The Second U. S. Circuit Court of Appeals has affirmed a district court’s ruling that a pair of video game players lacked standing (under Article III of the U.S. Constitution) to bring a claim that a game developer violated the Illinois Biometric Information Privacy Act (BIPA) in its handling of data collected in a face scan for use as an individualized avatar in the game in question. In so ruling, it found that none of the alleged procedural violations of BIPA raised a material risk of harm to the players’ interest in preventing the unauthorized use, collection, or disclosure of their biometric data.
However, the court did find that the lower court erred when it dismissed the claim with prejudice, finding that the plaintiffs should have been permitted to amend their complaint to make a different argument, thus remanding the case with the instruction to dismiss the claim without prejudice.
The plaintiffs in the case were Ricardo Vigil and Vanessa Vigil, while the defendant was Take-Two Interactive Software, a publisher, developer, and distributor of “NBA 2K15” and “NBA 2K16.”
The NBA 2K15 and NBA 2K16 games contain a feature called “MyPlayer,” which allows gamers to create a personalized basketball player that has a realistic 3-D rendition of the gamer’s face, also known as an “avatar.” If a gamer chooses to play with the avatar in the games’ online, “multiplayer” mode, then other players who participate in the same multiplayer match will see the rendition of the gamer’s “face” during gameplay.
To create a MyPlayer avatar, a gamer must first agree to the following terms and conditions, which are presented on the viewer’s television screen or monitor:
“Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay. By proceeding you agree and consent to such uses and other uses pursuant to the End User License Agreement. www.take2games.com/eula.”
Only after viewing this screen and pressing “continue” can a gamer access the MyPlayer feature, according to the court.
The 3-D mapping process uses cameras to capture a scan of the gamer’s facial geometry, which is then used to disseminate a realistic rendition of the gamer’s face. Gamers must hold their faces within 6 to 12 inches of the camera and slowly turn their heads 30 degrees to the left and to the right during the scanning process. Id. at 23-24. The process of scanning the face takes about 15 minutes.
Ricardo Vigil purchased NBA 2K15 and his sister, Vanessa Vigil, played his copy of the game. Both plaintiffs used the MyPlayer feature and followed the above-described procedure to create their MyPlayer avatars. On Oct. 19, 2015, plaintiffs brought claims against Take-Two in federal court, alleging five violations of BIPA. The statute governs the collection, storage, and dissemination of individuals’ “biometric identifiers” and “biometric information” by private entities, and defines a “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” and “biometric information” as information based on “biometric identifiers.”
Specifically, the plaintiffs alleged that Take-Two: “(1) collected their biometric data without their informed consent; (2) disseminated their biometric data to others during game play without their informed consent; (3) failed to inform them in writing of the specific purpose and length of term for which their biometric data would be stored; (4) failed to make publicly available a retention schedule and guidelines for permanently destroying plaintiffs’ biometric data; and (5) failed to store, transmit, or protect from disclosure plaintiffs’ biometric data by using a reasonable standard of care or in a manner that is at least as protective as the manner in which it stores, transmits, and protects other confidential and sensitive information.”
Take-Two moved to dismiss the plaintiffs’ claims for lack of Article III standing and for failure to state a cause of action under the statute. The district court granted the motion.
On appeal, the panel first looked at the question of Article III standing. It focused on two issues.
“The first of these two issues — determining the scope and purpose of the procedural right provided by the statute — is a question of law.” Katz v. Donna Karan Co., L.L.C., 872 F.3d 114 (2d Cir. 2017). “The second issue — whether a bare procedural violation presents a material risk of harm to a concrete interest — ‘may raise either a question of law or a question of fact, depending on the sources the parties rely on in their pleadings.”
“The parties do not materially dispute the first issue of our inquiry,” wrote the panel. “The plaintiffs concede that BIPA is implicated only if their biometric data is collected or disseminated without their authorization or if a procedural violation creates a material risk of such an outcome, which is essentially the same as Take-Two’s position. We accordingly assume, without deciding, that BIPA’s purpose is to prevent the unauthorized use, collection, or disclosure of an individual’s biometric data.
“We further conclude, pursuant to the second step of our inquiry, that none of the alleged procedural violations here raise a material risk of harm to this interest. Although the plaintiffs allege that Take-Two collected and disclosed their biometric data without their authorization, there is no dispute that Take-Two informed them that the MyPlayer feature required a ‘face scan’ that would be visible to other players during online gameplay. This terminology is sufficient to meet BIPA’s mandates under the circumstances here. The statute requires that private entities ‘inform the subject . . . in writing that a biometric identifier . . . is being collected or stored,’ 740 Ill. Comp. Stat. Ann. 14/15(b)(1), and defines a ‘biometric identifier,’ among other things, as a ‘scan of . . . face geometry,’ id. § 14/10. Thus, to the extent that Take-Two departed from BIPA’s requirements, it only did so insofar as it omitted the term, ‘geometry.’
