Today, the U.S. Supreme Court dealt another blow to industries like those of CDIA members in our and others’ requests to bring clarity to the interpretation of Article III standing in the Constitution, especially when a consumer suffers no injury or harm. The Court denied Facebook’s cert petition in an important standing case. CDIA filed an amicus brief in support of acceptance of the petition for cert as did TechFreedom and the Washington Legal Foundation. The case was on appeal from the 9th Circuit opinion in Patel v. Facebook. Amici in the 9th Circuit included CDIA and the U.S. Chamber of Commerce.
In Patel, the 9th Circuit held that the plaintiffs had satisfied Article III standing simply by alleging a state statutory violation, namely the Illinois Biometric Information Privacy Act (“BIPA”). The plaintiffs claimed that Facebook’s “Tag Suggestions” feature—which uses facial-recognition software to suggest that users tag their friends in photographs they upload to the service—violated BIPA. Judge Donato (N.D. Cal.) certified a class. Two of the named plaintiffs testified that they were unaware of any harm that they suffered because of Tag Suggestions; indeed, one called it a “nice feature” that he continues to use. Plaintiffs’ lawyer admitted in open court that “[w]e haven’t found” that “any consequential harm resulted” from the alleged BIPA violation.
The Court relied heavily on the “findings” of the Illinois legislature in reaching its conclusion. With the advent of more state privacy legislation (with similar findings), this opinion lays the groundwork for far-reaching liability based on a state legislature’s say so.
The 9th Circuit took an extremely broad conception of Article III standing and Rule 23, and its misapplication of the narrowly-drafted BIPA statute, threaten to stifle the development of useful technologies and expose many companies to enormous aggregate damages awards where the classes have suffered no actual harm.
The panel disregarded all this evidence as a result of three errors. First, the panel held that BIPA’s notice‑and‑consent requirements are “substantive” rather than procedural requirements—contrary to every case that has addressed this issue—because they implicate “privacy rights.” Second, the court held that because the provisions are substantive, any “violation” of the statute gives rise to Article III standing, without the need for plaintiffs to show real-world harm. Third, even though this case is well past the discovery stage, the panel asserted without any explanation that its review was limited to the pleadings.