“Biometric Identifiers Must Identify”: The Ninth Circuit Clarifies the Scope of BIPA
The U.S. Court of Appeals for the Ninth Circuit issued an opinion in Zellmer v. Meta Platforms, Inc., on June 17, 2024, affirming dismissal of a putative class action filed under the Illinois Biometric Information Privacy Act, 740 ILCS 14 et seq. (BIPA).
In what is expected to be an influential opinion, the panel held that the "face signatures" at issue were not covered by the statute because they could not be used to identify a person. In doing so, the panel provided further clarity on the types of data regulated by BIPA. This Update summarizes the case background and the Ninth Circuit's decision and predicts how Zellmer might influence future BIPA cases.
The District Court Dismissed Zellmer's BIPA Claims on Behalf of Nonusers
Zellmer was a follow-on to In re Facebook Biometric Information Privacy Litig., No. 15-cv-03747-JD (N.D. Cal. 2020), a landmark class action alleging that Facebook used facial recognition technology to collect and store data covered by BIPA—"biometric identifiers" and "biometric information"—through its "Tag Suggestions" feature. While In re Facebook was filed by users of the platform, Zellmer was filed by a nonuser who claimed that Facebook had collected his biometric identifiers and biometric information from photos of him that users had uploaded to the platform. Zellmer asserted claims for violation of BIPA Sections 14/15(a) (which requires private entities to publish a retention schedule and guidelines for permanently destroying biometric data covered by the statute) and 14/15(b) (which requires private entities to obtain informed consent before collecting such data) and sought to certify a class of nonusers in Illinois.
On summary judgment, the district court dismissed Zellmer's Section 15(b) claim, reasoning that "it would be patently unreasonable to construe BIPA to mean that Facebook was required to provide notice to, and obtain consent from, nonusers who were for all practical purposes total strangers to Facebook, and with whom Facebook had no relationship whatsoever." Zellmer v. Facebook, Inc., No. 3:18-CV-01880-JD, 2022 WL 976981, at *3 (N.D. Cal. Mar. 31, 2022), aff'd sub nom. Zellmer v. Meta Platforms, Inc., – F.4th –, 2024 WL 3016946 (9th Cir. June 17, 2024). The court later dismissed the Section 15(a) claim for lack of standing, ruling that Zellmer had failed to plausibly allege that he had suffered a particularized concrete injury traceable to Facebook's alleged failure to develop a destruction policy.
The Ninth Circuit Affirmed on Alternate Grounds: Biometric Data Covered by BIPA Must Be "Capable of Identifying" a Person
The Ninth Circuit affirmed on appeal for reasons different from those stated in the district court's ruling. Judges Ryan D. Nelson, Danielle J. Forrest, and Gabriel P. Sanchez held that because the alleged biometric data at issue—"face signatures"—were not capable of identifying a person, they were neither "biometric identifiers" nor "biometric information" under BIPA, so the statute did not apply. In reaching their decision, the Ninth Circuit relied on a declaration from a product manager at Facebook, who explained that a "face signature" cannot be used to identify anyone because it (1) is "an abstract, numerical representation of a face" which does not reveal any information about the appearance of the face and (2) "cannot be reverse engineered," such that it is not possible to identify nonusers from their face signatures alone." Id. at 16. While Zellmer offered evidence that face signatures could be used to predict age and gender, the panel reasoned that those predictions do not constitute identification as required by BIPA.
The Ninth Circuit also affirmed the district court's ruling that Zellmer lacked standing under BIPA Section 15(a). Like the U.S. Court of Appeals for the Seventh Circuit in Bryant v. Compass Grp. USA, Inc., 958 F.3d 617 (7th Cir. 2020), the court held that the duty to publish a policy was owed to the public generally, and Zellmer had failed to show he was harmed in any concrete and particularized way by the failure to publish such a policy. Nor could he, because the data on which his claim was based—his "face signature"—was not subject to BIPA. As the panel explained, "Zellmer is no more harmed by Meta's failure to have a retention schedule or guidelines related to the destruction of biometric identifiers or information than anyone else in Illinois." Zellmer v. Meta Platforms, Inc., – F.4th –, 2024 WL 3016946, at *8 (9th Cir. June 17, 2024).
Notably, the Ninth Circuit disagreed with the district court's ruling that BIPA could not be interpreted to apply to nonusers based on the practical impossibility of compliance. On this point, the panel concluded that because the statute's text clarifies its application to "a person's or a customer's" biometric data, "non-users are protected, regardless of any preexisting relationship with the party alleged to have violated BIPA." Id. at *4.
Looking Ahead
BIPA currently provides for extraordinary "liquidated" damages of $1,000 to $5,000 "per violation" and has prompted thousands of class actions since the first case was filed in 2015. BIPA defendants range from small companies using biometric timekeeping devices to social media platforms providing services across the nation. Exposure under BIPA can be staggering, and compliance, especially with regard to nonusers, can be challenging, so understanding the scope of BIPA is crucial for courts and litigants alike.
A threshold question is whether the data at issue is covered by BIPA. Zellmer helps answer that: data covered by BIPA must be capable of identifying a person. Zellmer offers private entities important guidance regarding how to manage data, comply when BIPA applies, and defend against BIPA claims. But Zellmer also leaves some questions unanswered, and this is where we expect future cases to focus. If a defendant does not use the data at issue to identify people, what must be shown to establish that they could do so if they chose? Would practical limitations, such as the need for significant engineering effort, be enough to conclude that the data could not be used to identify someone? What does "identify" mean? Would a name be required? Something less? If so, what?
Given the significant volume of BIPA cases filed each week, these interesting and technical questions are sure to be litigated in short order.
***
Companies with questions regarding BIPA or other biometric privacy laws should seek experienced counsel. Perkins Coie lawyers have been litigating cases involving biometric privacy and helping companies minimize risk under biometric privacy laws for more than a decade. For more information, or if you would like to speak to one of our biometrics lawyers, click here to contact our biometric lawyers.
© 2024 Perkins Coie LLP