In Patel v. Facebook, Inc., No. 18-15982, 2019 U.S. App. LEXIS 23673 (9th Cir. Aug. 8, 2019), the Court of Appeals for the 9th Circuit found that a class could be certified under the Illinois Biometric Privacy Act. The facts were as follows:

When a new user registers for a Facebook account, the user must create a profile and agree to Facebook’s terms and conditions, which permit Facebook to collect and use data in accordance with Facebook’s policies. To interact with other users on the platform, a Facebook user identifies another user as a friend and sends a friend request. If the request is accepted, the two users are able to share content, such as text and photographs. For years, Facebook has allowed users to tag their Facebook friends in photos posted to Facebook. A tag identifies the friend in the photo by name and includes a link to that friend’s Facebook profile. Users who are tagged are notified of the tag, granted access to the photo, and allowed to share the photo with other friends or “un-tag” themselves if they choose. In 2010, Facebook launched a feature called Tag Suggestions. If Tag Suggestions is enabled, Facebook may use facial-recognition technology to analyze whether the user’s Facebook friends are in photos uploaded by that user. When a photo is uploaded, the technology scans the photo and detects whether it contains images of faces. If so, the technology extracts the various geometric data points that make a face unique, such as the distance between the eyes, nose, and ears, to create a face signature or map. The technology then compares the face signature to faces in Facebook’s database of user face templates (i.e., face signatures that have already been matched to the user’s profiles).2 If there is a match between the face signature and the face template, Facebook may suggest tagging the person in the photo. Facebook’s face templates are stored on its servers, which are located in nine data centers maintained by Facebook. The six data centers located in the United States are in Oregon, California, Iowa, Texas, Virginia, and North Carolina. Facebook’s headquarters are in California. B Facebook users living in Illinois brought a class action against Facebook, claiming that Facebook’s facial-recognition technology violates Illinois law

In deciding Spokeo standing, the 9th Circuit had to justify a finding of standing under the TCPA in Van Patten versus a finding of no-standing under the FCRA in Bassett.  The Court of Appeals came down on the side of Article III standing.

Given the nature of the alleged violation of BIPA, Facebook’s reliance on Bassett v. ABM Parking Services, Inc., 883 F.3d at 780, is misplaced. Although the parking service in that case technically violated the FCRA by failing to redact a credit card’s expiration date, that violation did not cause a disclosure of the consumer’s private financial information, the substantive harm the FCRA was designed to vindicate. Id. at 782-83. By contrast, Facebook’s alleged collection, use, and storage of plaintiffs’ face templates here is the very substantive harm targeted by BIPA. Because we conclude that BIPA protects the plaintiffs’ concrete privacy interests and violations of the procedures in BIPA actually harm or pose a material risk of harm to those privacy interests, see Dutta, 895 F.3d at 1174, the plaintiffs have alleged a concrete and particularized harm, sufficient to confer Article III standing.

The Court of Appeals also found a class properly certified.  The Court of Appeals found that the district court did not abuse its discretion in certifying a class, because it was a common question whether BIPA looked to where the plaintiff resides or uses Facebook (in which case Illinois residents were proper plaintiffs and class members) or to where the biometric data is used (in which case Facebook might escape liability since its servers were not located in Illinois).)  The Court of Appeals also found that the fact that statutory damages for violation of Illinois’ Biometric Information Privacy Act could be huge did not justify denying class certification.

The question “whether the potential for enormous liability can justify a denial of class certification depends on [legislative] intent.” Bateman v. Am. Multi-Cinema, Inc., 623 F.3d 708, 722 (9th Cir. 2010). Where neither the statutory language nor legislative history indicates that the legislature intended to place a cap on statutory damages, denying class certification on that basis would “subvert [legislative] intent.” Id. at 722-23; cf. Kline v. Coldwell, Banker & Co., 508 F.2d 226, 228, 235 (9th Cir. 1974) (holding that a potential liability of $750 million under the Sherman Act would be inconsistent with congressional intent in enacting the statutory damages provision because treble damages were “not remedial” but “punitive”). Here, nothing in the text or legislative history of BIPA indicates that a large statutory damages award would be contrary to the intent of the General Assembly. Therefore, the district court did not abuse its discretion in determining that a class action is superior to individual actions in this case. See Fed. R. Civ. P. 23(b)(3).8