Rivera v. Google, Inc.
Filing
207
MEMORANDUM Opinion and Order signed by the Honorable Edmond E. Chang on 12/29/2018. This is the public redacted version of the opinion. For the reasons stated in the Opinion, Defendant Google's motion 151 for summary judgment is granted. The case is dismissed for lack of subject matter jurisdiction, because Plaintiffs have not alleged an injury-in-fact. The status hearing of 01/22/2019 is vacated. A separate AO-450 judgment will be entered. Civil case terminated. Mailed notice (cn).
UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION
LINDABETH RIVERA and JOSEPH WEISS, on
behalf of themselves and all others similarly
situated,
Plaintiffs,
v.
GOOGLE, INC.,
Defendant.
)
)
)
)
)
)
)
)
)
)
)
No. 16 C 02714
Judge Edmond E. Chang
MEMORANDUM OPINION AND ORDER
Under the Illinois Biometric Privacy Act, a private entity cannot collect or store
certain kinds of biometric information, including face-geometry scans, without first
obtaining consent or providing certain disclosures. 740 ILCS 14/1 et seq. Plaintiffs
Lindabeth Rivera and Joseph Weiss both allege that Google unlawfully collected,
stored, and exploited their face-geometry scans via Google Photos, a cloud-based
service.1 R. 63, Second Am. Compl. ¶¶ 4-5, 28-30, 33-36, 38-39, 42-45, 57-60, 67-70;
1The
Court has diversity jurisdiction over Rivera’s and Weiss’s state-law claims under
28 U.S.C. § 1332. Rivera and Weiss are citizens of Illinois. R. 63, Second Am. Compl. ¶¶ 7-8.
Google is a citizen of Delaware (its place of incorporation) and California (its principal place
of business). Id. ¶ 9. Although Google, Inc. has since reorganized from a corporation to a
limited liability company, FCC Report. No. SCL-00205 (Nov. 24, 2017), “the jurisdiction of
the court depends upon the state of things at the time of the action brought,” Grupo Dataflux
v. Atlas Glob. Grp., L.P., 541 U.S. 567, 570 (2004) (quotation omitted).
The amount in controversy requirement is also satisfied. The aggregate claims of the
potential class (which would number in the thousands of members) could possibly equal or
exceed $5,000,000, exclusive of interest and costs. 28 U.S.C. § 1332(d)(6). Even setting aside
the class allegation, it is not “legally impossible” for either Weiss or Rivera alone to recover
more than $75,000 in this action. Back Doctors Ltd. v. Metro. Prop. & Cas. Ins. Co., 637 F.3d
see also R. 167, Pl.’s Resp. Br. at 1-3.2 Google now moves for summary judgment on
all of Plaintiffs’ claims against it, arguing that Plaintiffs cannot establish Article III
standing; Plaintiffs are not “aggrieved” within the meaning of the Act; and Plaintiffs
are not entitled to monetary or injunctive relief under the Act because they have
suffered no harm.3 R. 151, Def.’s Mot. Summ. J.
For the reasons discussed below, Plaintiffs have not suffered an injury
sufficient to establish Article III standing and their claims are dismissed. Because
the Court lacks subject matter jurisdiction over Plaintiffs’ claims, the Court need not
consider Google’s other arguments.
I. Background
In deciding Google’s motion for summary judgment, the Court views the
evidence in the light most favorable to Plaintiffs, the non-moving parties. Matsushita
Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 587 (1986). Google Photos is a
free, cloud-based service for organizing and sharing photographs. R. 153, Def. SOF
¶ 7; R. 167-1, Pls. Resp. Def. SOF ¶ 10. When a user uploads a photo to Google Photos,
Google Photos detects images of faces, then creates a face template, represented by
827, 830 (7th Cir. 2011) (amount-in-controversy requirement satisfied unless it is “legally
impossible” for a plaintiff to recover that amount).
2Citations to the record are noted as “R.” followed by the docket number and the page
or paragraph number.
3The parties agreed to defer argument on and resolution of other issues, such as
liability under the Act (whether face templates qualify as “biometric identifiers” or “biometric
information” under the Act, and whether Google provided sufficient disclosures or obtained
sufficient consent), Google’s defense under the Dormant Commerce Clause, whether the Act
applies extraterritorially, and choice of law. R. 137, Joint Status Report 03/28/18; see also R.
152, Def.’s Br. at 4 n.2. Where relevant, the Court will note when it is assuming certain facts
in favor of Plaintiffs for the purposes of this Opinion, even though Google has not conceded
the issue outside of the motion under consideration.
2
. Def. SOF ¶¶ 1315. Google uses these face templates to compare the visual similarity of faces within
Google Photos users’ private accounts, id. ¶ 15, and then groups photographs with
visually similar faces and displays the groups (called “face groups”) to the users’
private account, id. ¶ 9. Google Photos’ face-recognition feature automatically
defaults to “on” and is applied to every photo uploaded to the service unless the user
opts out. Pls. Resp. Def. SOF ¶¶ 8, 10. The technology also can be applied to photos
on the user’s phone if “Private Face Clustering” is enabled. Id. ¶ 10. Google Photos
users can assign a label (for example a name or title) to any face groups in their
private accounts. Def. SOF ¶ 18. These face labels are private to individual users’
accounts and are visible only to that user and to Google.4 Id. ¶ 20. Google does not
use the face templates it creates for anything other than organizing photographs in
users’ Google Photos accounts.5 Id. ¶ 59.
4Plaintiffs
dispute this, contending that “[l]abels, face templates, and all associated
data in Google Photos are accessible to Google, its personnel, and to any party that Google
permits to access such data.” Pls. Resp. Def. SOF ¶ 20 (citing R. 153-3, Porter Decl. ¶¶ 4-10).
But Porter’s declaration states that the Plaintiffs’ face templates are private to their
accounts, and that the labeled face group of Rivera has not been “disclosed to anyone outside
of Google.” Porter Decl. ¶¶ 6-7. And Plaintiffs do not dispute that “[t]here is no evidence that
the … face labels from the photographs of [Plaintiffs] … have been shared outside of Google.”