“No reasonable person, however, would believe that the MyPlayer feature was conducting anything other than such a scan. The plaintiffs had to place their faces within 6 to 12 inches of the camera, slowly turn their heads to the left and to the right, and do so for approximately 15 minutes. This degree of invasiveness far exceeded that of a simple photo, and plaintiffs do not plausibly assert (beyond a mere conclusory allegation) that they would have withheld their consent had Take-Two included the missing term.
“Take-Two’s alleged violations of BIPA’s notice provisions similarly fail to raise a material risk of harm. The plaintiffs allege that Take-Two did not inform them of the duration that it would hold their biometric data, as BIPA requires. See 740 Ill. Comp. Stat. Ann. 14/15(a). However, the plaintiffs have not shown that this violation, if true, presents a material risk that their biometric data will be misused or disclosed. The plaintiffs have not alleged that Take-Two has not or will not destroy their biometric data within the period specified by the statute, and accordingly have alleged only a bare procedural violation. Likewise, although Take-Two did not notify the plaintiffs of its ‘retention schedule and guidelines for permanently destroying [their] biometric [data],’ id., plaintiffs do not allege that Take-Two lacks such protocols, that its policies are inadequate, or that Take-Two is unlikely to abide by its internal procedures. There is accordingly no material risk that Take-Two’s procedural violations have resulted in plaintiffs’ biometric data being used or disclosed without their consent. See Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1550, 194 L. Ed. 2d 635 (2016) (observing that a credit reporting agency’s failure to notify a user of the agency’s consumer information would not confer standing where ‘that information . . . [is] entirely accurate’).”
The panel did note that Take-Two’s alleged violations of BIPA’s data security provisions “raise a somewhat thornier issue. BIPA requires entities to use the ‘reasonable standard of care within [their] industry’ to protect the biometric data in their possession and to store and transmit such data in a manner that is as ‘protective’ as that in which they handle ‘other confidential and sensitive information.’ 740 Ill. Comp. Stat. Ann. 14/15(e). The plaintiffs allege that Take-Two violated these provisions by ‘transmit[ting] . . . unencrypted scans of face geometry via the open, commercial Internet, and not a secure network such as a virtual private network,’ and ‘stor[ing] [p]laintiffs’ face templates in a manner that associates their identity with their biometric data.’ App. 27.
“Although Take-Two asserts that violations of such prophylactic measures confer standing only where there has been a data breach, we do not need to make such a wide-sweeping conclusion. Despite multiple opportunities to amend their pleadings, plaintiffs have failed to allege that Take-Two’s alleged violations have raised a material risk that their biometric data will be improperly accessed by third parties. They therefore have failed to show a ‘risk of real harm’ sufficient to confer an injury-in-fact. See Spokeo, 136 S. Ct. at 1549.
We lastly find unpersuasive plaintiffs’ attempt to manufacture an injury. The plaintiffs assert that ‘a consumer deprived of BIPA’s procedural protections is likely to be deterred from using . . . biometrics to authorize transactions in the future,’ and that they similarly have ‘refrained from participating in biometric transactions facilitated by, among other things, scans of face geometry.’ The plaintiffs’ fear, without more, is insufficient to confer an Article III injury-in-fact. While it is true that BIPA’s legislative findings identify consumers’ withdrawal from biometric-facilitated transactions as a problem, they clarify that this issue arises only where a consumer’s biometric data has been ‘compromised,’ i.e., collected or disclosed without his or her authorization. 740 Ill. Comp. Stat. 14/5(c). Because the plaintiffs have failed to establish that Take-Two’s procedural violations have created a material risk that this will occur, they cannot now leapfrog this obligation by imposing an injury upon themselves.”
Hadit Santana et al. v. Take-Two Interactive Software, INC.; 2nd Cir.; No. 17-303, 2017 U.S. App. LEXIS 23446; 11/21/17
Attorneys of Record: (for plaintiffs-appellants) FRANK HEDIN (John C. Carey, on the brief), Carey, Rodriguez, Milian, Gonya, LLP, Miami, FL. (for defendant-appellee) VICTOR JIH (Robert M. Schwartz, Nathaniel Lipanovich, Molly Russell, Derek R. Flores, on the brief), Irell & Manella LLP, Los Angeles, CA.