New York Appeals Court Rules on Illinois Biometric Statute
by Jerry Glover
November 22, 2017
We have discussed the Illinois Biometric Information Privacy Act (the “Act”), 740 ILCS 145/1 et seq in past posts to this site. See here http://lsglegal.com/illinois-biometric-act-excludes-photographs-court-says-photos-included and here http://lsglegal.com/mirror-mirror-wall-scan-face. We now have reason to write about it again.
The U.S. Court of Appeals for the Second Circuit (located in New York) recently heard a case involving two people who claimed that Take-Two Interactive Software violated the Act by the use of a face scanning option in its video games NBA 2K15 and NBA2K16. Santana v. Take-Two Interactive Software, Inc., 2017 WL 5592589 (2d Cir. November 21, 2017). Here’s what happened.
The video games have a feature that allows those playing the games to create a personalized basketball player with a 3-D rendition of the player’s face (an avatar). In the online-multiplayer mode, other payers who participate in the same multiplayer match will see the rendition of the player’s “face” during play. The games use a 3-D mapping process which uses cameras to capture a scan of the player’s facial geometry. Players must hold their faces within 6 to 12 inches of the camera and slowly turn their heads 30 degrees to the left and to the right during scanning. The process takes about 15 minutes. Prior to the scanning a player must agree to the following terms which are presented on the viewer’s screen:
“Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay. By proceeding you agree and consent to such uses and other uses pursuant to the End User License Agreement www.take2games.com/eula.”
The plaintiff and his sister purchased NBA2K15 and created avatars from their faces. In 2015 they sued Take-Two claiming Take-Two violated the Act. This Act governs the collection, storage and dissemination of a person’s “biometric identifiers” and “biometric information” by private companies/individuals. A biometric identifier” is defined as “a retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry.” [NOTE: Keep the word “geometry” in mind; we’ll come back to it shortly] “Biometric information” means information based on biometric identifiers. The Act requires any entity/individual that stores biometric information about third parties provide them a written policy that establishes how the information will be held and guidelines for when it will be destroyed.
The plaintiffs claimed that Take-Two collected their biometric information without their consent and disseminated it to other game players without their consent. They also alleged that Take-Two did not inform them in writing of how long Take-Two would store their biometric data or when it would be destroyed. Take-Two filed a motion to dismiss claiming that the plaintiffs did not have “Article III standing” to sue.
The court noted that the standing question is determined, first, by determining the scope and purpose of the procedural right provided by the statute. The second issue is whether a bare procedural violation presents a material risk of harm to a concrete interest. The plaintiffs admitted that their claim under the Act is implicated only if their biometric data was collected or disseminated without their authorization—one of the main things the Act was meant to prevent. The court noted that Take-Two had informed the plaintiffs that a face scan was necessary to participate as an avatar in the video game and that it would be visible to other players. The court added that it did not matter that the consent language quoted above did not include the word “geometry” as found in the Act. The court noted that anyone who had to follow the procedure required for the face scan would have no doubt that’s what was occurring.
The court acknowledged that Take-Two did not inform the plaintiffs of the duration that it would hold their biometric data. But the court noted that the plaintiffs had not shown that this violation presented a material risk that their biometric data will be misused or disclosed and they did not allege in their complaint that Take-Two has not or will not destroy their biometric data within the statutorily mandated time period. The plaintiffs also claimed that Take-Two did not notify them of its retention schedule and guidlines for destroying their data. But the court noted that the plaintiffs did not allege that Take-Two had no such protocols, that is policies were inadequate or that it was unlikely to abide by its internal procedures. So, the plaintiffs could not show their biometric data had been disclosed without consent.
Finally, the plaintiffs argued that Take-Two violated the Act by transmitting unencrypted scans of their face geometry via the open, commercial Internet, not to a secure network such as a virtual private network. But the plaintiffs did not allege that these failures raised a material risk that their biometric data would be improperly accessed by third parties; therefore, they failed to show a risk of real harm sufficient to confer an injury in fact.
The court’s ruling seems to be based on a complaint that was not adequately drafted. The Act does require the entity/person created biometric data to have certain written retention and destruction policies. In this case, however, the plaintiffs simply failed to allege in their complaint that Take-Two either did not have any such policies or that there was any unconsented release of the data that would have caused the plaintiff’s a real harm.