Facebook Petitions Supreme Court for Review of Critically Important Privacy Question
This term, the Supreme Court may review the Ninth Circuit’s decision in Patel v. Facebook—a high-stakes privacy class action lawsuit. The defendant in Patel filed a petition for certiorari with the high Court last week. The Supreme Court’s decision on whether it will take the case will have profound effects on the future of federal privacy litigation.
As a brief review (our full summary of Patel is available here), this suit was initiated by Facebook users who argue that the defendant violated the Illinois Biometric Information Privacy Act (BIPA), a state law provides a private right of action for any violation of the statute, even mere procedural violations without a showing that the plaintiff was harmed. The plaintiffs argue that the defendant collected facial recognition data on them to facilitate the use of its “tag suggestions” feature, which prompts users to link other users’ profiles to photographs. The sole allegation was that the defendant violated the procedural elements of the law, such as failing to publish a data retention schedule. Critically, the plaintiffs have not alleged that they suffered any harm—tangible or intangible—and, in fact, the lead plaintiff referred to “tag suggestions” as a “nice feature” that he consciously chose not to opt out of.
Given the lack of any harm, the defendant challenged the suit on standing grounds. The argument largely revolved around Spokeo v. Robins, a 2016 Supreme Court decision that held that “a bare procedural violation, divorced from any concrete harm” could not satisfy Article III’s injury-in-fact requirement. The defendant essentially argued that the plaintiffs’ claims were “bare procedural violations” because there failed to allege any real-world harm. The Ninth Circuit disagreed.
The Ninth Circuit held that alleging violations of BIPA’s procedural requirements—without more—was sufficient to confer Article III standing. To get to this conclusion, the Court reasoned that (1) the right to privacy is a concrete interest, (2) the collection of facial recognition data invades that interest, (3) BIPA was established to protect consumers’ concrete privacy interest with its procedural requirements, and thus (4) violation of BIPA’s procedural requirements is—in and of itself—a concrete harm. The defendant’s petition for certiorari (the Petition) takes issue with this reasoning.
The Petition asks the Court to answer two privacy-related[1] questions:
-
Whether a court can find Article III standing based on its conclusion that a statute protects a concrete interest, without determining that the plaintiff suffered a personal, real-world injury from the alleged statutory violation.
-
Whether a court can find Article III standing based on a risk that a plaintiff’s personal information could be misused in the future, without concluding that the possibility of misuse is imminent.
The Petition presents three arguments as to why the Court should answer these questions. First—as we have previously highlighted—the Petition argues that the Ninth Circuit’s decision creates one circuit split on Article III standing and deepens another. The Petition explains that the Ninth Circuit’s decision allows plaintiffs to seek damages “regardless of whether the plaintiff in fact suffered a personal, real-world harm,” which conflicts with decisions from the Second, Fourth, Sixth, Seventh, and Eighth Circuits. The Petition also points out that the Ninth Circuit’s decision “deepened an acknowledged circuit split over whether the mere possibility of future misuse of a plaintiff’s personal information creates Article III standing.”
Second, the Petition contends that the Ninth Circuit “badly contorted” standing doctrine by (1) failing to require plaintiffs to show that they were injured by the defendant’s alleged statutory violation, and (2) holding that “a court can find standing based on the risk of future misuse of a plaintiff’s personal information, without determining that this risk is certainly impending,” in violation of the Supreme Court’s decision in Clapper v. Amnesty International.
Third, the Petition argues that the questions are important and recurring. It notes that “[n]o principle is more fundamental to the judiciary’s proper role in our system of government than” Article III standing. It buttresses this argument by pointing out that the Ninth Circuit’s holding will only speed up the proliferation of injury-free lawsuits, which create “a significant risk that defendants will accept in terrorem settlements to resolve questionable claims.”
Whether the Supreme Court will grant the Petition is anyone’s guess. But the existence of two circuit splits indicates that the issue of standing in privacy cases is in serious need of Supreme Court guidance. On the other hand, the Supreme Court has turned down a slew of other recent petitions that have asked similar questions.
Regardless of whether it takes the case, the importance of this issue cannot be overstated. There are hundreds of pending BIPA suits, and technology companies are facing billions of dollars in liability. And that’s just BIPA. As the Chamber of Commerce pointed out in a 2019 white paper, private rights of action in other statutes designed to protect consumer privacy—including the Telephone Consumer Protection Act, Fair Credit Reporting Act, and Video Privacy Protection Act—present similar risks. Perhaps most concerning of all, Senate Democrats’ draft federal privacy legislation includes a broad private right of action that explicitly addresses standing, declaring that any violation of the bill would “constitute[] a concrete and particularized injury in fact[.]”
Without Supreme Court action—or preemptive federal privacy legislation that doesn’t include a private right of action—businesses will be forced to continue weathering the storm of privacy class action lawsuits.
[1] The Petition asks a third question independent of the privacy issues: “Whether a court can certify a class without deciding a question of law that is relevant to determining whether common issues predominate under Rule 23.”
