No About-Face for Second Circuit in Face-Scanning Suit

Advertising Law

A video game company successfully dodged a lawsuit which claimed that face-scanning technology violated an Illinois privacy law, in a new decision from the U.S. Court of Appeals, Second Circuit.

Siblings Ricardo and Vanessa Vigil purchased NBA 2K15 in part due to the “My Player” feature that allowed users to undergo a facial scan and create a personalized avatar in the game. Although the Vigils signed a release permitting Take-Two Interactive Software Inc. to take the scan and use the data collected to create avatars, they alleged the company violated the Illinois Biometric Information Privacy Act (BIPA).

The statute sets forth disclosure, consent and retention requirements for private entities that collect, store and disseminate biometric data. The Vigils claimed that Take-Two failed to provide adequate disclosures, in particular by failing to inform them that their likenesses would be visible to other players online and by not providing a retention schedule or guidelines for destroying biometric identifiers, so their consent was invalid.

The software company moved to dismiss, arguing that the plaintiffs failed to adequately allege concrete harm under BIPA as required by Spokeo, Inc. v. Robins. A district court judge agreed, and the Second Circuit affirmed.

BIPA was implicated only if the plaintiffs’ biometric data was collected or disseminated without their authorization or if a procedural violation created a material risk of such an outcome, the panel said. But the Vigils consented to the scans, and none of the alleged procedural violations raised a material risk of harm.

Although the statute requires that private entities inform the subject in writing that a biometric identifier—defined as a “scan of … face geometry”—is being collected or stored, Take-Two’s disclosure that the MyPlayer feature required a “face scan” without using the term “geometry” was sufficient, the court found.

“No reasonable person … would believe that the MyPlayer feature was conducting anything other than such a scan,” the panel wrote. “Plaintiffs had to place their faces within 6 to 12 inches of the camera, slowly turn their heads to the left and to the right, and do so for approximately 15 minutes. This degree of invasiveness far exceeded that of a simple photo, and plaintiffs do not plausibly assert … that they would have withheld their consent had Take-Two included the missing term.”

Further, the plaintiffs neglected to show that the defendant’s failure to inform them of the duration that it would hold their biometric data, as required by BIPA, raised a material risk of harm.

“Plaintiffs have not alleged that Take-Two has not or will not destroy their biometric data within the period specified by the statute, and accordingly have alleged only a bare procedural violation,” the court said. “Likewise, although Take-Two did not notify the plaintiffs of its retention schedule and guidelines for permanently destroying [their] biometric [data],’ plaintiffs do not allege that Take-Two lacks such protocols, that its policies are inadequate, or that Take-Two is unlikely to abide by its internal procedures. There is accordingly no material risk that Take-Two’s procedural violations have resulted in plaintiffs’ biometric data being used or disclosed without their consent.”

Although the Second Circuit acknowledged that the alleged violations of BIPA’s data-security provisions raised “a somewhat thornier issue,” by transmitting unencrypted scans of face geometry via the open Internet and storing the templates in a way that associated a user’s identity with his or her biometric data. Nonetheless, the claim still failed. The Vigils did not allege that the purported violations raised a material risk that their biometric data will be improperly accessed by third parties, the court said.

Finally, the panel was not persuaded that the plaintiffs’ fear of using biometrics established an Article III injury-in-fact.

“While it is true that BIPA’s legislative findings identify consumers’ withdrawal from biometric-facilitated transactions as a problem, they clarify that this issue arises only where a consumer’s biometric data has been ‘compromised,’ i.e., collected or disclosed without his authorization,” the court wrote. “Because plaintiffs have failed to establish that Take-Two’s procedural violations have created a material risk that this will occur, they cannot now leapfrog this obligation by imposing an injury upon themselves.”

The court dismissed the suit without prejudice.

To read the order in Vigil v. Take-Two Interactive Software, Inc., click here.

Why it matters: Consumer class actions claiming violations of BIPA have exploded in recent months, but the Second Circuit’s decision should provide those collecting biometric data with some breathing room in light of its conclusion that a plaintiff’s bare procedural violation is not sufficient to establish standing to sue.