Pls. Resp. Def. SOF ¶ 52. There is no genuine dispute of material fact that face labels are
visible only to the user and Google.
5Plaintiffs also dispute this, and argue that “the facial recognition … can be monetized
by Google.” Pls. Resp. Def. SOF ¶ 59; R. 167-1, Pls. Statement Add. Facts ¶ 6. As discussed
in more depth below, the only evidence offered by Plaintiffs shows that Google might use this
technology to mine data or target advertisements in the future. Pls. Resp. Def. SOF ¶ 59; Pls.
Statement Add. Facts ¶ 6. Although that sort of use without obtaining the proper consent
might very well constitute a concrete injury, Plaintiffs provide no evidence that Google has
engaged in those practices with respect to Plaintiffs’ face templates or photographs.
3
Weiss is a Google Photos user, Def. SOF ¶ 24, and the face-grouping feature in
his account was defaulted to “on” until he turned it off sometime in mid-December
2017, Pls. Resp. Def. SOF ¶ 25. There are 53 photographs of Weiss that form the basis
of his claim. Def. SOF ¶ 26. At least 16 of them were taken after he filed his complaint
on March 4, 2016, but before he turned off the face-grouping feature. Id. ¶ 27. Weiss’s
Google Photos account, which is associated with his face template, is also associated
with his Gmail account. Pls. Resp. Def. SOF ¶ 53. On the other hand, Rivera is not a
Google Photos user, Def. SOF ¶ 31, but her friend Blanca Gutierrez is,6 id. ¶¶ 32-33.
The face-grouping feature was defaulted to “on” in Gutierrez’s Google Photos account.
Pls.’ Resp. Def. SOF ¶ 34. There are at least 27 photos of Rivera taken by Gutierrez
and uploaded to Gutierrez’s Google Photos account that form the basis for Rivera’s
claim. Id. ¶¶ 35-36. At least 10 of the photographs of Rivera uploaded to Gutierrez’s
Google Photos account were taken after Rivera filed her complaint. Def. SOF ¶ 38.
Gutierrez labeled a face group in her account as “LindaBeth Rivera.” Id. ¶ 44. Apart
from Weiss’s Gmail account and Gutierrez’s labelled face group, Plaintiffs’ face
templates are not associated with other identifying information, such as their social
security numbers or credit card information. Pls. Resp. Def. SOF ¶¶ 53-54. Google
did not have permission from Plaintiffs to capture, store, or use face scans of
Plaintiffs.7 Pls. Statement Add. Facts ¶ 2.
6Ms.
Gutierrez is not a party to this action. Def. SOF ¶ 32.
disputes whether it obtained consent or provided notice in compliance with
the Act, 740 ILCS 14/15. R. 179-1, Def. Resp. Pls. Statement Add. Facts ¶ 2. As noted earlier,
resolution of that issue was deferred to after the resolution of this motion. Id.; Joint Status
Report 03/28/18. For the purposes of this motion, the Court assumes that Google did not
obtain sufficient consent.
7Google
4
Weiss and Rivera both claim injury to their privacy interests, but testified that
they did not suffer any financial, physical, or emotional injury apart from feeling
offended by the unauthorized collection. R. 179-1, Def. Resp. Pls. Statement Add.
Facts. ¶¶ 3-4. Weiss testified that he would not have given consent to collect his face
template if Google had asked him to do so, although he was not sure if he would have
stopped using Google Photos altogether. Pls. Resp. Def. SOF ¶ 29. The face templates
and face groups associated with Weiss’s and Gutierrez’s Google Photos accounts are
private, and there is no evidence of any unauthorized access into the accounts. Def.
SOF ¶¶ 49-50.
II. Standard
Summary judgment must be granted “if the movant shows that there is no
genuine dispute as to any material fact and the movant is entitled to judgment as a
matter of law.” Fed. R. Civ. P. 56(a). A genuine issue of material fact exists if “the
evidence is such that a reasonable jury could return a verdict for the nonmoving
party.” Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). In evaluating
summary judgment motions, courts must view the facts and draw reasonable
inferences in the light most favorable to the non-moving party. Scott v. Harris, 550
U.S. 372, 378 (2007). The Court may not weigh conflicting evidence or make
credibility determinations, Omnicare, Inc. v. UnitedHealth Grp., Inc., 629 F.3d 697,
704 (7th Cir. 2011), and must consider only evidence that can “be presented in a form
that would be admissible in evidence.” Fed. R. Civ. P. 56(c)(2). The party seeking
summary judgment has the initial burden of showing that there is no genuine dispute
5
and that they are entitled to judgment as a matter of law. Carmichael v. Village of
Palatine, 605 F.3d 451, 460 (7th Cir. 2010); see also Celotex Corp. v. Catrett, 477 U.S.
317, 323 (1986); Wheeler v. Lawson, 539 F.3d 629, 634 (7th Cir. 2008). If this burden
is met, the adverse party must then “set forth specific facts showing that there is a
genuine issue for trial.” Anderson, 477 U.S. at 256.
III. Analysis
Google argues that this Court lacks subject matter jurisdiction over this case
because Plaintiffs have not shown they have suffered concrete injuries sufficient to
satisfy Article III standing, and even if Plaintiffs could establish concrete injuries,
those injuries were not caused by Google’s conduct. Standing requires that a plaintiff
“(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of
the defendant, and (3) that is likely to be redressed by a favorable judicial decision.”
Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016) (citations omitted). Predictably,
the parties dispute how the Court should apply the Supreme Court’s most recent
pronouncement on the injury-in-fact requirement, Spokeo v. Robins, so it is worth
examining that opinion before delving into the facts of this case.
