News, Developments, and Insights

high-tech technology background with eyes on computer display

Rivera v Google BIPA - Illinois Biometric Information Privacy Act - Facial Recognition - Spokeo

A recent case involving the Illinois Biometric Information Privacy Act (BIPA), Rivera v Google (N.D. Ill. No. 16 C 02714, Dec. 28, 2018), puts the ills of Spokeo Inc. v. Robins on full display.  In Riveraplaintiffs sued Google under BIPA, which prohibits companies from collecting and storing specific types of biometric data without people’s consent.  The plaintiffs alleged that Google collected and used their face-geometry scans through Google Photos without their consent.  Google’s face recognition feature is defaulted to being on unless users opt out.  Instead of addressing the merits of the plaintiffs’ lawsuit under BIPA, the court dismissed the case for lack of standing based on Spokeo, a fairly recent U.S. Supreme Court case on standing.

Spokeo is a terrible decision by the U.S. Supreme Court.  It purports to be an attempt to clarify the test for standing to sue in federal court, but it flunks on clarity and coherence.  I previously wrote an extensive critique of Spokeo when the decision came out in 2016.

Beyond Spokeo‘s incoherent mess, there is another part of the opinion that is far worse — Spokeo authorizes courts to override legislatures in determining whether there’s a cognizable privacy harm under a legislature’s own statute.  This part of Spokeo is a major usurpation of legislative power — it undermines a legislature’s determination about the proper remedies for violations of its own laws.

A 7th Circuit case from 2016, Gubala v. Time Warner Cable, Inc., 846 F.3d 909 (7th Cir. 2016), held that a cable subscriber lacked standing to sue for a violation of the Cable Communications Policy Act when Time Warner Cable unlawfully retained his personal data (date of birth, address, phone number, and Social Security Number).  The 7th Circuit, in an opinion by Judge Posner, used Spokeo to dismiss the case on standing grounds. According to the 7th Circuit, there would be “a risk of harm” if Time Warner had “given away or leaked or lost any of his personal information or . . . ha[d] the information stolen from it,” but there was no disclosure or data loss.

The problem with Grubala is that the Cable Act and other privacy laws use private rights of action as an enforcement mechanism.  The case strips from the law a major element that Congress had put into it to ensure that it would be followed — using a private right of action to enforce the law.  The perverse result of Grubala is that companies can just ignore many provisions of the Cable Act and leave people without remedies.  Rights without remedies are often quite meaningless.

In Rivera, the court follows Spokeo and Grubala to reach a similar conclusion:

Plaintiffs have not offered evidence about the retention of their face templates that overcomes the obstacle in Gubala. Plaintiffs do not dispute that: their face templates have not been shared with other Google Photos users or with anyone outside of Google itself; there has not been any unauthorized access to the accounts or data associated with their face templates or face groups; and hackers have not obtained their data.

There are several problems with this conclusion.  First, the Grubala and Rivera courts both have a very narrow and constrained view of privacy harm, which they view as a harm of disclosure.  But privacy can be harmed in many other ways than revealing personal data to others.  One of these ways is when organizations retain people’s data without their consent, failing to give them a way to reassert control over their personal data, even when the data is no longer necessary for the purposes for which it was collected.  This is not a concern only of a few overly-anxious people.  It’s not a concern merely concocted by plaintiffs and not felt widely by society. Instead, it is a harm that many privacy laws recognize.  Many laws include a right to deletion of data (or a right to erasure or a right to be forgotten).  These include the Children’s Online Privacy Protection Act (COPPA), the EU General Data Protection Regulation (GDPR), and the recent California Consumer Privacy Act (CCPA), among others.  The FTC has required companies to purge data improperly collected.  And the Cable Act in Gubala and BIPA in Rivera can also be included on the list.

