California district court rules social media company cannot dismiss non-users’ facial scan privacy claims
On March 2, the U.S. District Court for the Northern District of California denied a motion to dismiss an action for lack of standing in a lawsuit brought under the Illinois Biometric Information Privacy Act (BIPA) against a social media company (defendant) for allegedly collecting and storing non-user facial scans. The action was similar to a consolidated class action lawsuit brought by users of the site in 2016. The court found that the factual difference between the two cases (one involving users and one involving non-users) was irrelevant for its Article III analysis. Citing to his February 26 decision (February decision) in the related case, the judge concluded that the abrogation of the plaintiffs’ procedural rights under BIPA, which allow users to control their biometric information, amounted to a concrete injury under Article III. As the court noted in the February decision: “BIPA vested in Illinois residents the right to control their biometric information by requiring notice before collection and giving residents the power to say no by withholding consent,” and that there is “equally little doubt . . . that a violation of BIPA’s procedures would cause actual and concrete harm.” The court rejected the defendant’s argument that it did not store non-users’ biometric information, stating that such factual evidence, which is disputed by the plaintiffs, goes to the merits of the case and cannot be weighed or resolved at the motion to dismiss stage.