A. Spokeo
A plaintiff can, in some instances, satisfy the concrete-injury requirement of
Article III absent actual monetary damages. But in those cases, federal courts must
carefully ensure that the concrete-injury requirement is still met. In Spokeo, the
plaintiff alleged that an online personal-information publisher violated the Fair
Credit Reporting Act by publishing inaccurate information about him. 136 S. Ct. at
6
1546. The website got several things wrong, incorrectly reporting that “he is married,
has children, is in his 50’s, has a job, is relatively affluent, and holds a graduate
degree.” Id. But despite these mistakes, the plaintiff did not allege that he suffered
any actual monetary harm. Id. at 1546, 1550. Even without that allegation, the
Supreme Court reiterated that the concrete-injury requirement can be satisfied even
if the injury is not tangible. Id. at 1549. The Court explained, “[a]lthough tangible
injuries are perhaps easier to recognize, we have confirmed in many of our previous
cases that intangible injuries can nevertheless be concrete.” Id. (emphasis added).8
In determining which intangible injuries are sufficient to confer standing and
which are not, Spokeo set out basic principles: a “bare procedural violation” of a
statute is not automatically enough to satisfy Article III’s concreteness requirement.
136 S. Ct. at 1549. To be sure (and as Plaintiffs here discuss in detail), “[i]n
determining whether an intangible harm constitutes injury in fact, both history and
the judgment of Congress play important roles.” Id. When Congress has created a
cause of action for a statutory violation, by definition it has created a legally protected
interest that Congress, at least, deems important enough for a lawsuit. Going beyond
federal statutes, the Seventh Circuit has recognized the importance of state
legislative judgments as well. See Scanlan v. Eisenberg, 669 F.3d 838, 845 (7th Cir.
2012) (noting the importance of federal congressional judgments and reasoning “the
8At
the same time, concreteness is indeed a requirement that is separate and apart
from the Article III requirement that the injury be “particularized” to the individual plaintiff.
Spokeo, 136 S. Ct. at 1548. Specifically, “[t]o establish injury in fact, a plaintiff must show
that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and
particularized.’” Id. at 1548 (emphasis added) (quoting Lujan v. Defs. of Wildlife, 504 U.S.
555, 560 (1992)).
7
same must also be true of legal rights growing out of state law”) (cleaned up).9 Spokeo
explained that the legislative branch, with its fact-finding ability and responsiveness
to public interest, “is well positioned to identify intangible harms that meet minimum
Article III requirements,” so Congress’s (or the state legislature’s) judgment on the
nature of the injury is “instructive and important.” 136 S. Ct. at 1549. Still, “Congress’
role in identifying and elevating intangible harms does not mean that a plaintiff
automatically satisfies the injury-in-fact requirement whenever a statute grants a
person a statutory right … . Article III standing requires a concrete injury even in
the context of a statutory violation.” Id. (emphasis added).
Spokeo also announced the principle that the risk of harm sometimes is enough
to satisfy concreteness. 136 S. Ct. at 1549. To illustrate this point, the Supreme Court
offered both a historical example and a statute-based example. From history and the
common law, Spokeo noted that common law defamation cases have long allowed
plaintiffs to sue even though their actual damages are difficult to prove. Id. From
Congress, Spokeo cited two information-rights cases, Federal Election Comm’n v.
Akins, 524 U.S. 11, 20-25 (1998), and Pub. Citizen v. U.S. Dep’t of Justice, 491 U.S.
440, 449 (1989), both of which involved plaintiffs who sought information that
Congress had decided to make available to the public. Spokeo, 136 S. Ct. at 1549-50.
There was no particular substantive standard of conduct set by the pertinent
provisions of the information-access statutes involved in those cases. Indeed, Public
9This
Opinion uses (cleaned up) to indicate that internal quotation marks, alterations,
and citations have been omitted from quotations. See Jack Metzler, Cleaning Up Quotations,
18 Journal of Appellate Practice and Process 143 (2017).
8
Citizen cited to prior cases involving the Freedom of Information Act, and declared,
“Our decisions interpreting the Freedom of Information Act have never suggested
that those requesting information under it need show more than that they sought
and were denied specific agency records.” Pub. Citizen, 491 U.S. at 449 (citing cases).
These procedural-rights-only cases led Spokeo to explain that “the violation of a
procedural right granted by statute can be sufficient in some circumstances to
constitute injury in fact. In other words, a plaintiff in such a case need not allege any
additional harm beyond the one Congress identified.” 136 S. Ct. at 1549 (emphasis
in original).
Applying these principles to this case, with the aid of more recent Seventh
Circuit cases, it is clear that Google’s retention of Plaintiffs’ unique face templates
did not cause them a concrete injury for Article III standing purposes. The more
difficult question is whether the creation of the face templates constitutes an injuryin-fact on its own. But that too falls short of satisfying Article III’s concreteness
requirement.
B. Retention of Face Scans
First up is Plaintiffs’ claim that Google retained or stored their face templates
in violation of the Act.10 The Act requires that any private entity in possession of
biometric information or identifiers must develop and make available to the public a
retention schedule and guidelines for destroying that information, 740 ILCS 14/15(a),
10As
noted earlier, for the purposes of deciding this motion, the Court assumes that
the face templates are “biometric identifiers” under the Act, 740 ILCS 14/10, and that Google
did not provide disclosures or obtain the consent as required by the Act, id. § 14/15.
9
and provides certain standards for storing, transmitting, and protecting the
information, id. § 14/15(e). By not providing the required disclosure or obtaining the
required consent, Plaintiffs argue that Google violated their right to control their own
biometric identifiers and information, which Plaintiffs assert is a right of privacy.
Pls.’ Resp. Br. at 3-4 (citing Pls. Statement Add. Facts ¶ 3 (quoting Weiss Dep. Tr. at
176:21-177:2 (“I believe that my biometric information or identifier is very sensitive.
I think it’s akin to my DNA, to a fingerprint. To have that stored, collected, is, again,
that in and of itself, when done so against my consent or without my consent, it’s a
damage, I think.”)); Pls. Statement Add. Facts ¶ 4 (citing Rivera Dep Tr. at 78:1014)); R. 166-2, Exh. B, Rivera Dep Tr. at 59:15-19 (“Google is putting me at risk for
potential hackers. … I feel like it’s putting me—pretty much my identity in danger.”);
id. at 61:8-9 (“I feel like my identity was harmed so that is my property.”).
The Seventh Circuit has definitively held that retention of an individual’s
private information, on its own, is not a concrete injury sufficient to satisfy Article III.