If there’s no harm in retaining personal data, then why do so many privacy laws give people rights not to have the data retained?  What’s the point if there’s no harm?  Why are legislatures wasting their time by including these provisions in so many laws?  Perhaps the U.S. Congress, state legislatures, and the EU Parliament are all just crazy.  Or, perhaps these legislatures recognize that privacy involves more than the mere protection against the disclosure of personal data — it involves many things such as being properly informed, having data collected and used with consent, having data used responsibly, requiring organizations to minimize data collection, use, and retention, and many more things.  In my book, Understanding Privacy, I argued that privacy isn’t just one narrow thing but is a web of many different yet interrelated things.  In the book, I critiqued Judge Posner for his very narrow view of privacy — as a mere desire to hide discreditable information.  This narrow view has informed many of his writings and judicial decisions about privacy.

Second, the holdings in Grubala, Rivera, and Spokeo represent tremendous judicial arrogance.  Countless legislatures have deemed something sufficiently harmful to warrant a remedy in the law, yet courts are ignoring this because they apparently know better.  With more humility, courts might express reluctance to override legislative determinations about privacy harm.  Legislatures don’t give out private rights of action loosely.  Private rights of action are one of the most contested elements of laws, and when legislatures deem that violations of a law are worthy of being redressed by a private right of action, judges ought to show a lot more respect for the legislature’s determination.

Third, Spokeo is a very ill-advised invitation for courts to undermine legislatures. It is the job of the legislatures to write the laws.  When laws run afoul of the Constitution, it’s fine for courts to strike them down.  But Spokeo allows courts to undermine a law by nullifying its enforcement.  Spokeo invites courts to substitute their own judgments about what is a privacy harm for that of legislatures.  This is a usurpation of legislative power.  Courts can define harm under common law or where a legislature has specifically allowed a court to define harm under a law. But otherwise, courts shouldn’t be messing with the way that legislatures craft their laws.  In Spokeo, Congress chose to recognize certain violations of the Fair Credit Reporting Act as justifying a remedy.  Likewise, Congress for the Cable Act and the Illinois legislature for BIPA decided which violations were worthy of redress.  They chose to use a private right of action as one of the enforcement tools.  Nullifying this enforcement component of the law can throw a wrench into the structure of a law, thwarting the way the law is supposed to work.

A legislature can provide statutory damages for violations of a law.  Statutory damages often involve situations where harm is difficult to prove, and the legislature, in its judgment, still wants plaintiffs to pursue litigation for violations.  This is why so many laws have statutory damages provisions.  I’m not sure what becomes of statutory damages provisions in laws after Spokeo.  Courts can just reject them.  This is tremendously wrong.  It is brazen judicial overreaching.

It should not matter what the Rivera court thought about the privacy harms in Rivera.  I think that there were such harms. But even if I didn’t, the Illinois legislature made the determination that a violation of the BIPA is actionable.  That should end the debate, at least with regard to standing. Legislatures have every right to define what is harmful in their laws and how their laws are to be enforced.  Courts should enforce the laws passed by the legislature, not pick and choose which parts of laws they like the best based upon whether they think there’s a harm or not.

Spokeo is a very ambiguous opinion and can readily be distinguished in nearly any case.  Courts don’t need to accept Spokeo’s invitation to override legislative judgments of privacy harms and statutory enforcement.  The Spokeo decision itself was uneasy about this and provided ample ways for courts to decline its invitation.  Instead of using Spokeo as a tool to wield mischief, courts could readily find bases in Spokeo to push it aside.  Spokeo is a rabbit hole that leads not to wonderland, but to a far more miserable and crazy place.  Thus, my advice to courts on Spokeo is to brush it aside and move along.

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 3-5, 2018 in Washington, DC), an annual event designed for seasoned professionals. 

NEWSLETTER: Subscribe to Professor Solove’s free newsletter
TWITTER: Follow Professor Solove on Twitter.

Our New Privacy Awareness Training Course

Click here to see a demo or to learn more about the course.

TeachPrivacy Privacy Awareness Training - Global Privacy screenshots 01

Table of Contents

TeachPrivacy Privacy Awareness Training - Global Privacy Outline 02

Click here to see a demo or to learn more about the course.