A recent case involving the Illinois Biometric Information Privacy Act (BIPA), Rivera v Google (N.D. Ill. No. 16 C 02714, Dec. 28, 2018), puts the ills of Spokeo Inc. v. Robins on full display. In Rivera, plaintiffs sued Google under BIPA, which prohibits companies from collecting and storing specific types of biometric data without people’s consent. The plaintiffs alleged that Google collected and used their face-geometry scans through Google Photos without their consent. Google’s face recognition feature is defaulted to being on unless users opt out. Instead of addressing the merits of the plaintiffs’ lawsuit under BIPA, the court dismissed the case for lack of standing based on Spokeo, a fairly recent U.S. Supreme Court case on standing.
Spokeo is a terrible decision by the U.S. Supreme Court. It purports to be an attempt to clarify the test for standing to sue in federal court, but it flunks on clarity and coherence. I previously wrote an extensive critique of Spokeo when the decision came out in 2016.
Beyond Spokeo‘s incoherent mess, there is another part of the opinion that is far worse — Spokeo authorizes courts to override legislatures in determining whether there’s a cognizable privacy harm under a legislature’s own statute. This part of Spokeo is a major usurpation of legislative power — it undermines a legislature’s determination about the proper remedies for violations of its own laws.