Gubala v. Time Warner Cable, Inc., 846 F.3d 909, 912-13 (7th Cir. 2016). In Gubala,
a cable subscriber alleged that Time Warner Cable had unlawfully retained
information that he had provided—including his date of birth, address, phone
number, and social security number—in violation of the Cable Communications
Policy Act. Id. at 910. The Seventh Circuit acknowledged that there would be “a risk
of harm” if Time Warner had “given away or leaked or lost any of his personal
information or ... ha[d] the information stolen from it.” Id. (emphasis in original). But
there were no facts suggesting that the information had been further disclosed or that
10
there truly was a risk of disclosure. Id. at 910-11. So even though the statute was
violated, Gubala held that mere retention of an individual’s personal data (without
disclosure or risk of disclosure) was insufficient to confer Article III standing. Id. at
912-13. Yes, the subscriber did “feel aggrieved,” but that by itself did not cause him a
concrete injury. Id. at 911 (emphasis in original); see also Groshek v. Time Warner
Cable, Inc., 865 F.3d 884, 886-87, 889 (7th Cir. 2017) (plaintiff lacked standing to sue
for a violation of the Fair Credit Reporting Act where the defendant obtained a credit
report without providing the required disclosures; although the defendant’s action
violated plaintiff’s privacy, it was merely a “statutory violation completely removed
from any concrete harm or appreciable risk of harm”).
Setting aside how Google obtained Plaintiffs’ face templates (which will be
addressed in the following section), Plaintiffs have not offered evidence about the
retention of their face templates that overcomes the obstacle in Gubala. Plaintiffs do
not dispute that: their face templates have not been shared with other Google Photos
users or with anyone outside of Google itself; there has not been any unauthorized
access to the accounts or data associated with their face templates or face groups; and
hackers have not obtained their data. Pls. Resp. Def. SOF ¶¶ 49-52. In other words,
all that Plaintiffs can point to on the issue of retention is a privacy concern that
Gubala holds is insufficient to satisfy Article III’s concrete-injury requirement.
To demonstrate a heightened risk of harm, Plaintiffs filed a notice of
supplemental information, with an accompanying news article and a Google blog
entry, reporting that a software bug gave outside developers access to the data of
11
around 500,000 Google+ users between 2015 and March 2018. R. 203, Exh. A,
10/08/18 WSJ Article; id., Exh. B, 10/08/18 Project Strobe Blog. Google+ is another
Google product, distinct from Google Photos. According to Plaintiffs, the exhibits
show that Google decided not to disclose the issue to avoid regulatory scrutiny and
reputational damage. Id. More recently, Plaintiffs filed another notice, which reports
yet another software bug that compromised the private information of around 52½
million Google+ users, which Google again kept quiet for about a week before
disclosing. R. 204, Exh. A, 12/10/18 The Keyword Blog. Even assuming, as is
appropriate at summary judgment, that these breaches happened and that Google
failed to disclose them fast enough, these disclosures have little bearing on the facts
of this case. None of the disclosures pertain to the accounts of Google Photos users,
nor is there any evidence of a connection between the disclosures of Google+ account
data to Google Photos accounts or data. Id. So this newly presented information does
not create a genuine dispute undermining Google’s argument that “[t]here is no
evidence of any unauthorized access to the Google Photos accounts and related data
of Weiss and Gutierrez,” Def. SOF ¶ 50 (emphasis added), nor is there “evidence that
the face templates, face groups, or face labels from the photographs of Weiss and
Rivera in Weiss and Gutierrez’s Google Photos accounts, respectively, have been
shared outside of Google.” Id. ¶ 52 (emphasis added).11
11Although
neither party discusses Google Photo Application Programming Interfaces
(APIs), it appears that there are APIs for Google Photos. See R. 166-2, Maya Decl., Exh. H
(email from Google employee thanking a person from “PM Mobile Vision APIs/Platform” for
help with improving FaceNet technology); see also https://developers.google.com/photos/
(website for Google Photos APIs). “Google makes user data available to outside developers
through more than 130 different public channels known as application programming
12
When a plaintiff relies on a risk of future harm to satisfy Article III’s injury
requirement, the plaintiff must establish, at the very least, a “substantial risk” that
the future harm will occur. Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 n.5
(2013). The circumstances underlying the Google+ data breach do not come close to
the kinds of situations in which the risk of future harm satisfies Article III
concreteness requirements. Compare Lewert v. P.F. Chang’s China Bistro, Inc., 819
F.3d 963, 968-69 (7th Cir. 2016) (hackers already had breached the defendant’s
database and stolen customers’ payment-card information, so the risk of identity theft
and the precautions customers took to mitigate the risk constituted a concrete injury)
and Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015) (same),
with In re VTech Data Breach Litig., 2017 WL 2880102, at *4-5 (N.D. Ill. July 5, 2017)
(a hacker accessed and copied plaintiffs’ data—including names, addresses, and
birthdates—from defendant’s online communication platform connected to a
children’s game, but because plaintiffs did not plausibly allege that the disclosure of
that data increased their risk of identity theft or fraudulent transactions, they lacked
standing). It is true that the Illinois legislature has concluded that identity theft of
interfaces, or APIs.” 10/08/18 WSJ Article at 2. But the mere existence of APIs does not mean
that, without a bug, Google was sharing photos or face templates with outside parties, since
APIs “usually require a user’s permission to access any information … .” Id. So Plaintiffs
could not rely on the mere existence of Google Photo APIs to confer standing (nor have they
done so in any filing).
The Google+ bugs affected Google+ APIs, so ostensibly a bug causing a data breach
could also affect a Google Photos API. But as noted above, there is no evidence that any such
bug has affected Google Photos or any Google Photos APIs, so any such harm is purely
speculative. That said, if Google is aware of any bug or data breach to any Google Photos API
or Google Photos itself, it should have already reported them to Plaintiffs (as supplemental
discovery) and to the Court (in a supplemental filing), and must do so immediately if a Google
Photos breach occurred.
