Patel v. Facebook, Inc., 080819 FED9, 18-15982

Docket Nº:18-15982
Opinion Judge:IKUTA, CIRCUIT JUDGE.
Party Name:Nimesh Patel, Individually and on Behalf of All Others Similarly Situated; Adam Pezen; Carlo Licata, Plaintiffs-Appellees, v. Facebook, Inc., Defendant-Appellant.
Attorney:Lauren R. Goldman (argued), Andrew J. Pincus, and Michael Rayfield, Mayer Brown LLP, New York, New York, for Defendant-Appellant. John Aaron Lawson (argued) and Rafey S. Balabanian, Edelson PC, San Francisco, California; Susan K. Alexander and Shawn A. Williams, Robbins Geller Rudman & Dowd LLP, ...
Judge Panel:Before: Ronald M. Gould and Sandra S. Ikuta, Circuit Judges, and Benita Y. Pearson, [*] District Judge.
Case Date:August 08, 2019
Court:United States Courts of Appeals, Court of Appeals for the Ninth Circuit
 
FREE EXCERPT

Nimesh Patel, Individually and on Behalf of All Others Similarly Situated; Adam Pezen; Carlo Licata, Plaintiffs-Appellees,

v.

Facebook, Inc., Defendant-Appellant.

No. 18-15982

United States Court of Appeals, Ninth Circuit

August 8, 2019

Argued and Submitted June 12, 2019 San Francisco, California

Appeal from the United States District Court for the Northern District of California James Donato, District Judge, Presiding D.C. No. 3:15-cv-03747-JD

Lauren R. Goldman (argued), Andrew J. Pincus, and Michael Rayfield, Mayer Brown LLP, New York, New York, for Defendant-Appellant.

John Aaron Lawson (argued) and Rafey S. Balabanian, Edelson PC, San Francisco, California; Susan K. Alexander and Shawn A. Williams, Robbins Geller Rudman & Dowd LLP, San Francisco, California; Michael P. Canty and Corban S. Rhodes, Labaton Sucharow LLP, New York, New York; for Plaintiffs-Appellees.

Susan Fahringer and Nicola Menaldo, Perkins Coie LLP, Seattle, Washington; Neal Kumar Katyal, Hogan Lovells U.S. LLP, Washington, D.C.; Lauren Ruben, Perkins Coie LLP, Denver, Colorado; Thomas P. Schmidt, Hogan Lovells U.S. LLP, New York, New York; Sara Solow, Hogan Lovells U.S. LLP, Philadelphia, Pennsylvania; for Amicus Curiae Internet Association.

Nathan Freed Wessler, American Civil Liberties Union, New York, New York; Rebecca K. Glenberg, Roger Baldwin Foundation of ACLU, Chicago, Illinois; Jacob A. Snow, American Civil Liberties Union Foundation of Northern California, San Francisco, California; Jennifer Lynch and Adam Schwartz, Electronic Frontier Foundation, San Francisco, California; Joseph Jerome, Center for Democracy & Technology, Washington, D.C.; Michael C. Landis, Illinois PIRG Education Fund Inc., Chicago, Illinois; for Amici Curiae American Civil Liberties Union, American Civil Liberties Union of Illinois, American Civil Liberties Union Foundation of Northern California, American Civil Liberties Union Foundation of Southern California, Center for Democracy & Technology, Electronic Frontier Foundation, and Illinois PIRG Education Fund Inc.

Marc Rotenberg, Alan Butler, and John Davisson, Electronic Privacy Information Center, Washington, D.C., for Amicus Curiae Electronic Privacy Information Center (EPIC).

Kelly P. Dunbar, Reginald J. Brown, Patrick J. Carome, Jonathan G. Cedarbaum, and Samuel M. Strongin, Wilmer Cutler Pickering Hale and Dorr LLP, Washington, D.C.; Steven P. Lehotsky and Jonathan D. Urick, U.S. Chamber Litigation Center, Washington, D.C.; for Amicus Curiae Chamber of Commerce of the United States of America.

Before: Ronald M. Gould and Sandra S. Ikuta, Circuit Judges, and Benita Y. Pearson, [*] District Judge.

SUMMARY

[**]

Standing / Class Certification / Illinois Law

The panel affirmed the district court's order certifying a class under Fed.R.Civ.P. 23 of users of Facebook, Inc., who alleged that Facebook's facial-recognition technology violated Illinois's Biometric Information Privacy Act ("BIPA").

The panel held that plaintiffs alleged a concrete and particularized harm, sufficient to confer Article III standing, because BIPA protected the plaintiffs' concrete privacy interest, and violations of the procedures in BIPA actually harmed or posed a material risk of harm to those privacy interests. Specifically, the panel concluded that the development of a face template using facial-recognition technology without consent (as alleged in this case) invades an individual's private affairs and concrete interests.

