Federal district court dismisses Illinois gamers’ biometric information privacy case against video game maker

A federal district court in New York has determined the mere violation of the Illinois Biometric Information Privacy Act does not amount to an injury sufficient to allow video game players to sue in federal court.

Two video game players from Illinois alleged Take-Two Interactive Software Inc. violated Illinois’ Biometric Information Privacy Act, or BIPA, through the company’s collection of faceprints for use in its NBA 2K15 and NBA 2K16 video games. But a federal district court in New York dismissed the biometric information privacy case against Take-Two Jan. 30, according to the New York Law Journal.

The court based its dismissal on the Spokeo v. Robins case, which set the precedent requiring evidence of a “concrete and particularized injury,” which the U.S. Supreme Court decided May 16. The dismissal of the Take-Two case follows the August decision of the U.S. District Court for the Northern District of Illinois to dismiss a BIPA-based case against Smarte Carte, an operator of fingerprint-keyed lockers, on Spokeo grounds.

The BIPA, while complex, affects how individual privacy is protected.

The dismissal of the cases against Take-Two and Smarte Carte make it likelier that companies will continue to develop and incorporate technology based on biologically derived, or “biometric,” data without having to undertake prohibitively expensive new disclosure and consent procedures. If other courts follow suit, would-be plaintiffs will have to show actual injuries, such as theft of biometric information or costs incurred from a data breach, to win in court, making a nationwide mass biometric information tort industry less likely to spring up. Whether reining in federal lawsuits will result in laxer privacy and data protection practices remains to be seen, although companies competing for customers would probably not take such concerns lightly.

Biologically derived technology prompts privacy concerns

Over the last decade, biometric technology has increasingly come into use. Apple Inc.’s iPhone, for example, allows users to employ fingerprint technology to unlock phones, and some financial institutions now enable customers to conduct transactions online or at ATMs through such technology.

Facebook’s photo tag suggestions program and SnapChat’s Lenses feature use technology based on people’s facial geometry. And the possibility now exists for retail stores to use facial-recognition technology to spot known shoplifters, as well as to identify and greet repeat customers with special deals, according to an article in the Washington Post.

On the health care front, developments include injectable, vision-correcting artificial lenses, which can collect and store information from the wearer and transmit that data to outside devices.

Notwithstanding the promise of this biotechnology to enhance many aspects of life, serious concerns about privacy, security, government monitoring citizens, and the sale of people’s personal, biologically derived data abound. As the Illinois General Assembly noted, although a person can change her Social Security number if it is stolen, she cannot easily alter her distinct facial geometry once that identifier falls into the wrong hands.

It is against this backdrop that the Illinois General Assembly passed the BIPA in 2008, making Illinois the first state to regulate how private entities could collect, use and store biometric information.

How Illinois’ Biometric Information Privacy Act works

The BIPA includes as “biometric information” data derived from a “biometric identifier” such as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”

Illinois’ BIPA makes it illegal for a private entity to obtain a person’s biometric identifier or information, unless the entity first informs the person in writing and discloses the specific purpose and length of time for which the data is being collected, stored or used. The entity must then obtain written consent from the person to use or store the biometric information.

The act further requires the party in possession of the data to protect the security of the information.

Under the BIPA, Illinoisans “aggrieved” by violations of the act have the right to sue private parties for violations of the act and to collect the greater of $1,000 or actual damages for each violation negligently committed, and the greater of $5,000 or actual damages for each violation recklessly or intentionally committed.

Interestingly, Illinois’ BIPA expressly excludes state agency or local government personnel from the prohibitions contained in the act.

The case against Take-Two

The Illinois plaintiffs sued New York City-based Take-Two in federal district court in New York. The gamers had scanned their faces to create personalized virtual basketball players in the NBA 2K15 game. Both plaintiffs agreed to the NBA 2K15 “MyPlayer” terms and conditions, which contained a notice about the transmission of facial information. Nonetheless, the plaintiffs alleged the game maker violated the BIPA by, among other things, storing face scan information indefinitely on Take-Two servers, transmitting facial images unencrypted across the internet, failing to protect game players’ information adequately, and neglecting to send written disclosures to or obtain written consent from players. The plaintiffs claimed the NBA 2K15 experience had soured them on participating in other biometric-facilitated transactions.

Dismissal of claims against Take-Two followed Spokeo, Smarte Carte decisions

The district court that decided the case against Take-Two determined that the plaintiffs had not met the standards set forth in the Supreme Court’s Spokeo decision. In Spokeo, the Supreme Court explained that to have standing to file a lawsuit in federal court, Article III of the U.S. Constitution requires a plaintiff to have an actual conflict that needs to be resolved. The Supreme Court in Spokeo emphasized the necessity of a “concrete and particularized injury” to satisfy Article III’s “case or controversy” requirement and held that allegations of a mere violation of a statute do not qualify.

The Take-Two decision noted that, just as the plaintiff in the case against Smarte Carte must have understood her fingerprint would be stored long enough for her to use it to open her rented locker, the NBA 2K15 gamers must have known their face scans would be stored to create personalized basketball player avatars. The court explained that plaintiffs had failed to show Take-Two had used their biometric information for any purposes other than to allow them to play NBA 2K15, and had also failed to show an imminent risk of wrongful dissemination or theft of their biometric data. Even if Take-Two had failed to follow BIPA-mandated procedures, plaintiffs’ alleged “enhanced risk of harm” was “too abstract and speculative to support standing” under Article III according to the Spokeo decision.

The court further dismissed the idea that more extensive notice and consent would have better served the BIPA’s data-protection goals. And, citing the decision in the Smarte Carte case, the court rejected the idea that the video game players were “aggrieved” under the BIPA, as they had failed to establish an injury sufficient to sue.

Implications of dismissals of BIPA cases

The federal district courts’ rejection of the BIPA plaintiffs’ claims as nothing more than “bare statutory violations” in the cases against Take-Two and Smarte Carte could provide federal courts in other BIPA cases, such as those against Facebook, Google and SnapChat, grounds to impose strict standards with respect to plaintiffs’ injuries. These outcomes could also discourage other plaintiffs who lack concrete injuries from bringing similar claims in federal court.

However, the $1.5 million settlement of a fingerprint-based BIPA case against L.A. Tan in Illinois state court in December could encourage more BIPA lawsuits in Illinois state courts. It is not clear how many potential defendants will have Illinois ties sufficient to allow plaintiffs to sue them in Illinois state court, though.

One thing is certain: The use of biometric information, such as face scans and fingerprints, is an increasingly common facet of everyday life. Lawmakers, government agencies, other organizations, businesses and consumers need to arrive at ways to protect this data while not creating incentives for mass tort litigation that hobbles innovation and industry.