13
biometric information poses an additional harm beyond theft of other personal
identifiers: it is not as easy to change biometric information as it is to get a new social
security number or a new credit card number, see 740 ILCS 14/5(c) (“Biometrics are
unlike other unique identifiers that are used to access finances or other sensitive
information … once compromised, the individual has no recourse … .”). But Plaintiffs
here have not offered enough evidence, even when viewed in their favor,
demonstrating a substantial risk that their own information will be disseminated to
anyone outside of Google. The Google+ data breach does not support Article III
standing.
With regard to the retention violation, all Plaintiffs are left with is their
testimony that they felt their privacy rights were violated, but “feel[ing] aggrieved,”
without more, does not establish a concrete injury. Gubala, 846 F.3d at 911, 913.
Plaintiffs’ retention claims must be dismissed for lack of Article III standing.
C. Collection of Face Scans
The much closer question on standing is whether Plaintiffs suffered a concrete
injury arising from Google’s creation of their face templates without their
knowledge.12 Viewing the facts in the light most favorable to Plaintiffs, they did not
know Google created their face templates based on the photos of Plaintiffs’ faces
uploaded to Google Photos. See Pls. Resp. Def. SOF ¶ 29 (quoting Weiss Dep. Tr. at
171:21 (“I would not have consented if I had known that biometric information was
12To
be crystal clear, the Court reiterates that it is assuming for purposes of this
Opinion that Plaintiffs’ face templates are biometric identifiers or information as defined by
the Act, 740 ILCS 14/10, and that Google did not provide the required disclosures or obtain
the required consent, id. § 14/15.
14
being gathered, collected, stored.”)); Pls. Statement of Add. Facts ¶ 2 (quoting Rivera
Dep. Tr. at 9:9-13 “[Ms. Gutierrez] stated that if I was aware that Google had this
face recognition where they were using biometric information, which is a template of
my face, so whenever my phot[o]s were taken with her device, they were
automatically uploaded. I was then upset, very angry at the fact that they were taken
without my consent and I didn’t have any control as to whether or not they were able
to be used.”)).
Gubala does not directly answer this issue because here Plaintiffs did not know
that their face templates were being created by Google. Google argues otherwise,
contending that “[i]t makes no difference that Gubala referred to ‘retention’ of data,
while Google here is alleged to have impermissibly obtained and retained the face
templates.” Def.’s Br. at 11. But Gubala did not merely “refer” to retention of private
information—instead, retention was the limit of the holding, because the cable
subscriber knew that Time Warner had his information. In fact, the subscriber
himself provided the information when signing up for cable service. 846 F.3d at 910.
The same fact—that the plaintiffs knew or should have known that their biometric
information was being collected by the defendant—also distinguishes other district
court cases relied on by Google. See, e.g., Howe v. Speedway LLC, 2018 WL 2445541,
at *6 (N.D. Ill. May 31, 2018) (plaintiff’s “fingerprints were collected in circumstances
under which any reasonable person should have known that his biometric data was
being collected.”); Vigil v. Take-Two Interactive Software, Inc., 235 F. Supp. 3d 499,
515 (S.D.N.Y. 2017), aff’d in relevant part, vacated in part, remanded sub
15
nom. Santana v. Take-Two Interactive Software, Inc., 717 F. App’x 12 (2d Cir. 2017)
(“The allegations show that the plaintiffs, at the very least, understood that TakeTwo had to collect data based upon their faces in order to create the personalized
basketball avatars, and that a derivative of the data would be stored in the resulting
digital faces of those avatars so long as those avatars existed.”). Here, Plaintiffs did
not knowingly place their finger on a fingerprint scanner (as in Howe) or stare upclose at a camera for about 15 minutes while a camera scanned their face and heads
(as in Vigil, 235 F. Supp. 3d at 505). Instead, they merely took pictures of themselves
(or allowed them to be taken), which then were automatically uploaded to Google
Photos where their face template was created. So Gubala, Howe, and Vigil are not
directly on point when evaluating the extent of the privacy intrusion of Google Photos.
On the flip side, however, recent cases that have found Article III standing
where the plaintiff did not know of the collection of biometric information are
themselves also not directly on point, because in those cases the information was then
disclosed to a third-party. In two recent cases, plaintiffs have successfully shown
injury-in-fact because the defendant disclosed a fingerprint scan to a third-party
without informing the plaintiff or obtaining the plaintiff’s consent. See Miller v. Sw.
Airlines Co., 2018 WL 4030590, at *3 (N.D. Ill. Aug. 23, 2018); Dixon v. Washington
& Jane Smith Cmty.-Beverly, 2018 WL 2445292, at *10 (N.D. Ill. May 31, 2018).
Although the opinions included dicta suggesting that collection of biometric data
without the plaintiff’s knowledge can constitute a concrete risk of harm, ultimately
the courts relied on both the absence of consent in collection of the fingerprint and
16
the later disclosure of the fingerprint without consent Miller, 2018 WL 4030590, at
*3 (“A violation of [the Act’s] notice and consent provisions does not create a concrete
risk of harm to a plaintiff’s right of privacy in his or her biometric data unless the
information is collected or disseminated without the plaintiff’s knowledge or consent.”)
(emphasis added); Dixon, 2018 WL 2445292, at *9 (“Obtaining or disclosing a person’s
biometric identifiers or information without her consent or knowledge necessarily
violates that person’s right to privacy in her biometric information.”) (emphasis
added). As discussed earlier, Plaintiffs concede that their face templates have not
been shared—and there is no showing that there is an imminent risk that they will
be shared—with anyone outside of Google. Pls. Resp. Def. SOF ¶¶ 47, 49-52. So the
two district-court decisions are not directly applicable to this case.
As the parties discuss in detail, the most factually analogous case is Patel v.
Facebook Inc., 290 F. Supp. 3d 948 (N.D. Cal. 2018).13 In Patel, the plaintiffs alleged
that Facebook applies facial-recognition software to pictures uploaded by users, and
then creates and stores face templates based on geometric relationships of facial
features—all without users’ consent. Id. at 951. The plaintiffs did not allege any
injury (such as emotional distress, physical harm, dissemination to a third-party, or
adverse employment impacts) beyond the violation of the Act’s notice-and-consent
requirements. Id. at 951, 954; see also Amend. Compl., In re Facebook Biometric Info.
