The U.S. Court of Appeals for the 2nd Circuit recently upheld a district court decision dismissing a putative class action filed by two plaintiffs against the maker of the NBA2K videogame series. The plaintiffs alleged five violations of the Illinois Biometric Information Privacy Act (BIPA). The district court dismissed plaintiffs’ claims for lack of Article III standing, and the plaintiffs appealed.
The BIPA was enacted in 2008, but there has been a recent increase in BIPA-related litigation as more companies collect biometric data. The statute governs the collection, storage, and dissemination of “biometric identifiers” and “biometric information” by private entities. A “biometric identifier” is a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, and “biometric information” is information based on “biometric identifiers.” A private entity must provide notice in writing that a biometric identifier is being collected or stored. The statute also requires that private entities use the reasonable standard of care within their industry to protect biometric data in their possession while it is being stored or transmitted.
In this case, plaintiffs claimed that Take-Two violated the notice and data security provisions of the BIPA. Take-Two included a feature in its NBA2K15 and NBA2K16 video games that allowed players to use personal cameras to scan their facial geometry and use it to create an avatar for gameplay. Prior to creating this avatar, the gamer had to agree to the following terms and conditions on the viewer’s screen:
“Your face scan will be visible to you and others you play with and may be recorded or screen-captured during gameplay. By proceeding you agree and consent to such uses and other uses pursuant to the End User License Agreement.”
Despite agreeing to these terms, plaintiffs claimed they did not provide informed consent for the collection and use of their biometric data, and further argued that Take-Two did not properly protect the biometric data it collected.
District Court and Appellate Court Agreed on the Illinois Biometric Information Privacy Act Law Suit Dismissal
The district court dismissed plaintiffs’ claims for lack of standing, and the appellate court agreed. The appellate court acknowledged that there were procedural violations of the BIPA by Take-Two, but found that none of the alleged procedural violations raised a material risk of harm to the interest that the BIPA was designed to protect. The court noted that although Take-Two did not inform plaintiffs how long their data would be held, or inform them of how the data would be destroyed, the plaintiffs did not allege that either Take-Two’s internal policies or actions violated the statute. Similarly, while plaintiffs alleged that Take-Two’s data security measures were inadequate, the Court noted that plaintiffs did not allege that these violations raised a material risk of harm that the data would be improperly accessed.
This case is another in a growing collection of data privacy cases disposed of based on a lack of Article III standing following the United States Supreme Court’s ruling in Spokeo. It is also an example of the increasing number of cases alleging violations of statutes that address the collection and use of biometric data. The defendant in this case was able to avoid any liability despite the court finding that it had violated the applicable statute; however, it is important not to disregard the procedural requirements of these laws. When collecting personal data, including biometric data, great care should be taken to ensure that actions comply with all applicable rules and regulations to protect not only the interests of your company, but also to protect the interest of the individuals who have provided the data.
If you have any questions regarding cybersecurity law or data privacy litigation, or rules and regulations pertaining to the collection and use of biometric data, please contact Tim Hayes at McKenna Storer.