The panel held that the district court did not abuse its discretion in certifying the class. Specifically, the panel rejected Facebook's argument that Illinois's extraterritoriality doctrine precluded the district court from finding predominance. The panel further held that the district court did not abuse its discretion in determining that a class action was superior to individual actions in this case.

OPINION

IKUTA, CIRCUIT JUDGE.

Plaintiffs' complaint alleges that Facebook subjected them to facial-recognition technology without complying with an Illinois statute intended to safeguard their privacy. Because a violation of the Illinois statute injures an individual's concrete right to privacy, we reject Facebook's claim that the plaintiffs have failed to allege a concrete injury-in-fact for purposes of Article III standing. Additionally, we conclude that the district court did not abuse its discretion in certifying the class.

I

Facebook operates one of the largest social media platforms in the world, with over one billion active users. Packingham v. North Carolina, 137 S.Ct. 1730, 1735 (2017). About seven in ten adults in the United States use Facebook.1

A

When a new user registers for a Facebook account, the user must create a profile and agree to Facebook's terms and conditions, which permit Facebook to collect and use data in accordance with Facebook's policies. To interact with other users on the platform, a Facebook user identifies another user as a friend and sends a friend request. If the request is accepted, the two users are able to share content, such as text and photographs.

For years, Facebook has allowed users to tag their Facebook friends in photos posted to Facebook. A tag identifies the friend in the photo by name and includes a link to that friend's Facebook profile. Users who are tagged are notified of the tag, granted access to the photo, and allowed to share the photo with other friends or "un-tag" themselves if they choose.

In 2010, Facebook launched a feature called Tag Suggestions. If Tag Suggestions is enabled, Facebook may use facial-recognition technology to analyze whether the user's Facebook friends are in photos uploaded by that user. When a photo is uploaded, the technology scans the photo and detects whether it contains images of faces. If so, the technology extracts the various geometric data points that make a face unique, such as the distance between the eyes, nose, and ears, to create a face signature or map. The technology then compares the face signature to faces in Facebook's database of user face templates (i.e., face signatures that have already been matched to the user's profiles).2 If there is a match between the face signature and the face template, Facebook may suggest tagging the person in the photo.

Facebook's face templates are stored on its servers, which are located in nine data centers maintained by Facebook. The six data centers located in the United States are in Oregon, California, Iowa, Texas, Virginia, and North Carolina. Facebook's headquarters are in California.

B

Facebook users living in Illinois brought a class action against Facebook, claiming that Facebook's facial-recognition technology violates Illinois law. Class representatives Adam Pezen, Carlo Licata, and Nimesh Patel each live in Illinois. They joined Facebook in 2005, 2009, and 2008, respectively, and each uploaded photos to Facebook while in Illinois. Facebook created and stored face templates for each of the plaintiffs.

The three named plaintiffs filed the operative consolidated complaint in a California district court in August 2015. The plaintiffs allege that Facebook violated the Illinois Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. 14/1 et seq. (2008), which provides that "[a]ny person aggrieved" by a violation of its provisions "shall have a right of action" against an "offending party," id. 14/20. According to the complaint, Facebook violated sections 15(a) and 15(b) of BIPA by collecting, using, and storing biometric identifiers (a "scan" of "face geometry," id. 14/10) from their photos without obtaining a written release and without establishing a compliant retention schedule.3

The Illinois General Assembly enacted BIPA in 2008 to enhance Illinois's "limited State law regulating the collection, use, safeguarding, and storage of biometrics." 740 Ill. Comp. Stat. 14/5(e). BIPA defines a "biometric identifier" as including a "scan of hand or face geometry." Id. 14/10.4 In a series of findings, the state legislature provided its views about the costs and benefits of biometric data use. The legislature stated that "[t]he use of biometrics is growing in the business and security screening sectors and appears to promise streamlined financial transactions and security screenings," and also noted that "[m]ajor national corporations have selected the City of Chicago and other locations in this State as pilot testing sites for new applications of biometric-facilitated financial transactions." Id. 14/5(a)-(b). Nevertheless, "[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information," because while social security numbers can be changed if compromised by hackers, biometric data are "biologically unique to the individual," and "once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions." Id. 14/5(c). Moreover, "[t]he full ramifications of biometric technology are not fully known." Id. 14/5(f). The legislature concluded that "[t]he public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information." Id. 14/5(g).

To further these goals, section 15 of BIPA imposes "various obligations regarding the collection, retention, disclosure, and destruction of biometric identifiers and biometric information" on private entities. Rosenbach v. Six Flags Entm't Corp., - N.E.3d -, 2019 IL 123186, at *4 (Ill. 2019). These requirements include "establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information" the...

To continue reading

FREE SIGN UP