Privacy Lit., No. 3:15-cv-03747, R. 40 (N.D. Cal. Aug. 28, 2015). The district court
13On
May 29, 2018, the Ninth Circuit granted Facebook’s petition for interlocutory
appeal of the district court’s order granting class certification. Patel v. Facebook, Inc., USCA
No. 18-15982 (9th Cir. May 30, 2018). No oral argument has been scheduled yet.
17
denied Facebook’s motion to dismiss for lack of standing, holding that the plaintiffs
had sufficiently alleged a concrete injury to satisfy Article III based solely on the
violation of the Act. Patel, 290 F. Supp. at 956.
Patel placed great weight on the legislative findings and intent underlying the
Act, and indeed (and as discussed above) Spokeo does instruct courts to respect
legislative judgments in identifying intangible harms. As recounted by Patel, the
Illinois legislature found that (1) biometrics are uniquely sensitive and when
compromised, put individuals at a heightened risk for identity theft; (2) biometric
technology is cutting edge, and “[t]he full ramifications of biometric technology are
not fully known”; (3) the public is “weary”14 of using biometrics when tied to personal
information; and (4) regulating biometric collection, use, and storage serves the public
interest. Id. at 953 (citing 740 ILCS 14/5(b)-(e), (g)). The district court reasoned that
these legislative findings, combined with the notice-and-consent requirements
(among other requirements of the Act), left “little question that the Illinois legislature
codified a right to privacy in personal biometric information” and that the legislature
determined “that a violation of [the Act’s] procedures would cause actual and concrete
harm.” Id.
Because a statutory violation is not necessarily enough for Article III standing,
it is important to discern exactly on what grounds Patel relied for finding concrete
harm. Patel appears to rely on two specific points: first, as the Illinois legislature
found, biometric information “cannot be changed if compromised or misused.” Id. at
14
It is possible that the word “weary” in the Act, 740 ILCS 14/5(d), was intended to be
“wary.”
18
954. So when there is a violation of the Act, Patel asserted, “the right of the individual
to maintain her biometric privacy vanishes into thin air.” Id. Second, later in the
opinion, Patel distinguished two cases that had rejected standing under the Act. In
those two cases, the plaintiffs knew that their biometric information was being
collected by the defendants. Id. at 955 (discussing Vigil, 235 F. Supp. 3d at 513 (scans
of plaintiffs’ faces that took 15 minutes and required plaintiffs to consent by pressing
“continue” after reading a notice stating a “face scan” might be recorded); and
McCullough v. Smarte Carte, Inc., 2016 WL 4077108 (N.D. Ill. Aug 1, 2016) (plaintiffs
scanned their fingerprints to rent a locker)). Patel explained that the injuries there
were not sufficiently concrete because the plaintiffs “indisputably knew that their
biometric data would be collected before they accepted the services offered by the
businesses involved.” Patel, 290 F. Supp. 3d at 955. So Patel’s holding stands on two
pillars: the risk of identity theft arising from the permanency of biometric
information, as described by the Illinois legislature, and the absence of in-advance
consent to Facebook’s collection of the information. Id.
This is a close question, but even when drawing all inferences in Plaintiffs’
favor, neither pillar supports a finding of concrete injury. First, as discussed in detail
earlier, there is no evidence of a substantial risk that the face templates will result
in identity theft. It is true that if an unintended disclosure happens, then there are
few ways to change biometric information, and federal courts should follow the
legislature’s lead in considering that immutability in deciding what is a “substantial”
risk. But even taking that permanency into account does not justify an across-the-
19
board conclusion that all cases involving any private entity that collects or retains
individuals’ biometric data present a sufficient risk of disclosure that concrete injury
has been satisfied in every case.
On the second pillar of Patel, there is no legislative finding that explains why
the absence of consent gives rise to an injury that is independent of the risk of identity
theft. See 740 ILCS 14/5(a)-(g). Indeed, the only specific injury described by the Act’s
findings is the risk of identity theft, 740 ILCS 14/5(c), (d). The other findings only set
forth broad conclusions, like the “public welfare, security, and safety will be served”
and the “full ramifications of biometric technology are not fully known.” 740 ILCS
14/5(f), (g). The generality of the legislature’s findings is especially damning when
considering whether unconsented face scans are sufficiently concrete for Article III
purposes. Most people expose their faces to the general public every day, so one’s face
is even more widely public than non-biometric information like a social security
number. Indeed, we expose our faces to the public such that no additional intrusion
into our privacy is required to obtain a likeness of it, unlike the physical placement
of a finger on a scanner or other object, or the exposure of a sub-surface part of the
body like a retina. There is nothing in the Act’s legislative findings that would explain
why the injury suffered by Plaintiffs here—the unconsented creation of face
templates—is concrete enough for Article III purposes. As important and instructive
as legislative judgments are in evaluating intangible harms, the Act does not support
a finding that the concrete-injury requirement has been met in this case.15
15This
holding is limited to the specific circumstances of this case, which challenges
face scans. Likewise, this holding of course does not preclude the legislature from making
20
Moving on from legislative findings, Spokeo instructs courts to also examine
possible analogues to common law harms that historically have supported a finding
of Article III injury-in-fact. Spokeo, 136 S. Ct. at 1549 (“[I]t is instructive to consider
whether an alleged intangible harm has a close relationship to a harm that has
traditionally been regarded as providing a basis for a lawsuit in English or American
courts.”) In this case, Plaintiffs’ response brief outlines the historical development of
the right to privacy in American law, which was “fueled by social and technological
change.” Pls.’ Resp. Br. at 8. They argue that the Act directly follows from common
law privacy torts. Id. at 8-9. It is true that the alleged injury in this case need not
square on all fours with a common law privacy tort. Plaintiffs are correct that they
do not have to adequately state a claim under a common law tort; otherwise, they
would just pursue a common law claim, and Spokeo must have meant more than that
when it authorized claims for harms that bear a close relationship to common law
claims. Pls.’ Resp. Br. at 10; see also Whitaker v. Appriss, Inc., 229 F. Supp. 3d 809,
813 (N.D. Ind. 2017) (noting that the “close relationship” test does not require
“sameness”). At the same time, however, the common law tort must bear a close
relationship to the alleged injury in this case in order for the common law analogue
to be instructive. See Spokeo, 136 S. Ct. at 1549; see also Van Patten v. Vertical Fitness
Grp., LLC, 847 F.3d 1037, 1043 (9th Cir. 2017) (statutory violation led to “unsolicited
additional findings either now or in the future. It is not hard to imagine more concrete
concerns arising from facial-recognition technology, especially as it becomes more accurate
and more widespread (along with video-surveillance cameras) to the point that private
entities are able to use the technology to pinpoint where people have been over extended time
periods.
