303, 2017 WL 5592589 (2d Cir. Nov. 21, 2017) (“Santana”), the Second Circuit Court of Appeals affirmed the district court’s dismissal of plaintiffs’ claims that defendant, Take–Two Interactive Software, Inc., a video game developer, had violated the Illinois Biometric Information Privacy Act (“BIPA”).
In Santana, plaintiffs were putative class action representatives of purchasers of Take–Two’s video games, including NBA 2K15. NBA 2K15 is a basketball simulation video game that allows gamers to play as, and against, virtual basketball players, many of whom are designed based upon real professional players from the NBA. A gamer can play NBA 2K15 in multiplayer mode with other gamers over the Internet. Santana, at *1. NBA 2K15 includes the “MyPlayer” feature, which allows a gamer to create a “personalized basketball avatar” based upon a three-dimensional rendition of the gamer’s face. To create the avatar, NBA 2K15 use cameras connected to the gaming platform to scan the gamer’s face and head. The scanning is a lengthy and involved process that takes about 15 minutes, during which time the gamer must place his/her face within 6 to 12 inches from the camera and turn it from side-to-side at regular intervals. Vigil v. Take Two Interactive Software, Inc., 35 F. Supp. 3d 499, 505 (S.D.N.Y. 2017).
If a gamer wishes to use the MyPlayer feature, the gamer must first agree to the following terms and conditions: “Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay. By proceeding you agree and consent to such uses and other uses pursuant to the End User License Agreement.” Id. at 505.
In their second amended complaint (“complaint”), plaintiffs alleged that Take–Two had violated (“BIPA”), which regulates the collection, storage, and dissemination of “biometric identifiers.” Santana, at *1. The BIPA prohibits an entity from collecting, capturing, purchasing, or storing a person’s “biometric identifier” or “biometric information,” unless it first:
- Informs the subject in writing that a biometric identifier is being collected;
- Informs the subject in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
- Receives a written release executed by the subject.
See 740 ILCS 14/15. The BIPA defines a “biometric identifier” as “a retina or iris scan, fingerprint, videoprint, or scan of hand or face geometry,” and defines “biometric information” as “information based on biometric identifiers.” Santana, at *1 (citing 740 ILCS 14/10). Plaintiffs alleged that Take–Two, through the My Player feature: “(i) Collected their biometric data without their informed consent; (ii) Disseminated their biometric data to others during game play without their informed consent; (iii) Failed to inform them in writing of the specific purpose and length of term for which their biometric data would be stored; (iv) Failed to make publicly available a retention schedule and guidelines for permanently destroying plaintiffs’ biometric data; and (v) Failed to store, transmit, or protect from disclosure plaintiffs’ biometric data by using a reasonable standard of care or in a manner that is at least as protective as the manner in which it stores, transmits, and protects other confidential and sensitive information.” Santana, at *1.
The defendant moved to dismiss the complaint in the district court on two grounds. First, Take–Two argued that the plaintiffs did not have Article III standing to pursue their claims under the US Constitution. Second, Take–Two contended that the plaintiffs failed to state a cause of action under the BIPA. Vigil, 35 F. Supp. 3d at 507. In opposition, plaintiffs argued that Take–Two’s procedural violations of the BIPA were sufficient to confer Article III standing; and, even if they were not, plaintiffs said that they suffered an increased risk of future harm based on Take Two’s improper retention of their face scans. Vigil, 35 F. Supp. 3d at 507. The district court agreed with the defendant and dismissed the complaint with prejudice.
In analyzing the defendant’s motion to dismiss, the district court first focused on whether plaintiffs had Article III standing, based on the defendant’s purported procedural violations of the BIPA. Article III of the US Constitution limits the jurisdiction of federal courts to “Cases” and “Controversies.” Lujan v. Defenders of Wildlife, 504 U.S. 555, 559 (1992). To satisfy the requirements of Article III standing, a plaintiff must show that: (i) he/she has suffered an actual or imminent injury in fact, which is concrete and particularized; (ii) there is a causal connection between the injury and defendant's actions; and (iii) it is likely that a favorable decision in the case will redress the injury. Id. at 560–61. In a putative class action, a court must analyze the injuries allegedly suffered by the named plaintiffs, not unnamed members of the potential class, to determine whether the plaintiffs have Article III standing. Warth v. Seldin, 422 U.S. 490, 502 (1975). A legally protected interest may exist solely by virtue of “statutes creating legal rights, the invasion of which creates standing.” Id. at 500. But where standing is based on alleged procedural violations of a statute, the plaintiff must first show that the statute in question confers “the procedural right to protect a plaintiff’s concrete interests as to the harm in question, and, second, that ‘the procedural violation presents a risk of real harm to that concrete interest.’” Katz v. Donna Karen Co., L.L.C., 872, F.3d 114, 119 (2d Cir. 2017) (internal citation omitted).