21
contact” and “disturb[ing of] solitude,” similar to nuisance tort); Robins v. Spokeo,
Inc., 867 F.3d 1108, 1114-15 (9th Cir. 2017) (statutory violation resulted in
“dissemination of false information,” similar to defamation tort).
To start, there are four well-established common law privacy torts: (a)
unreasonable intrusion upon someone’s seclusion; (b) appropriation of a person’s
name or likeness; (c) unreasonable disclosure of private facts; and (d) publicity that
unreasonably places the other in a false light. Restatement (Second) of Torts § 652A
(1977). Plaintiffs rightly do not argue that Google’s alleged conduct is anything like
the public disclosure of private facts or false-light invasion of privacy. Pls.’ Resp. Br.
at 8-10. That leaves intrusion on seclusion and appropriation of likeness.
Starting with intrusion on seclusion, the Second Restatement of Torts defines
this tort as a claim against someone “who intentionally intrudes, physically or
otherwise, upon the solitude or seclusion of another or his private affairs or concerns
… if the intrusion would be highly offensive to a reasonable person.” Restatement
(Second) of Torts § 652B (1977). The elements of the tort are “(1) an unauthorized
intrusion or prying into the plaintiff’s seclusion; (2) an intrusion that is highly
offensive or objectionable to a reasonable person; (3) that the matter upon which the
intrusion
occurs
is
private;
and
(4)
the
intrusion
causes
anguish
and
suffering.” Jacobson v. CBS Broad., Inc., 19 N.E.3d 1165, 1180 (Ill. App. Ct. 2014).
The third element, that the intrusion be upon a private matter, is a necessary
predicate for the other elements. Id. at 1181; see also Lovgren v. Citizens First Nat.
Bank of Princeton, 534 N.E.2d 987, 989 (Ill. 1989) (“[T]he core of this tort is the
22
offensive prying into the private domain of another.”) (emphasis added). It is this
element where the relationship between Plaintiffs’ alleged injury and this common
law tort breaks down.
First, Plaintiffs cannot show—and do not argue—that Google “intruded into a
private place” by receiving photographs of Plaintiffs voluntarily uploaded (by Weiss
or Gutierrez) to Google Photos. See Pls.’ Resp. Br. at 8-11; R. 60, Opinion 2/27/17 at
26 n.11 (“Neither side is arguing that for the purposes of the Privacy Act, Google
needed consent to upload the photographs to the cloud.”). Second, although Plaintiffs
argue that their faces are not public, Pls.’ Resp. Def.’s SOF ¶ 60 (disputing “that their
faces are public, not private.”), Plaintiffs’ only evidence to support that assertion is
deposition testimony in which they say that their facial biometrics are private
information. Id. (quoting Weis Dep. Tr. at 183:18-19 (“Looking [at someone’s face with
your eyes] and recording [someone’s face with biometric identifiers] are different, as
far as I understand.”); quoting Rivera Dep. Tr. at 45:15-19 (“[W]hen it’s taking my
biometric information, that’s sensitive information to me. That’s my personal
information.”)). Plaintiffs do not offer evidence to dispute that their faces are public—
just that their facial biometrics are. This is consistent with Fourth Amendment case
law that rejects an expectation of privacy in a person’s face. See United States v.
Dionisio, 410 U.S. 1, 14 (1973) (explaining that “[n]o person … can reasonably expect
that his face will be a mystery to the world,” and holding that an individual’s face,
when knowingly exposed—even in his own home or office—is not protected by the
Fourth Amendment) (citing Katz v. United States, 389 U.S. 347, 351 (1967)). Indeed,
23
Illinois courts have dismissed many intrusion-upon-seclusion claims that were
premised on photographs or videos for failure to satisfy the privacy element of the
tort. See Jacobson, 19 N.E. at 1181 (affirming dismissal where plaintiff was filmed on
“readily visible property” and the images of her revealed nothing that was “especially
private”); Schiller v. Mitchell, 828 N.E.2d 323, 326, 329 (Ill. App. Ct. 2005)
(defendants did not intrude upon plaintiffs’ seclusion by capturing surveillance video
of plaintiffs on their property, including within their garage, because passersby could
see the same things from different angles); see also Restatement (Second) of Torts
§ 652B cmt. c (there is no intrusion-upon-seclusion liability for “observing [a plaintiff]
or even taking his photograph while he is walking on the public highway, since he is
not then in seclusion, and his appearance is public and open to the public eye”). It
bears repeating that Plaintiffs need not satisfy the elements of a common law tort to
show Article III injury. But there is a wide gap between the alleged injury here—the
creation and retention of the face templates—and the privacy interest protected by
the intrusion-on-seclusion tort. All that Google did was to create a face template
based on otherwise public information—Plaintiffs’ faces. See Patel v. Zillow, Inc.,
2017 WL 3620812, at *10 (N.D. Ill. Aug. 23, 2017) (defendant did not intrude into
private matters when it created real-estate data derived from public information).