Here, the district court found that plaintiffs lacked standing based on Take–Two’s alleged procedural violations because there was no risk that the violations presented a real risk of harm. The district court held that “there is no plausible allegation that there is a material risk that the plaintiffs’ biometrics may be used in a way not contemplated by the underlying use of the MyPlayer feature. The plaintiffs allege that they agreed to the MyPlayer terms and conditions, that NBA 2K15 scanned their faces to create personalized basketball avatars, and that the plaintiffs used their personalized basketball avatars for in-game play. The plaintiffs thus allege that the MyPlayer feature functioned exactly as anticipated.” Vigil, 35 F. Supp. 3d at 507. The district court held that because plaintiffs’ allegations of harm were “at best, marginal,” they lacked standing to pursue their claims for the alleged bare procedural violations under the BIPA.
The district court also examined whether plaintiffs’ allegations of an increased risk of future injury in connection with Take–Two’s alleged BIPA violations were sufficient to confer standing. Specifically, plaintiffs claimed that Take–Two failed to properly store their face scans and that, as a result, there was an “enhanced” risk that those scans could fall into the “wrong hands.” Vigil, 35 F. Supp. 3d at 512. Plaintiffs also claimed that, because of Take–Two’s failure to properly store their biometric information, they were less likely to engage in biometric transactions in the future. Id. at 514-15.
“An allegation of future injury may suffice if the threatened injury is ‘certainly impending,’ or there is a ‘substantial risk’ that the harm will occur.” Susan B. Anthony List v. Driehaus, ____U.S.____, 134 S.Ct. 2334, 2341 (2014) (quoting Clapper v. Amnesty Int'l USA, 568 U.S. 398 (2013)). The Supreme Court recently clarified in Spokeo, Inc. v. Robins, 568 U.S. 398 (2016), that “[f]or an injury to be ‘particularized,’ it ‘must affect the plaintiff in a personal and individual way,’” id. at 1548 (quoting Lujan, 504 U.S. at 560 n.l), while for an injury to be “concrete,” it must be “real, and not abstract,” id. at 1548 (internal quotation marks omitted). The determination of whether a violation of a statute constitutes a concrete injury-in-fact is aided by reference to congressional intent and the common law. Id. But a “bare procedural violation” under a federal statute, “divorced from any concrete harm,” that “may result in no harm,” would not “satisfy the injury-in-fact requirement.” Id.
Applying Spokeo and Clapper, the district court held that plaintiffs’ allegations of an enhanced risk of their face scans being compromised based on Take–Two’s failure to properly store them in accordance with the BIPA was too speculative to confer standing. Vigil, 35 F. Supp. 3d at 512. Plaintiffs did not allege that their face scans had been obtained by a third-party, subjected to identity theft, or misused in any way. Id.
Plaintiffs appealed the district court’s dismissal. The Second Circuit affirmed the dismissal, without prejudice.
In affirming, the Second Circuit agreed with the district court in almost all respects. With respect to Take–Two’s alleged procedural violations of the BIPA, the Second Circuit noted that Take – Two’s written disclaimer that a face scan would occur largely satisfied the BIPA’s notification requirements. Santana, at *3. Moreover, the Second Circuit held that Take–Two’s alleged violations of the BIPA did not pose a material risk of harm to plaintiffs. Id. Specifically, it held that, “although Take–Two did not notify the plaintiffs of its [data retention schedule], plaintiffs do not allege that Take–Two lacks such protocols, that its policies are inadequate, or that Take–Two is unlikely to abide by its internal procedures. There is accordingly no material risk that Take–Two’s procedural violations have resulted in plaintiffs’ biometric data being used or disclosed without their consent.” Id.
The Second Circuit also agreed that plaintiffs’ allegations of an enhanced risk of future harm were far too speculative to support a claim of Article III standing. It held that none of plaintiffs’ allegations established a material risk that their biometric data would be improperly accessed by third parties. Id., at *4. It also agreed that the plaintiffs could not “manufacture an injury” based upon their purported apprehension of using biometrics to authorize transactions in the future as a result of Take- Two’s BIPA violations. It held that, “Plaintiffs’ fear, without more, is insufficient to confer an Article III injury-in-fact.” Id., at *4.
Although Take-Two prevailed in Santana, it, and other companies that collect and maintain biometric information of their customers, should create and follow policies and procedures that comply with statutes like the BIPA. Santana leaves open the possibility that the proliferation of biometric identifiers and their adoption may also increase the risk posed to consumers by procedural violations of statutes like the BIPA. The failure to implement a retention policy for biometric information also increases such a risk, which increases the likelihood that courts will find the failure to properly handle that information will support Article III standing. Similarly, an increase in the value of consumers’ biometric information may increase the likelihood that it will become a target for hackers who are eager to exploit such information. Entities that acquire and maintain consumer biometric information would be wise to implement procedures that comply with the BIPA, and statutes like it, to protect such information and reduce their exposure to liability and litigation.
Arent Fox's Complex Litigation and Insurance & Reinsurance groups will continue to monitor issues in this area. If you have any questions, please contact James Westerlind, Andrew Dykens, or the Arent Fox professional who usually handles your matters.