Another element of the intrusion-on-seclusion tort shows the disconnect
between the common law claim and this case: the creation of face templates is not a
“highly offensive” intrusion.16 As discussed earlier, the templates are based on
16Plaintiffs
argue that whether the creation of face templates was “highly offensive”
would “clearly be for a jury to decide at trial, not for the Court to decide at summary
24
something that is visible to the ordinary eye, that is, Plaintiffs’ faces. And the crux of
the tort is the intrusion itself, not what is done with the fruits of the intrusion (if
there are any fruits) later. In other words, “[t]he basis of the tort is not publication or
publicity.” Lovgren, 534 N.E.2d at 989 (emphasis added). So what Google did with the
photographs of Plaintiffs’ faces—that is, using them to create face templates—is
irrelevant when comparing this case to an intrusion-on-seclusion claim. In any event,
the record shows that Google only used the facial images to create face templates that
organize Plaintiffs’ photographs in private Google Photos accounts. Plaintiffs do not
present any evidence showing that Google commercially “exploited” their faces or the
face templates they created. Without more, Plaintiffs’ injury in this case does not bear
a close relationship to the tort of intrusion upon seclusion.17
That leaves the tort of appropriation of likeness. This common law tort protects
an individual’s “interest … in the exclusive use of his own identity, in so far as it is
represented by his name or likeness, and in so far as the use may be of benefit to him
or others.” Restatement (Second) of Torts § 652C cmt. a (1977).18 This interest is
judgment.” Pls.’ Resp. Br. at 10. If Plaintiffs asserted the intrusion-on-seclusion claim, then
that argument would have greater force, because the merits of the claim could be a question
for the jury. But the analysis at hand is whether Plaintiffs have sufficiently established an
injury-in-fact under Article III for purposes of subject matter jurisdiction. There is no general
Seventh Amendment jury trial right for issues of subject matter jurisdiction, and Plaintiffs
offer no precedent that the close-relationship analysis, as explained in Spokeo, is a matter for
the jury to decide.
17Plaintiffs’ argument that the creation of face templates is similar to “restaurants []
dust[ing] their customers’ glasses for fingerprints and stockpil[ing] those identifiers,” Pls.’
Resp. Br. at 10, is misplaced. Fingerprints are not held out to the public like faces, which are
visible to the ordinary eye. Applying a template to a face on a voluntarily uploaded
photograph is very different from collecting the tiny physical remnants left by ridges on a
person’s fingers.
18In Illinois, the common law tort of appropriation of likeness was replaced with the
Right of Publicity Act, 765 ILCS 1075/30, effective in 1999. Trannel v. Prairie Ridge Media,
25
invaded when a defendant uses the likeness “to advertise [its] business or product,”
“for some similar commercial purpose,” or “for [its] own purposes and benefit.” Id.
cmt. b. Plaintiffs have not shown that Google has done anything closely related to
appropriation of their likenesses. In their Rule 56.1 Statement, Plaintiffs dispute that
“[t]here is no evidence that any of the data generated by Google Photos was used in
any way except to help organize the photographs in Wiess’s and Gutierrez’s accounts.”
Pls. Resp. Def. SOF ¶ 59; see also Pls. Statement Add. Facts ¶ 6. But the evidence
offered in their response fails to adequately support their denial. Plaintiffs cite to an
article that describes ways in which Google’s facial recognition technology could be
used in the future, including data mining, targeted advertisements, and filtering
content, Pls. Statement Add. Facts ¶ 6 (citing Maya Decl., Exh. K), as well as an email
chain among Google employees forwarding an article discussing similar “likely” uses,
id. (citing Maya Decl., Exh. I). These exhibits only demonstrate future potential uses
of Google’s facial recognition technology; they do not suggest that Google currently
employs these practices, that Google likely will do so in the future without consent,
or that Google used Plaintiffs’ data in this way. So the evidence falls well short of a
substantial likelihood that Plaintiff’s will suffer any of those injuries. The only other
tack that Plaintiffs could possibly take is to argue that Google “mapped Plaintiffs’
faces, creating, collecting, storing, and exploiting their unique biometric identifiers
for its own competitive advantage in the marketplace for photo-sharing services.” Pls.’
Inc., 987 N.E.2d 923, 929 (Ill. App. Ct. 2013). The Act has nearly identical elements to the
common law tort, and a plaintiff must allege three elements: “(1) an appropriation of one’s
name or likeness; (2) without one’s consent; and (3) for another’s commercial benefit.” Id.
26
Resp. Br. at 2. But Plaintiffs do not develop this argument or offer evidence in support
of it. Google’s use of the face templates for the sole purpose of organizing photographs
does not bear a “close relationship” to harms caused by appropriation of likeness.
With neither a legislative judgment nor a common law analogue (or anything
else) to support a finding of concrete injury, the Court concludes that Plaintiffs have
not demonstrated an injury-in-fact sufficient to confer Article III standing.19 This case
presented close legal questions, which is not uncommon when it comes to
technological advances,20 and the Court appreciates the able presentations of both
sides.
IV. Conclusion
Google’s motion for summary judgment is granted. The Court lacks subject
matter jurisdiction because Plaintiffs have not suffered concrete injuries for Article
III purposes. In light of that holding, there is no need to opine on the statutoryinterpretation arguments (and, in any event, the Illinois Supreme Court has the issue
19A
court within this District held the plaintiff had alleged an injury-in-fact where the
defendant allegedly collected his face scans without his knowledge in violation of the Act.
Monroy v. Shutterfly, 2017 WL 4099846, *8 n.5 (N.D. Ill. Sept. 15, 2017). But Monroy relies
on a generally described privacy invasion, rather than engage in an analysis of specific
common law torts (it also does not appear that the parties precisely teed up this issue for the
district court in that case, as the defendant did not challenge the plaintiff’s standing). Id.
20The difficulty in predicting technological advances and their legal effects is one
reason why legislative pronouncements with minimum statutory damages and fee-shifting
might reasonably be considered a too-blunt instrument for dealing with technology. Of
course, there might be policy considerations that weigh in favor of taking the broader
approach.
27
under advisement). The case is dismissed for lack of subject matter jurisdiction and
the status hearing of January 22, 2019 is vacated.
ENTERED:
s/Edmond E. Chang
Honorable Edmond E. Chang
United States District Judge
DATE: December 29, 2018
28
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?